-
Notifications
You must be signed in to change notification settings - Fork 32
95 lines (80 loc) · 3.49 KB
/
package_chart.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
name: Package Helm Chart
on:
# Only push Helm Chart if the deployment templates have changed
push:
branches:
- main
paths:
- deployment/chainloop/**
permissions:
contents: read
jobs:
# This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist
# it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just
# be ignored and the process will continue. For this to work it's using a pre-created API Token
onboard_workflow:
name: Onboard Chainloop Workflow
uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@64839eb68c20fefda46929c6c6e893cdf0537619
with:
project: "chainloop"
workflow_name: "chainloop-vault-helm-package"
secrets:
api_token: ${{ secrets.CHAINLOOP_TOKEN }}
package:
name: Package and push Helm Chart
runs-on: ubuntu-latest
needs: onboard_workflow
permissions:
packages: write
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
CHAINLOOP_PROJECT: ${{ needs.onboard_workflow.outputs.project_name }}
steps:
- name: Install Chainloop
run: |
curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s
- name: Docker login to Github Packages
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Initialize Attestation
run: |
chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT}
- name: Package Chart
run: helm package deployment/chainloop/
- name: Add Attestation (Helm Chart)
run: |
export CONTAINER_CP=$(cat deployment/chainloop/Chart.yaml | yq -r .annotations.images | yq -r '.[] | select(.name == "control-plane") | .image')
export CONTAINER_CAS=$(cat deployment/chainloop/Chart.yaml | yq -r .annotations.images | yq -r '.[] | select(.name == "artifact-cas") | .image')
# Attest Chart
chainloop attestation add --name helm-chart --value chainloop*.tgz
# Attest Control plane image
chainloop attestation add --name control-plane-image --value "${CONTAINER_CP}"
# Attest CAS image
chainloop attestation add --name artifact-cas-image --value "${CONTAINER_CAS}"
- name: Push Chart
run: |
for pkg in chainloop*.tgz; do
helm push ${pkg} oci://ghcr.io/chainloop-dev/charts
done
- name: Finish and Record Attestation
if: ${{ success() }}
run: |
chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
env:
CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
- name: Mark attestation as failed
if: ${{ failure() }}
run: |
chainloop attestation reset
- name: Mark attestation as cancelled
if: ${{ cancelled() }}
run: |
chainloop attestation reset --trigger cancellation