feat: Change Release Action to also Publish Image and Chart (#6)

As we can't trigger the publish and publish-chart workflows from the release workflow due to permissions issue we will need to publish the image and chart from the release workflow. Signed-off-by: Samuel Torres <[email protected]>
form3tech-oss · Dec 17, 2024 · 29e1830 · 29e1830
1 parent be3fe99
commit 29e1830
Show file tree

Hide file tree

Showing 14 changed files with 169 additions and 209 deletions.
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,14 +9,115 @@ on:
         default: 'v0.1.0'
       source_ref:
         description: 'source ref to publish from. E.g.: main or release-x.y'
-        required: true
         default: 'main'
+        required: true
+      prerelease:
+        required: false
+        default: 'false'
 
 jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+      - name: Login to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=${{ github.event.inputs.version }}
+      - name: Build and push
+        id: build-push
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
+        with:
+          provenance: true
+          sbom: true
+          push: true
+          platforms: linux/amd64,linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}
+          outputs: "type=registry,push=true"
+      - name: Attest
+        uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-push.outputs.digest }}
+          push-to-registry: true
+
+  publish-chart:
+    needs: publish
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      CHART_DIR: charts
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        with:
+          version: v3.12.0
+      - name: Login to GHCR
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Package chart
+        id: package
+        run: |
+          helm package ${{ env.CHART_DIR }}/x-pdb --version=${{ github.event.inputs.version }} --app-version=${{ github.event.inputs.version }}
+          echo "chart_file=$(ls *.tgz)" >> $GITHUB_OUTPUT
+      - name: Push chart to GHCR
+        id: push
+        run: |
+          helm push ${{ steps.package.outputs.chart_file }} oci://${{ env.REGISTRY }}/${{ github.repository }}/charts |& tee helm-push-output.log
+          DIGEST=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
+          echo "digest=$DIGEST" >> $GITHUB_OUTPUT
+      - name: Attest
+        uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
+        id: attest
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}/charts/x-pdb
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+      - name: Publish Helm charts to GH Pages
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          charts_dir: ${{ env.CHART_DIR }}
+
   release:
+    needs: [publish, publish-chart]
     name: Create Release
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -28,8 +129,7 @@ jobs:
         with:
           tag_name: ${{ github.event.inputs.version }}
           target_commitish: ${{ github.event.inputs.source_ref }}
+          prerelease: ${{ github.event.inputs.prerelease }}
           generate_release_notes: true
-          body: |
-            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -33,6 +33,9 @@ jobs:
       - name: Lint
         id: run-lint
         run: make lint
+      - name: Helm Lint
+        id: helm-lint
+        run: make helm-lint
       - name: Run Go tests
         id: run-tests
         run: make test

diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 ##########
 
 # Image names
-IMG                       ?= x-pdb:latest
+IMG                       ?= ghcr.io/form3tech-oss/x-pdb:latest
 TEST_APP_IMG              ?= x-pdb-test:latest
 TEST_DISRUPTION_PROBE_IMG ?= x-pdb-test-disruption-probe:latest
 
@@ -127,6 +127,10 @@ lint: golangci-lint ## Run golangci-lint linter
 lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes
 	$(GOLANGCI_LINT) run --fix
 
+.PHONY: helm-lint
+helm-lint: # Lints the x-pdb helm chartk
+	helm lint charts/x-pdb
+
 ##@ Build
 
 .PHONY: build
@@ -220,10 +224,12 @@ install: kind-load ## Installs x-pdb into a cluster
 
 .PHONY: proto-generate
 proto-generate: ## Generates the go packages from the proto contracts.
-	protoc --go_out=$(PROTO_GO_OUT_DIR) --go_opt=paths=source_relative \
-	--go-grpc_out=$(PROTO_GO_OUT_DIR) --go-grpc_opt=paths=source_relative \
-	$(PROTO_FILES)
+	buf generate
 
+.PHONY: proto-lint
+proto-lint: ## Lints the proto contracts
+	buf lint
+
 ##@ Dependencies
 
 ## Location to install dependencies to

diff --git a/README.md b/README.md
@@ -8,6 +8,7 @@ This is needed, because each cluster acts individually (evictions, rolling out u
 Please refer to the documentation at https://form3tech-oss.github.com/x-pdb
 
 ## Development
+
 ### Running tests
 
 Simple tests can be ran with `make test`.
@@ -17,6 +18,7 @@ This will create three `kind` clusters which are connected through `metallb`.
 
 ```
 make multi-cluster
+make deploy-e2e
 make e2e
 ```
 

diff --git a/charts/x-pdb/Chart.yaml b/charts/x-pdb/Chart.yaml
@@ -1,5 +1,6 @@
 apiVersion: v2
-name: x-pdb
+appVersion: 0.0.1
 description: A Helm chart for Kubernetes
+name: x-pdb
 type: application
 version: 0.0.1
diff --git a/charts/x-pdb/templates/_helpers.tpl b/charts/x-pdb/templates/_helpers.tpl
@@ -75,14 +75,3 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{/*
-Creates an image name from the image structure available in the values file
-*/}}
-{{- define "x-pdb.image" -}}
-{{- if .registry }}
-  {{- print .registry "/" (required "An image repository is required" .repository) ":" .tag -}}
-{{- else }}
-  {{- print (required "An image repository is required" .repository) ":" .tag -}}
-{{- end }}
-{{- end }}
diff --git a/charts/x-pdb/templates/certificates.yaml b/charts/x-pdb/templates/certificates.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.webhook.tls.certManager.enabled -}}
+{{- if .Values.webhook.tls.certManager.enabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -26,8 +26,9 @@ spec:
     encoding: PKCS1
     size: 2048
 {{- end }}
+
+{{- if .Values.controller.tls.certManager.enabled }}
 ---
-{{- if .Values.controller.tls.certManager.enabled -}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

diff --git a/charts/x-pdb/templates/deployment.yaml b/charts/x-pdb/templates/deployment.yaml
@@ -38,7 +38,7 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ include "x-pdb.image" .Values.image }}"
+          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           command:
           - /x-pdb

diff --git a/charts/x-pdb/values.yaml b/charts/x-pdb/values.yaml
@@ -1,11 +1,11 @@
 replicaCount: 2
 
 image:
-  registry: tech.form3
-  repository: x-pdb
+  registry: ghcr.io 
+  repository: form3tech-oss/x-pdb
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "latest"
+  tag: ""
 
 imagePullSecrets: []
 nameOverride: ""

diff --git a/hack/env/xpdb-values.yaml b/hack/env/xpdb-values.yaml
@@ -27,6 +27,4 @@ service:
     type: LoadBalancer
     # loadBalancerIP computed dynamically via install-xpdb.sh
 image:
-  registry: ""
-  repository: "x-pdb"
   tag: "latest"