feat: Add GitHub integration and enhance GitOps repository management… #7
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Helm Chart (OCI) | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| # Minimal top-level permissions — each job declares only what it needs. | |
| permissions: {} | |
| env: | |
| REGISTRY: ghcr.io | |
| HELM_REGISTRY: ghcr.io/aotanami/charts | |
| CHART_PATH: deploy/helm/aotanami | |
| jobs: | |
| release-helm: | |
| name: Package, Push & Sign Helm Chart | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # GitHub Release asset upload | |
| packages: write # Push to GHCR | |
| id-token: write # Cosign keyless signing (Fulcio OIDC) | |
| steps: | |
| - name: Harden runner | |
| uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Helm | |
| uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0 | |
| with: | |
| version: v3.17.1 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0 | |
| - name: Log in to GHCR (Helm OCI) | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login "${{ env.REGISTRY }}" \ | |
| --username "${{ github.actor }}" --password-stdin | |
| # Docker login for Cosign (Cosign uses Docker credentials, not Helm's) | |
| - name: Log in to GHCR (Docker/Cosign) | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # ── Extract and validate version ── | |
| - name: Extract version | |
| id: version | |
| run: | | |
| VERSION="${{ github.ref_name }}" | |
| VERSION="${VERSION#v}" # Strip leading 'v' for SemVer | |
| echo "version=${VERSION}" >> "$GITHUB_OUTPUT" | |
| echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT" | |
| # ── Lint before packaging ── | |
| - name: Lint Helm chart | |
| run: helm lint "${{ env.CHART_PATH }}" | |
| # ── Stamp version into Chart.yaml ── | |
| - name: Update chart version | |
| run: | | |
| sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" \ | |
| "${{ env.CHART_PATH }}/Chart.yaml" | |
| sed -i "s/^appVersion:.*/appVersion: \"${{ steps.version.outputs.version }}\"/" \ | |
| "${{ env.CHART_PATH }}/Chart.yaml" | |
| # ── Validate template rendering ── | |
| - name: Validate template rendering | |
| run: helm template aotanami "${{ env.CHART_PATH }}" --debug > /dev/null | |
| # ── Package ── | |
| - name: Package Helm chart | |
| run: | | |
| helm package "${{ env.CHART_PATH }}" --destination .helm-packages/ | |
| # ── Push to OCI registry ── | |
| - name: Push Helm chart to GHCR (OCI) | |
| id: helm-push | |
| run: | | |
| CHART_PACKAGE=".helm-packages/aotanami-${{ steps.version.outputs.version }}.tgz" | |
| # Push and capture the output to extract the digest | |
| PUSH_OUT=$(helm push "${CHART_PACKAGE}" "oci://${{ env.HELM_REGISTRY }}" 2>&1) | |
| echo "$PUSH_OUT" | |
| # Extract digest (e.g. Digest: sha256:abcd...) | |
| DIGEST=$(echo "$PUSH_OUT" | grep -i digest | awk '{print $2}') | |
| echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" | |
| # ── Cosign keyless signing ── | |
| - name: Sign Helm chart OCI artifact | |
| run: | | |
| cosign sign --yes \ | |
| "${{ env.HELM_REGISTRY }}/aotanami@${{ steps.helm-push.outputs.digest }}" | |
| # ── SBOM for the chart package ── | |
| - name: Generate Helm chart SBOM | |
| run: | | |
| CHART_PACKAGE=".helm-packages/aotanami-${{ steps.version.outputs.version }}.tgz" | |
| syft "${CHART_PACKAGE}" \ | |
| -o spdx-json=helm-sbom-spdx.json \ | |
| -o cyclonedx-json=helm-sbom-cyclonedx.json | |
| # ── Attest SBOM ── | |
| - name: Attest Helm chart SBOM | |
| run: | | |
| cosign attest --yes \ | |
| --predicate helm-sbom-spdx.json \ | |
| --type spdxjson \ | |
| "${{ env.HELM_REGISTRY }}/aotanami@${{ steps.helm-push.outputs.digest }}" | |
| # ── Upload SBOMs as release assets ── | |
| - name: Upload Helm SBOMs to release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| files: | | |
| helm-sbom-spdx.json | |
| helm-sbom-cyclonedx.json |