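name: Release Helm Charts (OCI)

on:
  push:
    tags:
      - "v*"

# Minimal top-level permissions — each job declares only what it needs.
permissions: {}

env:
  REGISTRY: ghcr.io
  HELM_REGISTRY: ghcr.io/zelyo-ai/charts

jobs:
  release-helm:
    name: Package, Push & Sign Helm Charts
    runs-on: ubuntu-latest
    permissions:
      contents: write # GitHub Release asset upload
      packages: write # Push to GHCR
      id-token: write # Cosign keyless signing (Fulcio OIDC)
    strategy:
      matrix:
        chart:
          - name: zelyo-operator
            path: deploy/helm/zelyo-operator
          - name: zelyo-policies
            path: deploy/helm/zelyo-policies
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          # TODO(review): this job holds id-token:write and packages:write, so
          # tighten to `egress-policy: block` with an allowed-endpoints list once
          # the audit log has confirmed the full set of hosts a release needs.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Set up Helm
        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          version: v3.17.1

      - name: Install Cosign
        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1

      - name: Install Syft
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0

      - name: Log in to GHCR (Helm OCI)
        # The token is handed over via the environment instead of being expanded
        # into the script body, and fed to helm on stdin so it never hits argv.
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${GHCR_TOKEN}" | helm registry login "${REGISTRY}" \
            --username "${GITHUB_ACTOR}" --password-stdin

      # Docker login for Cosign (Cosign uses Docker credentials, not Helm's)
      - name: Log in to GHCR (Docker/Cosign)
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ── Extract and validate version ──
      - name: Extract version
        id: version
        # github.ref_name is the pushed tag name, i.e. input controlled by anyone
        # who can push tags. Read it from the environment (never expand it into
        # the script text, where a crafted tag could inject shell) and validate
        # it before any later step uses it in sed, file names or OCI references.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          VERSION="${REF_NAME#v}" # Strip leading 'v' for SemVer
          # Strict SemVer 2.0 shape. Besides catching typos, this guarantees the
          # value contains no '/', '&', whitespace or shell metacharacters.
          semver_re='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
          if [[ ! "${VERSION}" =~ $semver_re ]]; then
            echo "::error::Tag '${REF_NAME}' is not a SemVer release tag (expected vMAJOR.MINOR.PATCH[-pre][+build])"
            exit 1
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "tag=${REF_NAME}" >> "$GITHUB_OUTPUT"

      # ── Lint before packaging ──
      - name: Lint Helm chart
        run: helm lint "${{ matrix.chart.path }}"

      # ── Stamp version into Chart.yaml ──
      - name: Update chart version
        # CHART_VERSION has passed the SemVer check above, so it is safe as a
        # sed replacement (no '/' or '&' possible).
        env:
          CHART_VERSION: ${{ steps.version.outputs.version }}
          CHART_PATH: ${{ matrix.chart.path }}
        run: |
          sed -i "s/^version:.*/version: ${CHART_VERSION}/" \
            "${CHART_PATH}/Chart.yaml"
          sed -i "s/^appVersion:.*/appVersion: \"${CHART_VERSION}\"/" \
            "${CHART_PATH}/Chart.yaml"

      # ── Validate template rendering ──
      - name: Validate template rendering
        run: helm template "${{ matrix.chart.name }}" "${{ matrix.chart.path }}" --debug > /dev/null

      # ── Package ──
      - name: Package Helm chart
        run: |
          helm package "${{ matrix.chart.path }}" --destination .helm-packages/

      # ── Push to OCI registry ──
      - name: Push Helm chart to GHCR (OCI)
        id: helm-push
        env:
          CHART_NAME: ${{ matrix.chart.name }}
          CHART_VERSION: ${{ steps.version.outputs.version }}
        run: |
          CHART_PACKAGE=".helm-packages/${CHART_NAME}-${CHART_VERSION}.tgz"
          # Push and capture the output to extract the digest
          PUSH_OUT=$(helm push "${CHART_PACKAGE}" "oci://${HELM_REGISTRY}" 2>&1)
          echo "$PUSH_OUT"
          # Extract digest (e.g. Digest: sha256:abcd...)
          DIGEST=$(echo "$PUSH_OUT" | grep -i digest | awk '{print $2}')
          # The signature and attestation below must bind to exactly what was
          # pushed; refuse to continue on anything but a well-formed digest
          # (e.g. if helm's output format changes or an error line matched).
          digest_re='^sha256:[0-9a-f]{64}$'
          if [[ ! "${DIGEST}" =~ $digest_re ]]; then
            echo "::error::Could not extract an OCI digest from 'helm push' output"
            exit 1
          fi
          echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"

      # ── Cosign keyless signing ──
      - name: Sign Helm chart OCI artifact
        # Keyless: the job's OIDC token (id-token:write) becomes the signing
        # identity in the Fulcio certificate. Consumers should verify with
        # --certificate-identity pinned to this workflow, not just the issuer.
        run: |
          cosign sign --yes \
            "${{ env.HELM_REGISTRY }}/${{ matrix.chart.name }}@${{ steps.helm-push.outputs.digest }}"

      # ── SBOM for the chart package ──
      - name: Generate Helm chart SBOM
        run: |
          CHART_PACKAGE=".helm-packages/${{ matrix.chart.name }}-${{ steps.version.outputs.version }}.tgz"
          syft "${CHART_PACKAGE}" \
            -o "spdx-json=${{ matrix.chart.name }}-sbom-spdx.json" \
            -o "cyclonedx-json=${{ matrix.chart.name }}-sbom-cyclonedx.json"

      # ── Attest SBOM ──
      - name: Attest Helm chart SBOM
        # Only the SPDX document is attached as an in-toto attestation; the
        # CycloneDX file is published as a release asset only.
        run: |
          cosign attest --yes \
            --predicate "${{ matrix.chart.name }}-sbom-spdx.json" \
            --type spdxjson \
            "${{ env.HELM_REGISTRY }}/${{ matrix.chart.name }}@${{ steps.helm-push.outputs.digest }}"

      # ── Upload SBOMs as release assets ──
      - name: Upload Helm SBOMs to release
        # TODO(review): the only action in this workflow not pinned to a commit
        # SHA; pin it like the others so a moved tag cannot change what runs
        # with contents:write.
        # NOTE(review): both matrix jobs upload to the same tag's release;
        # confirm the action tolerates concurrent create-or-update on one tag.
        uses: softprops/action-gh-release@v3
        with:
          files: |
            ${{ matrix.chart.name }}-sbom-spdx.json
            ${{ matrix.chart.name }}-sbom-cyclonedx.json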