Bump Helm Chart and Dagger Version => v1.89.12 (#3015) #528
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Package Helm Chart | |
| on: | |
| # Only push Helm Chart if the deployment templates have changed | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - deployment/chainloop/** | |
| permissions: read-all | |
| jobs: | |
| package: | |
| name: Package and push Helm Chart | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| id-token: write # required for SLSA provenance - https://docs.chainloop.dev/guides/slsa/ | |
| env: | |
| CHAINLOOP_WORKFLOW_NAME: "helm-package" | |
| CHAINLOOP_PROJECT: "chainloop" | |
| steps: | |
| - name: Install Chainloop | |
| run: | | |
| curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s | |
| - name: Docker login to Github Packages | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install Helm | |
| uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| with: | |
| cosign-release: "v2.4.1" | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Package Chart | |
| run: helm package deployment/chainloop/ | |
| - name: Add Attestation (Helm Chart) and Push Chart | |
| run: | | |
| export CONTAINER_CP=$(cat deployment/chainloop/Chart.yaml | yq -r .annotations.images | yq -r '.[] | select(.name == "control-plane") | .image') | |
| export CONTAINER_CAS=$(cat deployment/chainloop/Chart.yaml | yq -r .annotations.images | yq -r '.[] | select(.name == "artifact-cas") | .image') | |
| chart_version=$(cat deployment/chainloop/Chart.yaml | yq .version) | |
| app_version=$(cat deployment/chainloop/Chart.yaml | yq .appVersion) | |
| # Force the version that's inside the Chart.yaml file | |
| # and make sure it exists in the project by passing the --existing-version flag | |
| # if it doesn't exist, the attestation will fail, and first we need to create/update/rename the version in the project and re-run the job | |
| chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT} --version ${app_version} --existing-version | |
| # Attest Control plane image | |
| chainloop attestation add --name control-plane-image --value "${CONTAINER_CP}" | |
| # Attest CAS image | |
| chainloop attestation add --name artifact-cas-image --value "${CONTAINER_CAS}" | |
| # Push Chart | |
| for pkg in chainloop*.tgz; do | |
| helm push ${pkg} oci://ghcr.io/chainloop-dev/charts | |
| done | |
| # Sign Chart | |
| cosign sign --tlog-upload=false --key env://COSIGN_PRIVATE_KEY ghcr.io/chainloop-dev/charts/chainloop:${chart_version} | |
| # Attest the Chart | |
| chainloop attestation add --name helm-chart --value oci://ghcr.io/chainloop-dev/charts/chainloop:${chart_version} | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_KEY}} | |
| COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | |
| # Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Finish and Record Attestation | |
| if: ${{ success() }} | |
| run: | | |
| chainloop attestation push | |
| - name: Mark attestation as failed | |
| if: ${{ failure() }} | |
| run: | | |
| chainloop attestation reset | |
| - name: Mark attestation as cancelled | |
| if: ${{ cancelled() }} | |
| run: | | |
| chainloop attestation reset --trigger cancellation |