mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-05-07 08:57:12 +00:00
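# Packages the Pulse Helm chart, pushes it to GHCR as an OCI artifact and, for
# release events, attaches the .tgz to the GitHub release.
#
# Hardening applied in this file:
#   * No `${{ ... }}` expression is expanded inside a `run:` script. Expressions
#     are substituted into the script text before the shell parses it, so a
#     crafted tag name or dispatch input would otherwise become shell syntax.
#     Every such value is handed over through `env:` and read as "$VAR".
#   * Version strings are checked against the SemVer character set before they
#     are written to $GITHUB_OUTPUT, so a value cannot carry a newline that
#     would define extra step outputs.
#
# NOTE(review): the actions below are referenced by mutable tags (@v4). Pinning
# each to a full commit SHA would keep a retagged action release from running
# with this job's write-scoped token.
name: Publish Helm Chart

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      chart_version:
        description: "Chart version (required when running manually, use format 4.24.0)"
        required: true
      app_version:
        description: "Application version to embed (defaults to chart version)"
        required: false

jobs:
  publish:
    name: Package and Push Helm Chart
    runs-on: ubuntu-latest
    # Job-level grant: every step, including third-party actions, runs with
    # these scopes.
    permissions:
      contents: write  # Required for gh release upload
      packages: write
    steps:
      # NOTE(review): no `ref:` is set, so a manual run packages the ref the
      # workflow was dispatched on. The policy step below validates the tag
      # named by chart_version but does not compare it with HEAD; confirm that
      # this is intended.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.15.2

      # Derives chart_version, app_version, release_tag and is_prerelease from
      # either the manual inputs or the release tag.
      - name: Determine chart version
        id: versions
        env:
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_CHART_VERSION: ${{ inputs.chart_version }}
          DISPATCH_APP_VERSION: ${{ inputs.app_version }}
          EVENT_RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail

          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            CHART_VERSION="$DISPATCH_CHART_VERSION"
            if [ -z "$CHART_VERSION" ]; then
              echo "::error::chart_version input is required when running manually"
              exit 1
            fi
            APP_VERSION="$DISPATCH_APP_VERSION"
            if [ -z "$APP_VERSION" ]; then
              APP_VERSION="$CHART_VERSION"
            fi
            RELEASE_TAG="v${CHART_VERSION}"
          else
            RELEASE_TAG="$EVENT_RELEASE_TAG"
            if [ -z "$RELEASE_TAG" ]; then
              echo "::error::Release tag is empty"
              exit 1
            fi
            CHART_VERSION="${RELEASE_TAG#v}"
            APP_VERSION="$CHART_VERSION"
          fi

          # Accept only the SemVer character set. RELEASE_TAG is CHART_VERSION
          # with an optional leading "v", so this check covers it as well. The
          # rejected value is deliberately not echoed back into the log.
          for candidate in "$CHART_VERSION" "$APP_VERSION"; do
            if [[ ! "$candidate" =~ ^[0-9A-Za-z.+-]+$ ]]; then
              echo "::error::Version contains characters outside [0-9A-Za-z.+-]"
              exit 1
            fi
          done

          IS_PRERELEASE="false"
          if [[ "$APP_VERSION" =~ -rc\.[0-9]+$ ]] || [[ "$APP_VERSION" =~ -alpha\.[0-9]+$ ]] || [[ "$APP_VERSION" =~ -beta\.[0-9]+$ ]]; then
            IS_PRERELEASE="true"
          fi

          echo "chart_version=$CHART_VERSION" >> "$GITHUB_OUTPUT"
          echo "app_version=$APP_VERSION" >> "$GITHUB_OUTPUT"
          echo "release_tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
          echo "is_prerelease=$IS_PRERELEASE" >> "$GITHUB_OUTPUT"

      # Refuses to publish unless the tag exists and its commit is reachable
      # from the branch that control_plane.py reports for this version.
      - name: Validate release line policy
        env:
          RELEASE_TAG: ${{ steps.versions.outputs.release_tag }}
          APP_VERSION: ${{ steps.versions.outputs.app_version }}
        run: |
          set -euo pipefail

          REQUIRED_BRANCH="$(python3 scripts/release_control/control_plane.py --branch-for-version "${APP_VERSION}")"

          if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
            git fetch --prune --unshallow origin
          fi
          git fetch --prune origin "${REQUIRED_BRANCH}" --tags

          if ! git rev-parse -q --verify "refs/tags/${RELEASE_TAG}" >/dev/null; then
            echo "::error::Tag ${RELEASE_TAG} does not exist. Helm publish must map to a real Git tag."
            exit 1
          fi

          TAG_COMMIT="$(git rev-list -n1 "refs/tags/${RELEASE_TAG}")"
          if ! git merge-base --is-ancestor "$TAG_COMMIT" "origin/${REQUIRED_BRANCH}"; then
            echo "::error::Tag ${RELEASE_TAG} is not reachable from origin/${REQUIRED_BRANCH}. Refusing cross-line Helm publish."
            exit 1
          fi

          echo "[OK] ${RELEASE_TAG} validated against release line ${REQUIRED_BRANCH}"

      - name: Align chart metadata links
        env:
          CHART_VERSION: ${{ steps.versions.outputs.chart_version }}
          REPO_SLUG: ${{ github.repository }}
        run: |
          python3 scripts/sync_chart_release_metadata.py \
            --chart deploy/helm/pulse/Chart.yaml \
            --version "${CHART_VERSION}" \
            --repo "${REPO_SLUG}"

      - name: Helm lint (strict)
        run: helm lint deploy/helm/pulse --strict

      - name: Package chart
        env:
          CHART_VERSION: ${{ steps.versions.outputs.chart_version }}
          APP_VERSION: ${{ steps.versions.outputs.app_version }}
        run: |
          mkdir -p dist
          helm package deploy/helm/pulse \
            --version "${CHART_VERSION}" \
            --app-version "${APP_VERSION}" \
            --destination dist

      # `with:` values are not parsed by a shell, so expressions are fine here.
      - name: Upload packaged chart artifact
        uses: actions/upload-artifact@v4
        with:
          name: pulse-chart-${{ steps.versions.outputs.chart_version }}
          path: dist/pulse-${{ steps.versions.outputs.chart_version }}.tgz

      # The token reaches helm on stdin and comes from the environment rather
      # than being spliced into the script text.
      - name: Authenticate with GHCR
        env:
          REGISTRY_TOKEN: ${{ github.token }}
          REGISTRY_USER: ${{ github.actor }}
        run: |
          echo "${REGISTRY_TOKEN}" | helm registry login ghcr.io --username "${REGISTRY_USER}" --password-stdin

      - name: Push chart to GHCR
        env:
          CHART_VERSION: ${{ steps.versions.outputs.chart_version }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          helm push "dist/pulse-${CHART_VERSION}.tgz" \
            "oci://ghcr.io/${REPO_OWNER}/pulse-chart"

      # Best effort by design: each call is allowed to fail (`|| true`), so a
      # green run does not prove the package is public. Check the packages tab.
      - name: Configure package visibility
        env:
          GITHUB_TOKEN: ${{ github.token }}
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          # Connect package to repository and set visibility to public
          # This ensures the package inherits public visibility and appears in repo packages
          gh api -X PUT /user/packages/container/pulse-chart/versions/latest/restore || true
          gh api -X PATCH /user/packages/container/pulse-chart -f visibility=public || true

          # Also try org endpoint if user endpoint fails
          gh api -X PATCH "/orgs/${REPO_OWNER}/packages/container/pulse-chart" -f visibility=public || true

          echo "Package visibility configuration attempted. Verify at: https://github.com/${REPO_OWNER}?tab=packages"

      # --clobber replaces an asset of the same name that is already attached.
      - name: Attach chart to release
        if: github.event_name == 'release'
        env:
          GITHUB_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.versions.outputs.release_tag }}
          CHART_VERSION: ${{ steps.versions.outputs.chart_version }}
        run: |
          gh release upload "${RELEASE_TAG}" \
            "dist/pulse-${CHART_VERSION}.tgz" \
            --clobber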