Skip to content

chore: workflow for publishing secrets-vault chart (#22) #4

chore: workflow for publishing secrets-vault chart (#22)

chore: workflow for publishing secrets-vault chart (#22) #4

name: secrets-vault-chart
env:
HELM_VERSION: v3.14.0
CHART_DIRS: secrets/secrets-vault/charts
on:
push:
tags:
- 'secrets-vault-chart-v[0-9].[0-9]+.[0-9]+'
pull_request:
paths:
- 'secrets/secrets-vault/charts/**'
- '.github/workflows/secrets-vault-chart.yml'
jobs:
validate:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Fetch main branch for chart-testing
run: |
git fetch origin main:main
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: ${{ env.HELM_VERSION }}
# Used by helm chart-testing below
- name: Set up Python
uses: actions/[email protected]
with:
python-version: '3.12.7'
- name: Set up chart-testing
uses: helm/[email protected]
with:
version: v3.11.0
yamllint_version: 1.35.1
yamale_version: 5.0.0
- name: Install wash
uses: taiki-e/install-action@v2
with:
tool: [email protected]
- name: Run chart-testing (lint)
run: |
ct lint --config ${{ env.CHART_DIRS }}/secrets-vault/ci/ct.yaml --chart-dirs ${{ env.CHART_DIRS }}
- name: Create kind cluster
uses: helm/[email protected]
with:
version: "v0.22.0"
- name: Install nats in the test cluster
run: |
helm repo add nats https://nats-io.github.io/k8s/helm/charts/
helm repo update
helm install nats nats/nats -f ${{ env.CHART_DIRS }}/secrets-vault/ci/nats.yaml
- name: Generate nkey seed
run: |
export "NKEY_SEED=$(wash key gen account -o json | jq -Mr .seed | tr -d '\n')" >> ${GITHUB_ENV}
- name: Generate xkey seed
run: |
export "XKEY_SEED=$(wash key gen curve -o json | jq -Mr .seed | tr -d '\n')" >> ${GITHUB_ENV}
- name: Run chart-testing install / same namespace
run: |
ct install --config ${{ env.CHART_DIRS }}/secrets-vault/ci/ct.yaml --helm-extra-set-args "--set=config.nats.address=nats-headless.default:4222 --set=config.jwks_address=127.0.0.1:3000 --set=config.nkey_seed=${{ env.NKEY_SEED }} --set=config.xkey_seed=${{ env.XKEY_SEED }} --set=config.vault.address=localhost:8222 --set=config.vault.auth_method_path=jwt --set=config.vault.defaultSecretEnginePath=secret"
publish:
if: ${{ startsWith(github.ref, 'refs/tags/secrets-vault-chart-v') }}
runs-on: ubuntu-22.04
needs: validate
permissions:
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: ${{ env.HELM_VERSION }}
- name: Package
run: |
helm package ${{ env.CHART_DIRS }}/secrets-vault -d .helm-charts
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Lowercase the organization name for ghcr.io
run: |
echo "GHCR_REPO_NAMESPACE=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
- name: Publish
run: |
for chart in .helm-charts/*; do
if [ -z "${chart:-}" ]; then
break
fi
helm push "${chart}" "oci://ghcr.io/${{ env.GHCR_REPO_NAMESPACE }}/charts"
done