mirror of
https://github.com/we-promise/sure.git
synced 2026-06-01 08:49:01 +00:00
956c27df6b
* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
163 lines
5.2 KiB
YAML
163 lines
5.2 KiB
YAML
name: Helm Publish
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
chart_version:
|
|
description: Chart semver version (v-prefix allowed)
|
|
required: false
|
|
type: string
|
|
app_version:
|
|
description: App version value for Chart.yaml appVersion
|
|
required: false
|
|
type: string
|
|
update_gh_pages:
|
|
description: Whether to publish packaged chart to gh-pages index
|
|
required: false
|
|
type: boolean
|
|
default: true
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
publish:
|
|
if: github.repository == 'we-promise/sure'
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
chart_version: ${{ steps.version.outputs.chart_version }}
|
|
app_version: ${{ steps.version.outputs.app_version }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
persist-credentials: false
|
|
fetch-depth: 0
|
|
|
|
- name: Install Helm
|
|
uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
|
|
|
|
- name: Resolve chart and app versions
|
|
id: version
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
normalize_version() {
|
|
local raw="$1"
|
|
echo "${raw#v}"
|
|
}
|
|
|
|
if [ -n "${{ inputs.chart_version }}" ]; then
|
|
CHART_VERSION="$(normalize_version "${{ inputs.chart_version }}")"
|
|
elif [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
|
|
CHART_VERSION="$(normalize_version "${GITHUB_REF_NAME}")"
|
|
else
|
|
CHART_VERSION="0.0.0-nightly.$(date -u +'%Y%m%d.%H%M%S')"
|
|
fi
|
|
|
|
if [ -n "${{ inputs.app_version }}" ]; then
|
|
APP_VERSION="${{ inputs.app_version }}"
|
|
elif [[ "${GITHUB_REF_TYPE}" == "tag" && "${GITHUB_REF_NAME}" == v* ]]; then
|
|
APP_VERSION="${GITHUB_REF_NAME}"
|
|
else
|
|
APP_VERSION="${CHART_VERSION}"
|
|
fi
|
|
|
|
echo "chart_version=${CHART_VERSION}" >> "$GITHUB_OUTPUT"
|
|
echo "app_version=${APP_VERSION}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Update Chart.yaml version
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
sed -i -E "s/^version:.*/version: ${{ steps.version.outputs.chart_version }}/" charts/sure/Chart.yaml
|
|
sed -i -E "s/^appVersion:.*/appVersion: \"${{ steps.version.outputs.app_version }}\"/" charts/sure/Chart.yaml
|
|
|
|
- name: Add Helm repositories
|
|
run: |
|
|
helm repo add cloudnative-pg https://cloudnative-pg.github.io/charts
|
|
helm repo add ot-helm https://ot-container-kit.github.io/helm-charts
|
|
helm repo update
|
|
|
|
- name: Build dependencies
|
|
run: helm dependency build charts/sure
|
|
|
|
- name: Package chart
|
|
run: |
|
|
mkdir -p .cr-release-packages
|
|
helm package charts/sure -d .cr-release-packages
|
|
|
|
- name: Upload packaged chart artifact
|
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
|
|
with:
|
|
name: helm-chart-package
|
|
path: .cr-release-packages/*.tgz
|
|
include-hidden-files: true
|
|
if-no-files-found: error
|
|
retention-days: 7
|
|
|
|
- name: Checkout gh-pages
|
|
if: ${{ inputs.update_gh_pages }}
|
|
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
|
|
with:
|
|
ref: gh-pages
|
|
path: gh-pages
|
|
|
|
- name: Update index and push
|
|
if: ${{ inputs.update_gh_pages }}
|
|
env:
|
|
GIT_USER_NAME: ${{ github.actor }}
|
|
GIT_USER_EMAIL: ${{ github.actor }}@users.noreply.github.com
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
CHART_VERSION="${{ steps.version.outputs.chart_version }}"
|
|
MAX_ATTEMPTS=5
|
|
|
|
cp .cr-release-packages/*.tgz gh-pages/
|
|
|
|
cd gh-pages
|
|
git config user.name "$GIT_USER_NAME"
|
|
git config user.email "$GIT_USER_EMAIL"
|
|
|
|
index_and_commit() {
|
|
if [ -f index.yaml ]; then
|
|
helm repo index . --url https://we-promise.github.io/sure --merge index.yaml
|
|
else
|
|
helm repo index . --url https://we-promise.github.io/sure
|
|
fi
|
|
|
|
git add .
|
|
if git diff --cached --quiet; then
|
|
echo "No Helm chart updates to publish."
|
|
return 1
|
|
fi
|
|
git commit -m "Publish chart ${CHART_VERSION}"
|
|
}
|
|
|
|
index_and_commit || exit 0
|
|
|
|
for attempt in $(seq 1 "$MAX_ATTEMPTS"); do
|
|
echo "Push attempt ${attempt}/${MAX_ATTEMPTS}..."
|
|
if git push; then
|
|
echo "Chart ${CHART_VERSION} published successfully."
|
|
exit 0
|
|
fi
|
|
|
|
if [ "$attempt" -eq "$MAX_ATTEMPTS" ]; then
|
|
echo "::error::Failed to push after ${MAX_ATTEMPTS} attempts"
|
|
exit 1
|
|
fi
|
|
|
|
backoff=$(( attempt * 2 ))
|
|
echo "Push failed; retrying in ${backoff}s after rebase..."
|
|
sleep "$backoff"
|
|
|
|
git fetch origin gh-pages
|
|
git rebase origin/gh-pages
|
|
|
|
git reset HEAD~1 --soft 2>/dev/null || true
|
|
index_and_commit || { echo "No changes after rebase."; exit 0; }
|
|
done
|