feat(ci): add publish-chart workflow (#10)

nikpivkin · web-flow · commit 6d953684e406 · 2026-04-09T13:22:34.000+06:00
* feat(ci): add publish-chart workflow

* chore: use ubuntu-2404-2core runner

* chore: wait for release and use forked trivy

* fix: skip empty git commit when index is up to date

* fix: correct git push logic and use env vars in publish-chart workflow

* fix: improve publish-chart workflow reliability and security

* chore: clarify input descriptions

* fix: fail on duplicate chart publish

* chore: use HELM_CHARTS_DEPLOY_TOKEN for gh-pages push

* fix: skip publish if chart version already released

* chore: explicitly set persist-credentials

* feat: make publish-chart workflow reusable across repositories

* fix: use GITHUB_TOKEN for read-only steps in publish-chart workflow

* chore: cleanup publish-chart workflow

* chore: add newline
diff --git a/.github/workflows/publish-chart.yaml b/.github/workflows/publish-chart.yaml
@@ -0,0 +1,136 @@
+name: Publish Helm chart
+
+on:
+  workflow_dispatch:
+    inputs:
+      repository:
+        description: 'Repository with the Helm chart (e.g. {owner}/trivy)'
+        required: true
+        type: string
+      ref:
+        description: 'Ref to checkout from the repository (e.g. commit SHA or tag)'
+        required: true
+        type: string
+      chart_dir:
+        description: 'Path to the Helm chart directory in the repository'
+        required: true
+        type: string
+
+# Disable all GITHUB_TOKEN permissions by default; individual jobs override as needed
+permissions: {}
+
+env:
+  HELM_REPO: helm-charts
+
+jobs:
+  check-published:
+    runs-on: ubuntu-2404-2core
+    permissions:
+      contents: read # required to read Chart.yaml and releases from public repositories via gh CLI
+    outputs:
+      skip: ${{ steps.check.outputs.skip }}
+      tag: ${{ steps.check.outputs.tag }}
+    steps:
+      - name: Check if already published
+        id: check
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ inputs.repository }}
+          CHART_DIR: ${{ inputs.chart_dir }}
+          REF: ${{ inputs.ref }}
+        run: |
+          content=$(gh api "repos/$REPOSITORY/contents/$CHART_DIR/Chart.yaml?ref=$REF" \
+            --jq '.content' | base64 -d)
+          name=$(echo "$content" | grep '^name:' | awk '{print $2}')
+          version=$(echo "$content" | grep '^version:' | awk '{print $2}')
+          tag="${name}-${version}"
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+
+          if gh release view "$tag" --repo "$GITHUB_REPOSITORY_OWNER/$HELM_REPO" > /dev/null 2>&1; then
+            echo "Chart $tag is already published, skipping"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  publish-chart:
+    needs: check-published
+    if: needs.check-published.outputs.skip != 'true'
+    runs-on: ubuntu-2404-2core
+    permissions:
+      contents: read # required by github.token to read releases from public repositories via gh CLI
+    steps:
+      - name: Checkout repository with the Helm chart
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+          persist-credentials: false
+          sparse-checkout: ${{ inputs.chart_dir }}
+
+      - name: Install chart-releaser
+        env:
+          CR_VERSION: "1.3.0"
+        run: |
+          curl -sSLO "https://github.com/helm/chart-releaser/releases/download/v${CR_VERSION}/chart-releaser_${CR_VERSION}_linux_amd64.tar.gz"
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_${CR_VERSION}_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzf "chart-releaser_${CR_VERSION}_linux_amd64.tar.gz" cr
+          mv cr /usr/local/bin/cr
+          rm "chart-releaser_${CR_VERSION}_linux_amd64.tar.gz"
+
+      - name: Package helm chart
+        env:
+          CHART_DIR: ${{ inputs.chart_dir }}
+        run: |
+          cr package "$CHART_DIR"
+
+      - name: Upload helm chart
+        env:
+          GH_TOKEN: ${{ secrets.HELM_CHARTS_DEPLOY_TOKEN }}
+        run: |
+          cr upload --owner "$GITHUB_REPOSITORY_OWNER" \
+            --git-repo "$HELM_REPO" \
+            --token "$GH_TOKEN" \
+            --package-path .cr-release-packages
+
+      - name: Wait for release to be available
+        env:
+          GH_TOKEN: ${{ github.token }}
+          CHART_TAG: ${{ needs.check-published.outputs.tag }}
+        run: |
+          # cr index fails if the release is not yet available via GitHub API
+          # due to a race condition after cr upload creates the release
+          max_attempts=10
+          for i in $(seq 1 "$max_attempts"); do
+            gh api "repos/$GITHUB_REPOSITORY_OWNER/$HELM_REPO/releases/tags/$CHART_TAG" > /dev/null && break
+            if [[ $i -eq $max_attempts ]]; then
+              echo "Release $CHART_TAG not available after $max_attempts attempts" >&2
+              exit 1
+            fi
+            sleep 2
+          done
+
+      - name: Index helm chart
+        run: |
+          cr index --owner "$GITHUB_REPOSITORY_OWNER" \
+            --git-repo "$HELM_REPO" \
+            -c "https://$GITHUB_REPOSITORY_OWNER.github.io/$HELM_REPO/" \
+            --index-path index.yaml
+
+      - name: Checkout gh-pages
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with: # zizmor: ignore[artipacked] -- token is required to push to gh-pages
+          ref: gh-pages
+          path: gh-pages
+          token: ${{ secrets.HELM_CHARTS_DEPLOY_TOKEN }}
+          persist-credentials: true
+
+      - name: Push index file
+        env:
+          CHART_TAG: ${{ needs.check-published.outputs.tag }}
+        run: |
+          cp index.yaml gh-pages/index.yaml
+          cd gh-pages
+          git config user.email aqua-bot@users.noreply.github.com
+          git config user.name aqua-bot
+          git add index.yaml
+          git commit -m "Update index.yaml for ${CHART_TAG}"
+          git push
