@@ -138,6 +138,11 @@ jobs:
138138 app-id : ${{ env.GITHUB_APP_ID }}
139139 private-key : ${{ env.PRIVATE_KEY }}
140140 owner : ${{ github.repository_owner }}
141+ # AUTHTOKEN only operates on the central helm-charts repository (checkout gh-pages,
142+ # create the release, and push the index.yaml commit), so scope the token to that
143+ # single repo with just contents:write instead of blanket installation access.
144+ repositories : helm-charts
145+ permission-contents : write
141146
142147 - name : Set the correct token (Github App or PAT)
143148 env :
@@ -307,20 +312,30 @@ jobs:
307312 git tag "${TAGNAME}"
308313
309314 - name : Make github release
310- uses : softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tags/v1
311- with :
312- body : |
313- ${{ steps.parse-chart.outputs.desc }}
315+ env :
316+ GH_TOKEN : ${{ env.AUTHTOKEN }}
317+ TAGNAME : ${{ steps.parse-chart.outputs.tagname }}
318+ DESC : ${{ steps.parse-chart.outputs.desc }}
319+ PACKAGENAME : ${{ steps.parse-chart.outputs.packagename }}
320+ run : |
321+ # The .prov provenance file only exists when chart signing is enabled; include it
322+ # only when present (action-gh-release silently skipped missing files).
323+ assets=( "${CR_PACKAGE_PATH}/${PACKAGENAME}.tgz" )
324+ if [[ -f "${CR_PACKAGE_PATH}/${PACKAGENAME}.tgz.prov" ]]; then
325+ assets+=( "${CR_PACKAGE_PATH}/${PACKAGENAME}.tgz.prov" )
326+ fi
327+ notes="$(cat <<EOF
328+ ${DESC}
314329
315- Source commit: https://github.com/${{ github.repository }} /commit/${{ github.sha } }
330+ Source commit: https://github.com/${GITHUB_REPOSITORY} /commit/${GITHUB_SHA }
316331
317- Tag on source: https://github.com/${{ github.repository }} /releases/tag/${{ steps.parse-chart.outputs.tagname } }
318- files : |
319- ${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz
320- ${{ env.CR_PACKAGE_PATH }}/${{ steps.parse-chart.outputs.packagename }}.tgz.prov
321- repository : grafana/helm-charts
322- tag_name : ${{ steps.parse-chart.outputs.tagname }}
323- token : ${{ env.AUTHTOKEN }}
332+ Tag on source: https://github.com/${GITHUB_REPOSITORY} /releases/tag/${TAGNAME }
333+ EOF
334+ )"
335+ gh release create "${TAGNAME}" "${assets[@]}" \
336+ --repo grafana/helm-charts \
337+ --title "${TAGNAME}" \
338+ --notes "${notes}"
324339
325340 - name : Push release tag on origin
326341 env :
@@ -335,7 +350,7 @@ jobs:
335350 # untouched. We then stage it for ghcommit-action below.
336351 - name : Generate helm repo index.yaml
337352 run : |
338- "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${{ env. AUTHTOKEN } }" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}"
353+ "${CR_TOOL_PATH}/cr" index --config "${CR_CONFIGFILE}" --token "${AUTHTOKEN}" --index-path "${CR_INDEX_PATH}" --package-path "${CR_PACKAGE_PATH}"
339354 cp "${CR_INDEX_PATH}/index.yaml" index.yaml
340355
341356 # Publish index.yaml to gh-pages via the GitHub GraphQL `createCommitOnBranch` mutation
0 commit comments