feat(ci): add build_release, publish_charts and manage_release workflow

Author: github-actions[bot]

.github/workflows/manage_release.yaml

@@ -0,0 +1,71 @@
+name: manage_release
+
+# Triggered on every push to master that touches charts/,
+# or manually via workflow_dispatch with an optional chart name.
+on:
+  push:
+    branches: [master]
+    paths:
+      - 'charts/**'
+  workflow_dispatch:
+    inputs:
+      chart:
+        description: "Chart to release (leave empty for automatic detection)"
+        required: false
+        default: ""
+
+jobs:
+
+  # Detect which charts need to be released
+  detect:
+    name: Detect charts
+    runs-on: ubuntu-22.04
+    outputs:
+      charts:     ${{ steps.compute.outputs.charts }}
+      has_charts: ${{ steps.compute.outputs.has_charts }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Init runner
+        run: bash ./scripts/init_runner.sh ${{ github.job }}
+
+      - name: Detect charts
+        id: compute
+        env:
+          GITHUB_EVENT_NAME:   ${{ github.event_name }}
+          GITHUB_EVENT_BEFORE: ${{ github.event.before }}
+          GITHUB_EVENT_AFTER:  ${{ github.event.after }}
+          INPUT_CHART:         ${{ github.event.inputs.chart }}
+        run: bash ./scripts/detect_charts.sh
+
+  #  Release the detected charts 
+    name: Release charts
+    runs-on: ubuntu-22.04
+    needs: detect
+    if: needs.detect.outputs.has_charts == 'true'
+    permissions:
+      contents: write  # required to create and push git tags
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Init runner
+        run: bash ./scripts/init_runner.sh ${{ github.job }}
+
+      - name: Setup workspace
+        env:
+          KALISIO_GITHUB_URL: ${{ secrets.KALISIO_GITHUB_URL }}
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+        run: bash ./scripts/setup_workspace.sh
+
+      - name: Release charts
+        env:
+          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
+        run: bash ./scripts/build_release.sh -p ${{ needs.detect.outputs.charts }}

scripts/build_release.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# set -x
+
+# Build and release Helm charts to Harbor OCI registry and S3 backup.
+# Decrypts Harbor and rclone credentials from the development repository,
+# logs into the registry, then delegates to publish_charts.sh.
+#
+# Usage (CI mode):
+#   bash ./scripts/build_release.sh -p chart1 chart2
+#
+# Usage (dev mode, no push):
+#   bash ./scripts/build_release.sh chart1
+
+THIS_FILE=$(readlink -f "${BASH_SOURCE[0]}")
+THIS_DIR=$(dirname "$THIS_FILE")
+ROOT_DIR=$(dirname "$THIS_DIR")
+WORKSPACE_DIR="$(dirname "$ROOT_DIR")"
+
+. "$THIS_DIR/kash/kash.sh"
+
+## Parse options
+##
+PUBLISH=false
+while getopts "p" option; do
+    case $option in
+        p) # publish charts to Harbor and S3
+            PUBLISH=true
+            ;;
+        *)
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+## Decrypt credentials
+##
+begin_group "Setup Harbor credentials"
+
+load_env_files \
+    "$WORKSPACE_DIR/development/common/kalisio_harbor.enc.env"
+
+load_value_files \
+    "$WORKSPACE_DIR/development/common/KALISIO_HARBOR_PASSWORD.enc.value"
+
+end_group "Setup Harbor credentials"
+
+## Login to Harbor OCI registry
+##
+begin_group "Helm registry login"
+
+helm registry login "$KALISIO_HARBOR_URL" \
+    --username "$KALISIO_HARBOR_USERNAME" \
+    --password-stdin < "$KALISIO_HARBOR_PASSWORD"
+
+end_group "Helm registry login"
+
+## Decrypt rclone configuration for S3 backup access
+##
+begin_group "Setup rclone config"
+
+RCLONE_ENC_CONF="$WORKSPACE_DIR/development/rclone.enc.conf"
+RCLONE_DEC_CONF=$(enc2dec "$RCLONE_ENC_CONF")
+sops --decrypt --output "$RCLONE_DEC_CONF" "$RCLONE_ENC_CONF"
+
+end_group "Setup rclone config"
+
+## Release charts
+##
+begin_group "Release charts"
+
+if [ "$PUBLISH" = true ]; then
+    bash "$THIS_DIR/publish_charts.sh" "$@"
+else
+    echo "-> Dry run mode: skipping publish (use -p to publish)"
+fi
+
+end_group "Release charts"
+
+## Logout from Harbor OCI registry
+##
+helm registry logout "$KALISIO_HARBOR_URL"

scripts/publish_charts.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# set -x
+
+# Orchestrate the release of all charts passed as arguments.
+# For each chart, decides between a production release or a dev release
+# based on whether the corresponding git tag already exists:
+#   - tag absent  -> new version -> production release (release-chart.sh)
+#   - tag present -> same version, content changed -> dev release (release-dev-chart.sh)
+#
+# Usage (CI mode):
+#   SOPS_AGE_KEY=... bash ./scripts/publish_charts.sh chart1 chart2
+#
+# Usage (dev mode, no push):
+#   bash ./scripts/publish_charts.sh chart1
+
+THIS_FILE=$(readlink -f "${BASH_SOURCE[0]}")
+THIS_DIR=$(dirname "$THIS_FILE")
+
+. "$THIS_DIR/kash/kash.sh"
+
+#  Git identity required to create and push tags 
+git config user.name  "github-actions[bot]"
+git config user.email "github-actions[bot]@users.noreply.github.com"
+
+#  Release each chart 
+for CHART in "$@"; do
+    VERSION=$(sed -En 's/^version: (.*)$/\1/p' "charts/${CHART}/Chart.yaml")
+    TAG_NAME="${CHART}-${VERSION}"
+
+    begin_group "Publish ${CHART} (${VERSION})"
+
+    if git show-ref --tags "${TAG_NAME}" --quiet; then
+        echo "-> Tag ${TAG_NAME} already exists, releasing dev version (0.0.0-dev)"
+        bash "$THIS_DIR/release-dev-chart.sh" "${CHART}"
+    else
+        echo "-> Tag ${TAG_NAME} not found, releasing production version (${VERSION})"
+        bash "$THIS_DIR/release-chart.sh" "${CHART}"
+    fi
+
+    end_group "Publish ${CHART} (${VERSION})"
+done