|
| 1 | +name: "NCA: package and publish Policy Reporter Helm chart" |
| 2 | + |
| 3 | +env: |
| 4 | + CHART_REPO_PREFIX: "/policy-reporter-chart" |
| 5 | + ECR_TEST_ACCOUNT: "182084413329" |
| 6 | + ECR_PROD_ACCOUNT: "182084413329" |
| 7 | + |
| 8 | +on: |
| 9 | + workflow_dispatch: |
| 10 | + push: |
| 11 | + branch: |
| 12 | + # uncomment this (and update to the current major version) if you want an |
| 13 | + # image built for each commit |
| 14 | + #- tag-2.16.1-NCA |
| 15 | + # nca/X naming is used in actions below, adjust accordingly if needed |
| 16 | + - nca/feature/* |
| 17 | + tag: |
| 18 | + - nca/release/* |
| 19 | + |
| 20 | +# On each push to the aforementioned branches or tags with names matching the |
| 21 | +# pattern above, the following happens: |
| 22 | +# |
| 23 | +# - Depending on Git reference name (branch or tag name) we determine a release |
| 24 | +# for a would-be artifact. |
| 25 | +# - nca/release/<RESULTING NAME> |
| 26 | +# - nca/feature/<RESULTING NAME> |
| 27 | +# - tag-VERSION-NCA --> VERSION-nca-GIT_SHA_FIRST_8_CHARS, i.e. 2.16.1-nca-aabbccdd |
| 28 | +# |
| 29 | +# - Note that when pushing to nca/feature branch or creating a nca/release tag, |
| 30 | +# the artifacts will have the same name (will overwrite the previous |
| 31 | +# versions). However, when pushing to tag-VERSION-NCA branch, each resulting |
| 32 | +# artifact will be unique. |
| 33 | +# |
| 34 | +# - We also determine if it is a release build or just a test build. This |
| 35 | +# affects on where the resulting image will be pushed to. |
| 36 | +# |
| 37 | +# - Docker images (nginx and django) are built. They are tagged with release |
| 38 | +# determined above and pushed to repositories stated in environment variables |
| 39 | +# above. The same image is pushed to both repositories. |
| 40 | + |
| 41 | +jobs: |
| 42 | + helm-chart: |
| 43 | + name: package and publish Helm chart |
| 44 | + runs-on: ubuntu-latest |
| 45 | + permissions: |
| 46 | + packages: write |
| 47 | + contents: write |
| 48 | + pages: write |
| 49 | + id-token: write |
| 50 | + steps: |
| 51 | + - name: set ECR to use, release mode |
| 52 | + if: ${{ startsWith(github.ref_name, 'nca/release/') }} |
| 53 | + run: | |
| 54 | + echo "VERSION_SUFFIX=-t${GITHUB_REF_NAME#nca/release/}" >> $GITHUB_ENV |
| 55 | + echo "ECR_ACCOUNT=${ECR_PROD_ACCOUNT}" >> $GITHUB_ENV |
| 56 | +
|
| 57 | + - name: set ECR to use, feature branch mode |
| 58 | + if: ${{ startsWith(github.ref_name, 'nca/feature/') }} |
| 59 | + run: | |
| 60 | + echo "VERSION_SUFFIX=-feature+${GITHUB_REF_NAME#nca/feature/}" >> $GITHUB_ENV |
| 61 | + echo "ECR_ACCOUNT=${ECR_TEST_ACCOUNT}" >> $GITHUB_ENV |
| 62 | +
|
| 63 | + - name: set ECR to use, release branch mode |
| 64 | + if: ${{ startsWith(github.ref_name, 'tag-') }} |
| 65 | + run: | |
| 66 | + t=$(echo ${GITHUB_REF_NAME} | tr '[:upper:]' '[:lower:]') |
| 67 | + t="${t#tag-}" |
| 68 | + t="${t%-nca}" |
| 69 | + echo "VERSION_SUFFIX=-t$(echo $t | tr '[:upper:]' '[:lower:]').git${GITHUB_SHA:0:8}" >> $GITHUB_ENV |
| 70 | + echo "ECR_ACCOUNT=${ECR_PROD_ACCOUNT}" >> $GITHUB_ENV |
| 71 | +
|
| 72 | + - name: checkout |
| 73 | + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 |
| 74 | + with: |
| 75 | + fetch-depth: 0 |
| 76 | + |
| 77 | + - name: install Helm |
| 78 | + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 |
| 79 | + with: |
| 80 | + version: v3.16.1 |
| 81 | + |
| 82 | + - name: add yq |
| 83 | + uses: mikefarah/yq@b534aa9ee5d38001fba3cd8fe254a037e4847b37 # v4.45.4 |
| 84 | + |
| 85 | + - name: set Helm chart version |
| 86 | + id: set-helm-chart-version |
| 87 | + run: | |
| 88 | + echo "CHART_VERSION=$(yq -e '.version' charts/policy-reporter/Chart.yaml)${{ env.VERSION_SUFFIX }}" >> $GITHUB_ENV |
| 89 | +
|
| 90 | + - name: package Helm chart |
| 91 | + id: package-helm-chart |
| 92 | + run: | |
| 93 | + mkdir build |
| 94 | + yq -i '.version="${{ env.CHART_VERSION }}"' charts/policy-reporter/Chart.yaml |
| 95 | + helm package charts/policy-reporter/ --destination ./build |
| 96 | +
|
| 97 | + - name: Configure AWS prod credentials (nca/release mode) |
| 98 | + if: ${{ startsWith(github.ref_name, 'nca/release/') }} |
| 99 | + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 |
| 100 | + with: |
| 101 | + aws-region: eu-central-1 |
| 102 | + aws-access-key-id: ${{ secrets.ECR_PROD_ACCESS_KEY }} |
| 103 | + aws-secret-access-key: ${{ secrets.ECR_PROD_SECRET_KEY }} |
| 104 | + |
| 105 | + - name: Configure AWS test credentials (nca/feature mode) |
| 106 | + if: ${{ startsWith(github.ref_name, 'nca/feature/') }} |
| 107 | + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 |
| 108 | + with: |
| 109 | + aws-region: eu-central-1 |
| 110 | + aws-access-key-id: ${{ secrets.ECR_TEST_ACCESS_KEY }} |
| 111 | + aws-secret-access-key: ${{ secrets.ECR_TEST_SECRET_KEY }} |
| 112 | + |
| 113 | + - name: Configure AWS test credentials (tag- mode) |
| 114 | + if: ${{ startsWith(github.ref_name, 'tag-') }} |
| 115 | + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1 |
| 116 | + with: |
| 117 | + aws-region: eu-central-1 |
| 118 | + aws-access-key-id: ${{ secrets.ECR_TEST_ACCESS_KEY }} |
| 119 | + aws-secret-access-key: ${{ secrets.ECR_TEST_SECRET_KEY }} |
| 120 | + |
| 121 | + - name: Login to Amazon ECR |
| 122 | + id: login-ecr |
| 123 | + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # 2.0.1 |
| 124 | + with: |
| 125 | + registries: ${{ env.ECR_ACCOUNT }} |
| 126 | + |
| 127 | + - name: get caller identity 1 |
| 128 | + run: | |
| 129 | + aws sts get-caller-identity |
| 130 | +
|
| 131 | + - name: Push helm chart to AWS ECR |
| 132 | + env: |
| 133 | + REGISTRY: ${{ steps.login-ecr.outputs.registry }} |
| 134 | + run: | |
| 135 | + helm push ./build/policy-reporter-*.tgz oci://${{ env.REGISTRY }}${{ env.CHART_REPO_PREFIX }}/ |
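Review bot: The `on.push` filters at file lines 11 and 17 use the keys `branch:` and `tag:`, which are not in GitHub's workflow schema; the accepted keys are `branches:` and `tags:`, so as written the file is likely rejected as invalid or, if the unknown keys are ignored, the job runs on every push with all three `set ECR` steps skipped and `ECR_ACCOUNT` empty at the login step. Line 88 `${{ env.VERSION_SUFFIX }}`, line 94 `${{ env.CHART_VERSION }}` and line 135 `${{ env.REGISTRY }}${{ env.CHART_REPO_PREFIX }}` are expression-interpolated into `run:` shell text, and the first two carry a branch or tag name verbatim; since these values are already exported through `$GITHUB_ENV`, read them as shell variables instead, e.g. `yq -i '.version=strenv(CHART_VERSION)' charts/policy-reporter/Chart.yaml` and `oci://${REGISTRY}${CHART_REPO_PREFIX}/`, so a ref name cannot change the command. In tag- mode line 70 selects `ECR_PROD_ACCOUNT` while lines 113–119 configure the test credentials, which only works because both account IDs on lines 5–6 are identical; make the pair consistent so the test/prod split stays meaningful if the accounts ever differ. The job grants `contents: write`, `pages: write` and `id-token: write` (lines 47–49) but only reads the checkout and pushes to ECR with static access keys, so either drop the unused scopes or use `id-token: write` as intended with `role-to-assume` OIDC federation in place of the long-lived `ECR_*_ACCESS_KEY` secrets. The header comment at lines 37–39 still describes nginx/django Docker images from whatever workflow this was copied from and should be rewritten for the Helm chart publish flow.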