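# Manually dispatched release workflow: first verify that the images referenced
# by the Helm chart at the given tag exist in ECR, then (unless dry-run) publish
# the chart with chart-releaser.
#
# NOTE(review): every `uses:` below references a mutable tag (`@v6`, `@v1.7.0`).
# Pinning each action to a full commit SHA keeps a re-tagged release from
# changing what runs in jobs that hold `id-token: write` or `contents: write`.
name: Helm publish

on:
  # This job is manually dispatched for now, since we do not have image build fully automated yet.
  workflow_dispatch:
    inputs:
      tag:
        description: "Release tag (e.g. v2.0.0)"
        type: string
        required: true
      dry-run:
        description: "Skip publishing Helm chart"
        type: boolean
        required: true
        default: true

jobs:
  verify-helm-chart:
    runs-on: ubuntu-latest
    # Only the OIDC token permission is granted; it is what lets
    # configure-aws-credentials assume the IAM role below.
    permissions:
      id-token: write
    # NOTE(review): any approval or branch rules on this environment live in
    # the repository settings and cannot be confirmed from this file.
    environment: "trusted"
    steps:
      - name: Checkout tag
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.tag }}
          fetch-depth: 0
      # The script that later runs with AWS credentials is taken from `main`,
      # not from the tag being released (presumably so that an old or altered
      # tag cannot supply its own verification logic - confirm intent).
      - name: Checkout verification script from main
        uses: actions/checkout@v6
        with:
          ref: main
          path: main-branch
          sparse-checkout: |
            scripts/verify-helm-images.sh
          sparse-checkout-cone-mode: false
      # NOTE(review): this installs whatever the `latest` release resolves to,
      # with no version pin and no digest or provenance check, and the binary
      # is on PATH when AWS credentials are configured in the next step.
      # Pin a specific release tag and verify its published checksum before
      # moving the binary into /usr/local/bin.
      - name: Install crane
        run: |
          cd /tmp
          # -f makes an HTTP error fail this step instead of saving the error body as the archive
          curl -fsSL "https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_Linux_x86_64.tar.gz" -o crane.tar.gz
          tar -xzf crane.tar.gz crane
          sudo mv crane /usr/local/bin/crane
          sudo chmod +x /usr/local/bin/crane
          crane version
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v6
        with:
          role-to-assume: ${{ vars.IAM_ROLE }}
          aws-region: ${{ vars.AWS_REGION }}
          # Session policy: narrows the assumed role's session to ECR login
          # plus BatchGetImage on the eks/* repositories of one account.
          # NOTE(review): the ARN is fixed to us-east-1 while aws-region comes
          # from vars.AWS_REGION - confirm the two are meant to agree.
          inline-session-policy: >-
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid":"AllowECRAuth",
                  "Effect":"Allow",
                  "Action":"ecr:GetAuthorizationToken",
                  "Resource":"*"
                },
                {
                  "Sid":"AllowECRRead",
                  "Effect": "Allow",
                  "Action": "ecr:BatchGetImage",
                  "Resource": "arn:aws:ecr:us-east-1:602401143452:repository/eks/*"
                }
              ]
            }
      - name: Verify all images exist before publishing
        run: ./main-branch/scripts/verify-helm-images.sh

  publish-helm-chart:
    runs-on: ubuntu-latest
    # contents: write is the only scope granted to this job's GITHUB_TOKEN,
    # which is handed to chart-releaser as CR_TOKEN below.
    permissions:
      contents: write
    needs: [verify-helm-chart]
    # Ensure only the latest version of this job on main can run for publishing, as this is global for the project
    if: ${{ github.ref == 'refs/heads/main' && !inputs.dry-run }}
    steps:
      - name: Checkout tag
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.tag }}
          fetch-depth: 0
      # The actor name is read from the environment inside the shell rather
      # than interpolated with ${{ }}, so it is never spliced into the script.
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.7.0
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        with:
          config: .github/cr.yaml
          mark_as_latest: false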