Skip to content
Chart - Release

chore(deps): update github/codeql-action action to v3 #880

Sign in to view logs

chore(deps): update github/codeql-action action to v3

chore(deps): update github/codeql-action action to v3 #880

Workflow file for this run

.github/workflows/chart-release.yaml at 0b0e8b6
name: "Chart - Release"
on:
# Allow to run the workflow from GitHub UI and other workflows.
workflow_dispatch:
inputs:
trigger:
description: 'Trigger release manually'
required: false
default: false
type: boolean
pull_request:
types:
- labeled
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
wait-for-release-conditions:
if: ${{ contains(github.event.*.labels.*.name, 'release') || github.event.inputs.trigger }}
runs-on: ubuntu-latest
steps:
- name: Wait for all PR checks to succeed
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
running-workflow-name: 'wait-for-release-conditions'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 10
release:
needs: wait-for-release-conditions
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0
# TODO: Remove this step when we automate release chores as a pre-release workflow.
# Use Go Sprig Function which is supported by chglog like "{{ env GITHUB_WORKFLOW_REF }}".
- name: Substitute GITHUB_WORKFLOW_REF var.
run: |
sed -i "s|_GITHUB_WORKFLOW_REF_|${GITHUB_WORKFLOW_REF}|g" charts/camunda-platform/RELEASE-NOTES.md
- name: Install env dependencies
uses: asdf-vm/actions/install@v3
- uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Add Helm repos
run: |
make helm.repos-add
- name: Update Helm dependency
run: |
make helm.dependency-update
- name: cosign-installer
uses: sigstore/[email protected]
- name: Run Chart Releaser
uses: helm/[email protected]
with:
config: .github/config/chart-releaser.yaml
env:
CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
CR_SKIP_EXISTING: 'true'
- name: Set Helm chart version var
run: |
CHART_VERSION="$(yq ".version" charts/camunda-platform/Chart.yaml)"
echo "CHART_VERSION=${CHART_VERSION}" | tee -a $GITHUB_ENV
- name: Sign Helm chart with Cosign
run: |
cosign sign-blob -y .cr-release-packages/camunda-platform-${CHART_VERSION}.tgz \
--bundle camunda-platform-${CHART_VERSION}.cosign.bundle
- name: Verify signed Helm chart with Cosign
run: |
cosign verify-blob .cr-release-packages/camunda-platform-${CHART_VERSION}.tgz \
--bundle ./camunda-platform-${CHART_VERSION}.cosign.bundle \
--certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- name: Upload Helm chart signature bundle
run: |
gh release upload "camunda-platform-${CHART_VERSION}" \
./camunda-platform-${CHART_VERSION}.cosign.bundle \
--repo "${GITHUB_REPOSITORY}"
env:
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
verify:
needs: release
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
# The verify step happens in the "release" branch before merging to the "main" branch.
ref: release
fetch-depth: 0
# NOTE: This simple test is under review. So it could fail (it should be fixed in that case).
- name: Simple smoke test
uses: nick-fields/retry@v2
with:
max_attempts: 3
timeout_minutes: 5
retry_wait_seconds: 10
command: make release.verify-components-version