fix: allow helm-release workflow to inherit secrets (#99) #151
--- | |
name: Release Prefect Operator | |
"on": | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
pull_request: | |
branches: | |
- main | |
permissions: {} | |
jobs: | |
run_unit_tests: | |
uses: ./.github/workflows/tests.yaml | |
permissions: | |
# required by downstream jobs | |
contents: read | |
build_and_upload_manifests: | |
if: github.ref_type == 'tag' | |
needs: run_unit_tests | |
permissions: | |
# required to write artifacts to a release | |
contents: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Install tool dependencies | |
uses: jdx/mise-action@v2 | |
with: | |
experimental: true | |
- name: Package kubernetes manifests & CRDs | |
run: | | |
# package just CRDs | |
cat deploy/charts/prefect-operator/crds/*.yaml > prefect-crds.yaml | |
make helmbuild | |
# template the helm chart including the CRDs | |
helm template prefect-operator deploy/charts/prefect-operator \ | |
--include-crds --set operator.image.tag=${{ github.ref_name }} \ | |
> prefect-operator.yaml | |
# Remove labels relevant only for Helm installs | |
yq -i 'del(.metadata.labels."app.kubernetes.io/managed-by")' prefect-operator.yaml | |
yq -i 'del(.metadata.labels."helm.sh/chart")' prefect-operator.yaml | |
yq -i 'del(.spec.template.metadata.labels."app.kubernetes.io/managed-by")' prefect-operator.yaml | |
yq -i 'del(.spec.template.metadata.labels."helm.sh/chart")' prefect-operator.yaml | |
# Ensure all references to app version match the released version tag | |
yq -i '(.. | select(tag == "!!str" and . == "v0.0.0")) |= "${{ github.ref_name }}"' prefect-operator.yaml | |
- name: Upload release assets | |
run: gh release upload ${{ github.ref_name }} prefect-crds.yaml prefect-operator.yaml | |
env: | |
GH_TOKEN: ${{ github.token }} | |
build_and_push_docker_image: | |
needs: run_unit_tests | |
runs-on: ubuntu-latest | |
# The GitHub environments are created by Terraform and map to Docker Hub repositories: | |
# - dev: https://hub.docker.com/r/prefecthq/prefect-operator-dev | |
# - prod: https://hub.docker.com/r/prefecthq/prefect-operator | |
# The environment will be 'prod' if the GitHub event is a release. Otherwise, it will be 'dev'. | |
environment: ${{ github.ref_type == 'tag' && 'prod' || 'dev' }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v3 | |
with: | |
# These credentials are managed in Terraform. Depending on the 'environment' value above, | |
# these will either be the credentials for 'dev' or 'prod'. | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Docker image metadata | |
id: metadata | |
uses: docker/metadata-action@v5 | |
with: | |
# For jobs on tags, push to the prod repository. | |
# For all other situations, like pull requests and 'main', push to the dev repository. | |
images: prefecthq/${{ github.ref_type == 'tag' && 'prefect-operator' || 'prefect-operator-dev' }} | |
tags: | | |
type=ref,event=pr | |
type=ref,event=branch | |
type=semver,pattern={{version}} | |
labels: | | |
org.opencontainers.image.title=prefect-operator | |
org.opencontainers.image.description=Prefect Operator image | |
org.opencontainers.image.vendor=Prefect | |
- name: Build and push | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
push: true | |
tags: ${{ steps.metadata.outputs.tags }} | |
labels: ${{ steps.metadata.outputs.labels }} | |
create_helm_release: | |
if: github.ref_type == 'tag' | |
needs: build_and_push_docker_image | |
uses: ./.github/workflows/helm-release.yaml | |
permissions: | |
# required by downstream jobs | |
contents: write | |
# this is required so that the workflow can read secrets | |
# from the environment | |
secrets: inherit |
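Review bot: `secrets: inherit` on the `create_helm_release` call (the closing lines of the section, which by the commit title appear to be the change) hands every organization, repository and environment secret the caller can reach to ./.github/workflows/helm-release.yaml, which is broader than the comment's stated intent of reading secrets from the environment. If the called workflow declares the secrets it needs under its `workflow_call` trigger, prefer passing those by name, e.g. `secrets:` followed by `<HELM_RELEASE_SECRET>: ${{ secrets.<HELM_RELEASE_SECRET> }}` with the real names taken from helm-release.yaml, so the reusable workflow cannot read the Docker Hub credentials or anything else it does not use. The accompanying `permissions: contents: write` reuses the "required by downstream jobs" comment from `run_unit_tests`, where the grant is only `read`; a comment naming what the write is for (presumably uploading the packaged chart to the release) would justify the elevated scope. The old/new side of each line is not recoverable from this rendering, so which lines are new is inferred rather than read.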