[bitnami/chainloop] Release 2.0.28 (#30534) #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright Broadcom, Inc. All Rights Reserved. | |
# SPDX-License-Identifier: APACHE-2.0 | |
name: '[CI/CD] CD Pipeline' | |
on: # rebuild any PRs and main branch changes | |
push: | |
branches: | |
- main | |
paths: | |
- 'bitnami/**' | |
- '!**.md' | |
# Remove all permissions by default. | |
permissions: {} | |
jobs: | |
get-chart: | |
runs-on: ubuntu-latest | |
name: 'Get modified charts' | |
permissions: | |
contents: read | |
outputs: | |
chart: ${{ steps.get-chart.outputs.chart }} | |
result: ${{ steps.get-chart.outputs.result }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
path: charts | |
fetch-depth: 2 # to be able to obtain files changed in the latest commit | |
- id: get-chart | |
name: 'Get modified charts' | |
run: | | |
cd charts | |
files_changed="$(git show --pretty="" --name-only)" | |
# Adding || true to avoid "Process exited with code 1" errors | |
charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*" | sort | uniq || true)" | |
# Using grep -c as a better alternative to wc -l when dealing with empty strings." | |
num_charts_changed="$(echo "$charts_dirs_changed" | grep -c "bitnami" || true)" | |
num_version_bumps="$(echo "$files_changed" | grep "bitnami/[^/]*/Chart.yaml" | xargs git show | grep -c "+version" || true)" | |
if [[ "$num_charts_changed" -ne "$num_version_bumps" ]]; then | |
# Changes done in charts but version not bumped -> ERROR | |
charts_changed_str="$(echo ${charts_dirs_changed[@]})" | |
echo "error=Detected changes in charts without version bump in Chart.yaml. Charts changed: ${num_charts_changed} ${charts_changed_str}. Version bumps detected: ${num_version_bumps}" >> $GITHUB_OUTPUT | |
echo "result=fail" >> $GITHUB_OUTPUT | |
elif [[ "$num_charts_changed" -eq "1" ]]; then | |
# Changes done in only one chart -> OK | |
chart_name=$(echo "$charts_dirs_changed" | sed "s|bitnami/||g") | |
echo "chart=${chart_name}" >> $GITHUB_OUTPUT | |
echo "result=ok" >> $GITHUB_OUTPUT | |
else | |
# Changes done in more than chart -> FAIL | |
charts_changed_str="$(echo ${charts_dirs_changed[@]})" | |
echo "error=Changes detected in more than one chart directory: ${charts_changed_str}. The publish process will be stopped. Please create different commits for each chart." >> $GITHUB_OUTPUT | |
echo "result=fail" >> $GITHUB_OUTPUT | |
fi | |
- id: show-error | |
name: 'Show error' | |
if: ${{ steps.get-chart.outputs.result == 'fail' }} | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea | |
with: | |
script: | | |
core.setFailed('${{ steps.get-chart.outputs.error }}') | |
vib-publish: | |
runs-on: ubuntu-latest | |
needs: get-chart | |
if: ${{ needs.get-chart.outputs.result == 'ok' }} | |
name: VIB Publish | |
permissions: | |
contents: read | |
env: | |
CSP_API_URL: https://console.tanzu.broadcom.com | |
CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }} | |
VIB_PUBLIC_URL: https://cp.bromelia.vmware.com | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
name: Checkout Repository | |
with: | |
path: charts | |
- uses: vmware-labs/vmware-image-builder-action@v0 | |
name: Publish ${{ needs.get-chart.outputs.chart }} | |
with: | |
pipeline: ${{ needs.get-chart.outputs.chart }}/vib-publish.json | |
config: charts/.vib/ | |
env: | |
VIB_ENV_S3_URL: s3://${{ secrets.AWS_S3_BUCKET }}/bitnami | |
VIB_ENV_S3_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }} | |
VIB_ENV_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }} | |
VIB_ENV_S3_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }} | |
update-deprecated-index: | |
runs-on: ubuntu-latest | |
needs: | |
- vib-publish | |
name: Update branch deprecated-index | |
steps: | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | |
with: | |
path: ~/artifacts | |
# If we perform a checkout of the main branch, we will find conflicts with the submodules | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
ref: 'deprecated-index' | |
path: 'deprecated-index' | |
# The token is persisted in the local git config and enables scripts to run authenticated git commands. | |
token: ${{ secrets.BITNAMI_BOT_TOKEN }} | |
- name: Install helm | |
run: | | |
HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz" | |
curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin | |
# Install file plugin | |
helm plugin add https://github.com/zoobab/helm_file_repo | |
- id: update-deprecated-index | |
name: Fetch chart and update depreacted-index | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }} | |
AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }} | |
AWS_MAX_ATTEMPTS: 3 | |
AWS_DEFAULT_REGION: us-east-1 | |
run: | | |
# Configure AWS account | |
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn ${AWS_ASSUME_ROLE_ARN} --role-session-name GitHubCharts --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text)) | |
# Extract chart release metadata from the publish report file | |
vib_publish_report_file=$(find ~/artifacts -name "report.json" -print -quit) | |
chart_name=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.name' $vib_publish_report_file) | |
chart_version=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.version' $vib_publish_report_file) | |
# Download published asset | |
mkdir download | |
aws s3 cp s3://${{ secrets.AWS_S3_BUCKET }}/bitnami/${chart_name}-${chart_version}.tgz download/ | |
cd deprecated-index | |
git config user.name "Bitnami Containers" | |
git config user.email "[email protected]" | |
attempts=0 | |
max_attempts=5 | |
is_index_updated=0 | |
while [[ $attempts -lt $max_attempts && $is_index_updated -eq 0 ]]; do | |
attempts=$((attempts + 1)) | |
# Pull changes from remote | |
git fetch origin deprecated-index | |
current_commit_id=$(git rev-parse origin/deprecated-index) | |
git reset --hard $(git commit-tree origin/deprecated-index^{tree} -m "Update index.yaml") | |
# Rebuild index | |
helm repo index --url https://charts.bitnami.com/bitnami --merge bitnami/index.yaml ../download | |
# Compare size of files | |
if [[ $(stat -c%s bitnami/index.yaml) -gt $(stat -c%s ../download/index.yaml) ]]; then | |
echo "New index.yaml file is shorter than the current one" | |
exit 1 | |
fi | |
# Adding tmp file as a helm repo | |
if ! helm repo add cache file://../download/ ; then | |
echo "New index.yaml file can't be indexed" | |
exit 1 | |
fi | |
cp ../download/index.yaml bitnami/index.yaml | |
# Push changes | |
git add bitnami/index.yaml && git commit --signoff --amend --no-edit | |
git push origin deprecated-index --force-with-lease=deprecated-index:${current_commit_id} && is_index_updated=1 || echo "Failed to push during attempt $attempts" | |
done | |
if [[ $is_index_updated -ne 1 ]]; then | |
echo "Could not update the index after $max_attempts attempts" | |
exit 1 | |
fi |