Skip to content

[bitnami/chainloop] Release 2.0.28 (#30534) #1

[bitnami/chainloop] Release 2.0.28 (#30534)

[bitnami/chainloop] Release 2.0.28 (#30534) #1

Workflow file for this run

# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
name: '[CI/CD] CD Pipeline'
on: # rebuild any PRs and main branch changes
push:
branches:
- main
paths:
- 'bitnami/**'
- '!**.md'
# Remove all permissions by default.
permissions: {}
jobs:
get-chart:
runs-on: ubuntu-latest
name: 'Get modified charts'
permissions:
contents: read
outputs:
chart: ${{ steps.get-chart.outputs.chart }}
result: ${{ steps.get-chart.outputs.result }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
path: charts
fetch-depth: 2 # to be able to obtain files changed in the latest commit
- id: get-chart
name: 'Get modified charts'
run: |
cd charts
files_changed="$(git show --pretty="" --name-only)"
# Adding || true to avoid "Process exited with code 1" errors
charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*" | sort | uniq || true)"
# Using grep -c as a better alternative to wc -l when dealing with empty strings."
num_charts_changed="$(echo "$charts_dirs_changed" | grep -c "bitnami" || true)"
num_version_bumps="$(echo "$files_changed" | grep "bitnami/[^/]*/Chart.yaml" | xargs git show | grep -c "+version" || true)"
if [[ "$num_charts_changed" -ne "$num_version_bumps" ]]; then
# Changes done in charts but version not bumped -> ERROR
charts_changed_str="$(echo ${charts_dirs_changed[@]})"
echo "error=Detected changes in charts without version bump in Chart.yaml. Charts changed: ${num_charts_changed} ${charts_changed_str}. Version bumps detected: ${num_version_bumps}" >> $GITHUB_OUTPUT
echo "result=fail" >> $GITHUB_OUTPUT
elif [[ "$num_charts_changed" -eq "1" ]]; then
# Changes done in only one chart -> OK
chart_name=$(echo "$charts_dirs_changed" | sed "s|bitnami/||g")
echo "chart=${chart_name}" >> $GITHUB_OUTPUT
echo "result=ok" >> $GITHUB_OUTPUT
else
# Changes done in more than chart -> FAIL
charts_changed_str="$(echo ${charts_dirs_changed[@]})"
echo "error=Changes detected in more than one chart directory: ${charts_changed_str}. The publish process will be stopped. Please create different commits for each chart." >> $GITHUB_OUTPUT
echo "result=fail" >> $GITHUB_OUTPUT
fi
- id: show-error
name: 'Show error'
if: ${{ steps.get-chart.outputs.result == 'fail' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
with:
script: |
core.setFailed('${{ steps.get-chart.outputs.error }}')
vib-publish:
runs-on: ubuntu-latest
needs: get-chart
if: ${{ needs.get-chart.outputs.result == 'ok' }}
name: VIB Publish
permissions:
contents: read
env:
CSP_API_URL: https://console.tanzu.broadcom.com
CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
VIB_PUBLIC_URL: https://cp.bromelia.vmware.com
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
name: Checkout Repository
with:
path: charts
- uses: vmware-labs/vmware-image-builder-action@v0
name: Publish ${{ needs.get-chart.outputs.chart }}
with:
pipeline: ${{ needs.get-chart.outputs.chart }}/vib-publish.json
config: charts/.vib/
env:
VIB_ENV_S3_URL: s3://${{ secrets.AWS_S3_BUCKET }}/bitnami
VIB_ENV_S3_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }}
VIB_ENV_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }}
VIB_ENV_S3_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }}
update-deprecated-index:
runs-on: ubuntu-latest
needs:
- vib-publish
name: Update branch deprecated-index
steps:
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
with:
path: ~/artifacts
# If we perform a checkout of the main branch, we will find conflicts with the submodules
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
with:
ref: 'deprecated-index'
path: 'deprecated-index'
# The token is persisted in the local git config and enables scripts to run authenticated git commands.
token: ${{ secrets.BITNAMI_BOT_TOKEN }}
- name: Install helm
run: |
HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz"
curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin
# Install file plugin
helm plugin add https://github.com/zoobab/helm_file_repo
- id: update-deprecated-index
name: Fetch chart and update depreacted-index
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }}
AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }}
AWS_MAX_ATTEMPTS: 3
AWS_DEFAULT_REGION: us-east-1
run: |
# Configure AWS account
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn ${AWS_ASSUME_ROLE_ARN} --role-session-name GitHubCharts --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text))
# Extract chart release metadata from the publish report file
vib_publish_report_file=$(find ~/artifacts -name "report.json" -print -quit)
chart_name=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.name' $vib_publish_report_file)
chart_version=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.version' $vib_publish_report_file)
# Download published asset
mkdir download
aws s3 cp s3://${{ secrets.AWS_S3_BUCKET }}/bitnami/${chart_name}-${chart_version}.tgz download/
cd deprecated-index
git config user.name "Bitnami Containers"
git config user.email "[email protected]"
attempts=0
max_attempts=5
is_index_updated=0
while [[ $attempts -lt $max_attempts && $is_index_updated -eq 0 ]]; do
attempts=$((attempts + 1))
# Pull changes from remote
git fetch origin deprecated-index
current_commit_id=$(git rev-parse origin/deprecated-index)
git reset --hard $(git commit-tree origin/deprecated-index^{tree} -m "Update index.yaml")
# Rebuild index
helm repo index --url https://charts.bitnami.com/bitnami --merge bitnami/index.yaml ../download
# Compare size of files
if [[ $(stat -c%s bitnami/index.yaml) -gt $(stat -c%s ../download/index.yaml) ]]; then
echo "New index.yaml file is shorter than the current one"
exit 1
fi
# Adding tmp file as a helm repo
if ! helm repo add cache file://../download/ ; then
echo "New index.yaml file can't be indexed"
exit 1
fi
cp ../download/index.yaml bitnami/index.yaml
# Push changes
git add bitnami/index.yaml && git commit --signoff --amend --no-edit
git push origin deprecated-index --force-with-lease=deprecated-index:${current_commit_id} && is_index_updated=1 || echo "Failed to push during attempt $attempts"
done
if [[ $is_index_updated -ne 1 ]]; then
echo "Could not update the index after $max_attempts attempts"
exit 1
fi