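# Reusable release workflow (invoked via workflow_call).
# It publishes the Helm charts to GHCR and signs them with cosign (keyless,
# hence the id-token permission), builds the air-gapped installer, uploads the
# resulting assets to the GitHub release and finally generates SLSA provenance
# over the sha256 checksums of those assets.
name: release
on:
  workflow_call: {}
# Workflow-level default: no token permissions. Each job grants only what it needs.
permissions: {}
jobs:
  publish-helm-chart:
    name: publish helm chart
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      packages: write
      # needed for cosign
      id-token: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: downgrade helm
        shell: bash
        env:
          HELM_VERSION: v3.12.3
        run: |
          # Fetch the installer script from the release tag that is being
          # installed rather than from the unpinned `master` branch, so a later
          # change to the script cannot silently alter what this job executes.
          rm -f /usr/local/bin/helm
          curl -fsSL "https://raw.githubusercontent.com/helm/helm/${HELM_VERSION}/scripts/get-helm-3" > /tmp/helm.sh
          chmod +x /tmp/helm.sh
          /tmp/helm.sh --version "${HELM_VERSION}"
          helm version
      - name: Add helm repos and update deps
        run: |
          helm repo add miracum https://miracum.github.io/charts
          helm repo add akhq https://akhq.io/
          helm repo add hapi-fhir-jpaserver-starter https://hapifhir.github.io/hapi-fhir-jpaserver-starter
          helm dep build charts/onco-analytics-on-fhir
          helm dep build charts/prerequisites
      # TODO: maybe replace image tags in values.yaml with digests before packaging
      - name: Package, upload, and sign Helm charts
        shell: bash
        env:
          # Kept out of the script body so the expression is not interpolated
          # into shell source text.
          CHART_REPO: ghcr.io/${{ github.repository }}/charts
        run: |
          # Package, push and sign one chart.
          #   $1 - chart directory, $2 - chart name (used for the packaged filename
          #   and the OCI repository name).
          # Each chart's version is read from its own Chart.yaml so the packaged
          # filename always matches what is pushed, even if the two charts are
          # versioned independently.
          push_and_sign() {
            local chart_dir="$1" chart_name="$2" chart_version digest
            chart_version=$(yq .version "${chart_dir}/Chart.yaml")
            helm package "${chart_dir}"
            # `helm push` prints the manifest digest; sign that digest instead of
            # the mutable tag so the signature is bound to exactly what was pushed.
            # With pipefail a failed push or a missing digest fails the step.
            digest=$(helm push "${chart_name}-${chart_version}.tgz" "oci://${CHART_REPO}" 2>&1 | tee /dev/stderr | grep -oE 'sha256:[0-9a-f]{64}')
            cp "${chart_name}-${chart_version}.tgz" "${chart_name}-chart.tgz"
            cosign sign --yes "${CHART_REPO}/${chart_name}@${digest}"
          }
          push_and_sign charts/onco-analytics-on-fhir onco-analytics-on-fhir
          push_and_sign charts/prerequisites prerequisites
      # NOTE(review): the v3 artifact actions are deprecated upstream; migrate
      # to v4 (pinned by commit SHA) when the download side below is migrated too.
      - uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
        with:
          name: helm-charts
          path: |
            onco-analytics-on-fhir-chart.tgz
            prerequisites-chart.tgz
  build-air-gapped-installer:
    runs-on: ubuntu-22.04
    permissions:
      # explicit read-only token; the workflow default is no permissions at all
      contents: read
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: |
          ./build-air-gapped-installer.sh
      - name: Upload air-gapped installer artifact
        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
        with:
          name: air-gapped-installers
          path: |
            air-gapped-installer.tgz
            air-gapped-prerequisites-installer.tgz
            compose-air-gapped-installer.tgz
  prepare-artifacts:
    name: prepare artifacts
    runs-on: ubuntu-22.04
    needs:
      - publish-helm-chart
      - build-air-gapped-installer
    outputs:
      # base64 of the sha256sum file; consumed by the provenance job
      hashes: ${{ steps.hash.outputs.hashes }}
    permissions:
      contents: write # to upload artifacts to the release
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Download Helm chart
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
        with:
          name: helm-charts
          path: /tmp
      - name: Download air-gapped installers
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
        with:
          name: air-gapped-installers
          path: /tmp
      - name: Create dist dir
        run: |
          mkdir -p dist/
      - name: Add Helm chart to dist
        run: |
          ls -lsa /tmp
          cp /tmp/onco-analytics-on-fhir-chart.tgz dist/
          cp /tmp/prerequisites-chart.tgz dist/
          # The two Helm-based air-gapped installers are currently not released;
          # keep this list in sync with the sha256sum call in the next step.
          # cp /tmp/air-gapped-installer.tgz dist/
          # cp /tmp/air-gapped-prerequisites-installer.tgz dist/
          cp /tmp/compose-air-gapped-installer.tgz dist/
      - name: Generate SLSA subject for release assets
        id: hash
        working-directory: dist
        run: |
          # air-gapped-installer.tgz air-gapped-prerequisites-installer.tgz
          sha256sum onco-analytics-on-fhir-chart.tgz prerequisites-chart.tgz compose-air-gapped-installer.tgz > checksums.sha256
          echo "hashes=$(base64 -w0 < checksums.sha256)" >> "$GITHUB_OUTPUT"
      - name: upload assets to release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag=v1
        with:
          files: |
            dist/*.tgz
            dist/*.sha256
  provenance:
    needs:
      - prepare-artifacts
    permissions:
      actions: read
      id-token: write
      contents: write
    # can't be referenced by digest. See <https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance>
    # NOTE(review): the workflow reference below looks mangled by page extraction
    # (e-mail obfuscation); the generic generator is normally referenced as
    # generator_generic_slsa3.yml@<pinned tag> — restore it from the original file.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.prepare-artifacts.outputs.hashes }}"
      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
      upload-assets: true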