Merge pull request #18 from github/update-policy-chart-for-release

Split policy controller and policies release workflows for simplicity
github · Jun 7, 2024 · 609026e · 609026e
2 parents bf2b9bc + e8cfda2
commit 609026e
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 15 deletions.
diff --git a/.github/workflows/policies-release.yml b/.github/workflows/policies-release.yml
@@ -0,0 +1,20 @@
+name: Release Policy Controller Policies Chart
+
+on:
+  push:
+    tags:
+      - policies-v*
+
+jobs:
+  release-policy-controller:
+    name: Release Policy Controller Policies Chart
+    uses: .github/workflows/release.yml
+    with:
+      chart_name: policy-controller-policies
+      chart_release: ${{ github.ref }}
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+    secrets: inherit
diff --git a/.github/workflows/policy-controller-release.yml b/.github/workflows/policy-controller-release.yml
@@ -0,0 +1,20 @@
+name: Release Policy Controller Chart
+
+on:
+  push:
+    tags:
+      - policy-controller-v*
+
+jobs:
+  release-policy-controller:
+    name: Release Policy Controller Chart
+    uses: .github/workflows/release.yml
+    with:
+      chart_name: policy-controller
+      chart_release: ${{ github.ref }}
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+    secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,10 +1,14 @@
 name: Release
 
 on:
-  push:
-    tags:
-      - policy-controller-v*
-      - policies-v*
+  workflow_call:
+    inputs:
+      chart_name:
+        type: string
+        required: true
+      chart_release:
+        type: string
+        required: true
 
 jobs:
   release:
@@ -24,31 +28,31 @@ jobs:
         run: |
           # tag names are in the format <chart-name>-v<semantic-version>
           # so we need to extract the chart name
-          chart_name=$(echo -n ${{ github.ref_name }} | awk -F'-v' '{print $1}')
-          echo chart_name=$chart_name >> $GITHUB_OUTPUT
+          release_name=$(echo -n ${{ inputs.chart_release }} | awk -F'-v' '{print $1}')
+          echo release_name=$release_name >> $GITHUB_OUTPUT
 
           # extract the version from the tag name
-          version=$(echo -n ${{ github.ref_name }} | sed "s/^$chart_name-//")
-          echo chart_version=$version >> $GITHUB_OUTPUT
+          version=$(echo -n ${{ inputs.chart_release }} | sed "s/^$release_name-//")
+          echo release_version=$version >> $GITHUB_OUTPUT
       - name: Package Helm chart
-        run: helm package charts/${{ steps.release-details.outputs.chart_name }}
+        run: helm package charts/${{ steps.release-details.outputs.release_name }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Push packaged chart to GHCR
-        run: helm push ${{ github.ref_name }}.tgz oci://${{ env.REGISTRY }}/${{ github.repository }}
+        run: helm push ${{ inputs.chart_name }}.tgz oci://${{ env.REGISTRY }}/${{ github.repository }}
       - uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c # v0.3
       - name: Get pushed chart digest
         id: get-digest
         run: |
-          digest=$(crane digest ${{ env.REGISTRY }}/${{ github.repository }}/${{ steps.release-details.outputs.chart_name }}:${{ steps.release-details.outputs.chart_version }})
+          digest=$(crane digest ${{ env.REGISTRY }}/${{ github.repository }}/${{ steps.release-details.outputs.release_name }}:${{ steps.release-details.outputs.release_version }})
           echo digest=$digest >> $GITHUB_OUTPUT
       - name: Attest
         uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
         with:
-          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}/${{ steps.release-details.outputs.chart_name }}
+          subject-name: ${{ env.REGISTRY }}/${{ github.repository }}/${{ steps.release-details.outputs.release_name }}
           subject-digest: ${{ steps.get-digest.outputs.digest }}
           push-to-registry: true
diff --git a/charts/policies/Chart.yaml b/charts/policies/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-description: The Helm chart for Policy  Controller
+description: Default policy for GitHub's Sigstore policy controller
 home: https://github.com/github/policy-controller
 
 sources:

diff --git a/charts/policy-controller/Chart.yaml b/charts/policy-controller/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-description: The Helm chart for Policy  Controller
+description: The Helm chart for GitHub's Sigstore Policy Controller
 home: https://github.com/github/policy-controller
 
 sources: