build-helm-cluster.yml
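---
# CI for the cluster-hoprd Helm chart. On pull requests that touch the chart
# it: bumps the chart version when the current one is already tagged, lints,
# packages, scans the chart with Trivy (IaC/config mode) and regenerates the
# parameters README. The `bump_version` and `generate-readme` jobs push
# commits back to the PR branch.
name: 'Package Helm chart Cluster'

# `on` looks like a YAML 1.1 boolean; GitHub's loader handles it (suppress
# yamllint `truthy` here if the linter complains).
on:
  pull_request:
    types:
      - opened
      - synchronize
      - ready_for_review
    branches:
      - master
    paths:
      - "charts/cluster-hoprd/**"

concurrency:
  group: ${{ github.head_ref }}-cluster
  cancel-in-progress: true

jobs:
  bump_version:
    name: Bump version
    runs-on: self-hosted-hoprnet-small
    # The "Commit and push" step writes to the PR branch, so this job needs
    # write access to contents (same as `generate-readme`); no other scope is
    # granted.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # The bump step compares the chart version against existing git
          # tags; a default shallow checkout does not fetch tags, so ask for
          # them explicitly.
          fetch-tags: true

      - name: Bump Chart version
        id: bumping_version
        # Reads `version:` from Chart.yaml; when a tag
        # `helm-cluster-hoprd-<version>` already exists, increments the patch
        # number in place and exposes two outputs: `bumped_version=true` (flag
        # for the commit step) and `bump_version=<new version>` (used in the
        # commit message).
        run: |
          set -euo pipefail
          helm_chart_version=$(grep '^version:' Chart.yaml | sed 's/.*: //')
          git_tag=$(git tag -l "helm-cluster-hoprd-${helm_chart_version}")
          echo "Workspace version is helm-cluster-hoprd-${helm_chart_version} while tagged is ${git_tag}"
          if [ "${git_tag}" = "helm-cluster-hoprd-${helm_chart_version}" ]; then
            patch_number=$(echo "${helm_chart_version}" | sed 's/.*\.//')
            release_number=$(echo "${helm_chart_version}" | sed "s/\.${patch_number}//")
            bump_version="${release_number}.$((patch_number + 1))"
            echo "The helm chart version ${git_tag} already exists, bumping to version helm-cluster-hoprd-${bump_version}"
            sed -i "s/^version: ${helm_chart_version}/version: ${bump_version}/" Chart.yaml
            echo "bumped_version=true" >> "${GITHUB_OUTPUT}"
            echo "bump_version=${bump_version}" >> "${GITHUB_OUTPUT}"
          fi
        working-directory: 'charts/cluster-hoprd/'

      - name: Commit and push
        # Compare against the literal flag rather than relying on the
        # truthiness of an unset output.
        if: ${{ steps.bumping_version.outputs.bumped_version == 'true' }}
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          # Uses the new chart version; the previous message interpolated the
          # boolean `bumped_version` flag and therefore read "... to true".
          commit_message: "Bump Helm chart version to ${{ steps.bumping_version.outputs.bump_version }}"
          repository: .
          commit_user_name: HOPR CI robot
          # The robot address was redacted in the reviewed copy; unquoted, a
          # value starting with `[` parses as a flow sequence, so keep it
          # quoted and restore the real address.
          commit_user_email: "[email protected]"
          commit_author: "HOPR CI robot <[email protected]>"
          skip_fetch: false
          skip_checkout: false
          create_branch: false

  lint:
    name: Lint
    runs-on: self-hosted-hoprnet-small
    # Read-only job: nothing here pushes or writes to GitHub.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          # `latest` is a moving target; pin to a specific Helm release for
          # reproducible lint results.
          version: latest
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Lint
        run: helm lint -f ./values-staging.yaml .
        working-directory: 'charts/cluster-hoprd/'

  package:
    name: Package Helm Chart
    runs-on: self-hosted-hoprnet-small
    # Read-only job: the packaged chart is produced locally and not pushed.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          # See `lint`: prefer a pinned Helm release over `latest`.
          version: latest
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Get Helm chart version
        id: get_version
        # Exposes the chart version from Chart.yaml as the `HELM_CHART_VERSION`
        # step output for the package step.
        run: |
          set -euo pipefail
          HELM_CHART_VERSION=$(grep '^version:' Chart.yaml | sed 's/.*: //')
          echo "HELM_CHART_VERSION=${HELM_CHART_VERSION}" >> "${GITHUB_OUTPUT}"
        working-directory: 'charts/cluster-hoprd/'

      - name: Helm Package
        run: helm package . --version ${{ steps.get_version.outputs.HELM_CHART_VERSION }}
        working-directory: 'charts/cluster-hoprd/'

  trivy:
    name: Helm Security Analysis
    runs-on: ubuntu-latest
    # `security-events: write` was dropped: the scan below uses
    # `format: 'table'` and nothing uploads SARIF to code scanning, so the
    # scope was unused. Re-add it together with a SARIF upload step if the
    # results should appear in the Security tab.
    permissions:
      actions: read
      contents: read
    steps:
      - name: Checkout
        # NOTE(review): the previous pin comment referenced commit
        # 93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 (tag v3.1.0), which does not
        # correspond to the `@v4` ref actually used. Pin to the commit SHA of
        # the v4 release rather than the mutable tag.
        uses: actions/checkout@v4

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          # See `lint`: prefer a pinned Helm release over `latest`.
          version: latest
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up python
        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # tag=v5.1.0
        with:
          # Quoted so the version is read as a string, not a float. No later
          # step in this job references Python; consider removing this step.
          python-version: "3.7"

      - name: Run Trivy vulnerability scanner in IaC mode
        # `@master` is a mutable branch ref and the only unpinned third-party
        # action in this job; pin to a release commit SHA of trivy-action.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'table'
          scan-ref: 'charts/cluster-hoprd/'
          # Any finding fails the job.
          exit-code: '1'
          ignore-unfixed: true
          # severity: 'MEDIUM,HIGH,CRITICAL'
          # trivyignores: '.trivyignore'

  generate-readme:
    name: Generate Readme
    runs-on: self-hosted-hoprnet-small
    # Commits the regenerated README back to the PR branch.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup NodeJs
        uses: actions/setup-node@v4
        with:
          # Quoted so the version is read as a string.
          node-version: "18"

      - name: Install readme-generator-for-helm
        # The package spec was redacted in the reviewed copy (`[email protected]`);
        # install an exact, pinned version of the generator here.
        run: npm install -g @bitnami/[email protected]

      - name: Execute readme-generator-for-helm
        id: generator
        # Regenerates README.md from values.yaml and sets `readme_updated=true`
        # when the generator changed anything under charts/.
        run: |
          set -euo pipefail
          readme-generator --values "charts/cluster-hoprd/values.yaml" --readme "charts/cluster-hoprd/README.md" --schema "/tmp/schema.json"
          if git status -s | grep charts; then
            echo "readme_updated=true" >> "${GITHUB_OUTPUT}"
          fi

      - name: Commit and push
        if: ${{ steps.generator.outputs.readme_updated == 'true' }}
        uses: stefanzweifel/git-auto-commit-action@v5
        with:
          commit_message: Update parameters README.md
          repository: .
          commit_user_name: HOPR CI robot
          # See `bump_version`: redacted address kept quoted; restore the real one.
          commit_user_email: "[email protected]"
          commit_author: "HOPR CI robot <[email protected]>"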