Merge pull request #65 from github/dependabot/github_actions/actions/… #30
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - policy-controller-v* | |
| - trust-policies-v* | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| attestations: write | |
| contents: read | |
| id-token: write | |
| packages: write | |
| env: | |
| REGISTRY: ghcr.io | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Extract Helm chart name and version | |
| id: release-details | |
| run: | | |
| # tag names are in the format <chart-name>-v<semantic-version> | |
| # so we need to extract the chart name | |
| release_name=$(echo -n ${{ github.ref_name }} | awk -F'-v' '{print $1}') | |
| echo release_name=$release_name >> $GITHUB_OUTPUT | |
| # extract the version from the tag name | |
| version=$(echo -n ${{ github.ref_name }} | sed "s/^$release_name-//") | |
| echo release_version=$version >> $GITHUB_OUTPUT | |
| - name: Package Helm chart | |
| run: helm package charts/${{ steps.release-details.outputs.release_name }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push packaged chart to GHCR | |
| run: helm push ${{ github.ref_name }}.tgz oci://${{ env.REGISTRY }}/${{ github.repository }} | |
| - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
| - name: Get pushed chart digest | |
| id: get-digest | |
| run: | | |
| digest=$(crane digest ${{ env.REGISTRY }}/${{ github.repository }}/${{ steps.release-details.outputs.release_name }}:${{ steps.release-details.outputs.release_version }}) | |
| echo digest=$digest >> $GITHUB_OUTPUT | |
| - name: Attest | |
| uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | |
| with: | |
| subject-name: ${{ env.REGISTRY }}/${{ github.repository }}/${{ steps.release-details.outputs.release_name }} | |
| subject-digest: ${{ steps.get-digest.outputs.digest }} | |
| push-to-registry: true |