Merge pull request #7 from GitGuardian/fspiers/-/improve-ci

feat(ci): reworked all ci

Author: ixxeL2097

.github/workflows/pull-request.yaml

@@ -147,6 +147,7 @@ jobs:
 
   publish-chart:
     name: Publish Helm Chart
+    needs: [lint-test]
     runs-on: ubuntu-latest
     steps:
       - uses: azure/[email protected]

.github/workflows/release.yaml

@@ -5,15 +5,22 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  packages: write
+  attestations: write
+  id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  release:
-    permissions:
-      contents: write
-      packages: write
+  publish-chart:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
@@ -22,91 +29,47 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
 
-      - name: Login to Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ vars.REGISTRY }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Login to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to GHCR Helm registry
+        shell: bash
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login \
+            ghcr.io \
+            --username ${{ github.actor }} \
+            --password-stdin
 
       - name: Run chart-releaser
         id: chart-releaser
         uses: helm/[email protected]
         with:
           skip_existing: true
+          skip_packaging: true
+          skip_upload: true
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Install cosign
-        uses: sigstore/[email protected]
-        if: ${{ steps.chart-releaser.outputs.changed_charts }}
-
-      - id: github-repo-owner-name
-        uses: ASzc/change-string-case-action@v6
-        with:
-          string: ${{ github.repository_owner }}
-
-      - name: Upload charts to OCI registries
+      - name: Upload charts to OCI GHCR
         id: upload
         if: ${{ steps.chart-releaser.outputs.changed_charts }}
-        env:
-          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
         run: |
           CHANGED_CHARTS="${{ steps.chart-releaser.outputs.changed_charts }}"
 
-          # Login to primary registry
-          helm registry login --username $REGISTRY_USER --password ${{ secrets.REGISTRY_PASSWORD }} https://${{ vars.REGISTRY }}
-
-          # Login to GHCR
-          helm registry login --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }} https://ghcr.io
-
           RELEASED_CHARTS=""
           for chart_directory in ${CHANGED_CHARTS//,/ }; do
             CHART_NAME=${chart_directory#charts/}
 
             cd $chart_directory
 
-            # Extract version and appVersion from Chart.yaml
             CHART_VERSION=$(yq eval '.version' "Chart.yaml")
             APP_VERSION=$(yq eval '.appVersion' "Chart.yaml")
 
-            # Push to primary registry (Docker Hub)
-            echo "Pushing Helm chart $CHART_NAME-$CHART_VERSION.tgz to oci://${{ vars.REGISTRY }}/${{ vars.REPOSITORY }}"
-            if helm push ${{ github.workspace }}/.cr-release-packages/${CHART_NAME}-${CHART_VERSION}.tgz oci://${{ vars.REGISTRY }}/${{ vars.REPOSITORY }} 2>&1 | tee ${CHART_NAME}-output.log; then
-
-              # Extract digest and sign chart
-              DIGEST=$(cat ${CHART_NAME}-output.log | awk -F '[, ]+' '/Digest/{print $NF}')
-              cosign sign -y --key env://COSIGN_KEY ${{ vars.REGISTRY }}/${{ vars.REPOSITORY }}/${CHART_NAME}:${CHART_VERSION}@$DIGEST
-
-              RELEASED_CHARTS="$RELEASED_CHARTS ${CHART_NAME}"
-              echo "Successfully released $CHART_NAME-$CHART_VERSION to primary registry"
-            else
-              echo "Failed to push $CHART_NAME-$CHART_VERSION to primary registry"
-              cat ${CHART_NAME}-output.log
-              exit 1
-            fi
+            helm package . --app-version=${APP_VERSION} --version=${CHART_VERSION}
 
             # Push to GHCR
-            echo "Pushing Helm chart $CHART_NAME-$CHART_VERSION.tgz to oci://ghcr.io/${{ steps.github-repo-owner-name.outputs.lowercase }}/helm-charts"
-            if helm push ${{ github.workspace }}/.cr-release-packages/${CHART_NAME}-${CHART_VERSION}.tgz oci://ghcr.io/${{ steps.github-repo-owner-name.outputs.lowercase }}/helm-charts 2>&1 | tee ${CHART_NAME}-ghcr-output.log; then
-
-              # Extract digest and sign GHCR chart
-              GHCR_DIGEST=$(cat ${CHART_NAME}-ghcr-output.log | awk -F '[, ]+' '/Digest/{print $NF}')
-              cosign sign -y --key env://COSIGN_KEY ghcr.io/${{ steps.github-repo-owner-name.outputs.lowercase }}/helm-charts/${CHART_NAME}:${CHART_VERSION}@$GHCR_DIGEST
-
+            echo "Pushing Helm chart $CHART_NAME-$CHART_VERSION.tgz to oci://ghcr.io/${{ github.event.repository.name }}"
+            if helm push ${{ github.workspace }}/$CHART_NAME-$CHART_VERSION.tgz oci://ghcr.io/${{ github.event.repository.name }}; then
               echo "Successfully released $CHART_NAME-$CHART_VERSION to GHCR"
             else
               echo "Failed to push $CHART_NAME-$CHART_VERSION to GHCR"
-              cat ${CHART_NAME}-ghcr-output.log
               exit 1
             fi