linuxfoundation · dealako · Jul 31, 2025 · Jul 30, 2025 · Jul 31, 2025 · Jul 31, 2025
@@ -0,0 +1,60 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+name: Docker Build - Main Branch
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=development
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_ENV=production
@@ -0,0 +1,139 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+name: Docker Build - Release
+
+on:
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  COSIGN_VERSION: v2.5.3
+  HELM_VERSION: v3.18.4
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    outputs:
+      app_version: ${{ steps.prepare.outputs.app_version }}
+      chart_name: ${{ steps.prepare.outputs.chart_name }}
+      chart_version: ${{ steps.prepare.outputs.chart_version }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Prepare versions and chart name
+        id: prepare
+        run: |
+          set -euo pipefail
+          APP_VERSION=$(echo ${{ github.ref_name }} | sed 's/v//g')
+          CHART_NAME="$(yq '.name' charts/*/Chart.yaml)"
+          CHART_VERSION="$(yq '.version' charts/*/Chart.yaml)"
+          {
+            echo "app_version=$APP_VERSION"
+            echo "chart_name=$CHART_NAME"
+            echo "chart_version=$CHART_VERSION"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_ENV=production
+
+  release-helm-chart:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    outputs:
+      digest: ${{ steps.publish-ghcr.outputs.digest }}
+      image_name: ${{ steps.publish-ghcr.outputs.image_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Publish Chart to GHCR
+        id: publish-ghcr
+        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@c465d6571fa0b8be9d551d902955164ea04a00af # main
+        with:
+          name: ${{ needs.build-and-push.outputs.chart_name }}
+          repository: ${{ github.repository }}/chart
+          chart_version: ${{ needs.build-and-push.outputs.chart_version }}
+          app_version: ${{ needs.build-and-push.outputs.app_version }}
+          registry: ghcr.io
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        with:
+          cosign-release: "${{ env.COSIGN_VERSION }}"
+
+      - name: Login to GitHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the Helm chart in GHCR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          cosign sign --yes '${{ steps.publish-ghcr.outputs.image_name }}@${{ steps.publish-ghcr.outputs.digest }}'
+
+  create-ghcr-helm-provenance:
+    needs:
+      - release-helm-chart
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release-helm-chart.outputs.image_name }}
+      digest: ${{ needs.release-helm-chart.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,16 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+apiVersion: v2
+name: lfx-v2-pcc-ui
+description: A Helm chart for LFX Project Control Center UI - Angular SSR application with Express backend
+type: application
+version: 0.1.0
+appVersion: "latest"
+keywords:
+  - lfx
+  - project-control-center
+  - ui
+home: https://github.com/linuxfoundation/lfx-v2-pcc-ui
+sources:
+  - https://github.com/linuxfoundation/lfx-v2-pcc-ui
@@ -0,0 +1,90 @@
+# LFX V2 PCC UI Helm Chart
+
+This Helm chart deploys the LFX V2 PCC UI application, which is an Angular SSR application with Express backend for the LFX Project Control Center.
+
+## Configuration
+
+### Required Configuration
+
+The following values must be configured before deployment:
+
+```yaml
+environment:
+  PCC_BASE_URL:
+    value: ''
+  PCC_AUTH0_CLIENT_ID:
+    value: ''
+  PCC_AUTH0_CLIENT_SECRET:
+    value: ''
+  SUPABASE_URL:
+    value: ''
+  POSTGRES_API_KEY:
+    value: ''
+```
+
+These can also be set from a secret
+
+```yaml
+POSTGRES_API_KEY:
+  value: ''
+  valueFrom:
+    secretKeyRef:
+      name: pcc-env-secrets
+      key: api_key
+```
+
+### Global Parameters
+
+| Parameter                 | Description                         | Default |
+| ------------------------- | ----------------------------------- | ------- |
+| `global.imageRegistry`    | Global Docker image registry        | `""`    |
+| `global.imagePullSecrets` | Global Docker registry secret names | `[]`    |
+
+### Application Parameters
+
+| Parameter           | Description        | Default                                 |
+| ------------------- | ------------------ | --------------------------------------- |
+| `replicaCount`      | Number of replicas | `1`                                     |
+| `image.registry`    | Image registry     | `""`                                    |
+| `image.repository`  | Image repository   | `ghcr.io/linuxfoundation/lfx-v2-pcc-ui` |
+| `image.tag`         | Image tag          | `"latest"`                              |
+| `image.pullPolicy`  | Image pull policy  | `IfNotPresent`                          |
+| `image.pullSecrets` | Image pull secrets | `[]`                                    |
+
+### Environment Variables
+
+| Parameter                               | Description                        | Required | Default                                                          |
+| --------------------------------------- | ---------------------------------- | -------- | ---------------------------------------------------------------- |
+| `environment.NODE_ENV`                  | Node.js environment                | No       | `production`                                                     |
+| `environment.PORT`                      | Application port                   | No       | `4000`                                                           |
+| `environment.COREPACK_HOME`             | Corepack cache directory           | No       | `/home/appuser/.cache/node/corepack`                             |
+| `environment.XDG_CACHE_HOME`            | XDG cache directory                | No       | `/home/appuser/.cache`                                           |
+| `environment.TMPDIR`                    | Temporary directory                | No       | `/tmp`                                                           |
+| `environment.PCC_BASE_URL`              | Base URL for the PCC application   | Yes      | `https://pcc.k8s.orb.local`                                      |
+| `environment.PCC_AUTH0_ISSUER_BASE_URL` | Auth0 issuer base URL              | No       | `https://linuxfoundation-dev.auth0.com/`                         |
+| `environment.PCC_AUTH0_AUDIENCE`        | Auth0 audience                     | No       | `https://api-gw.dev.platform.linuxfoundation.org/`               |
+| `environment.ENV`                       | Environment name                   | Yes      | `production`                                                     |
+| `environment.QUERY_SERVICE_URL`         | Query service URL                  | No       | `http://query-service.default.svc.cluster.local/query/resources` |
+| `environment.PCC_AUTH0_CLIENT_ID`       | Auth0 client ID (secret)           | Yes      |                                                                  |
+| `environment.PCC_AUTH0_CLIENT_SECRET`   | Auth0 client secret (secret)       | Yes      |                                                                  |
+| `environment.SUPABASE_URL`              | Supabase URL (secret)              | Yes      |                                                                  |
+| `environment.POSTGRES_API_KEY`          | Supabase Postgres API key (secret) | Yes      |                                                                  |
+
+### Service Parameters
+
+| Parameter             | Description         | Default     |
+| --------------------- | ------------------- | ----------- |
+| `service.type`        | Service type        | `ClusterIP` |
+| `service.port`        | Service port        | `80`        |
+| `service.targetPort`  | Target port         | `4000`      |
+| `service.annotations` | Service annotations | `{}`        |
+
+### Ingress Parameters
+
+| Parameter             | Description                 | Default |
+| --------------------- | --------------------------- | ------- |
+| `ingress.enabled`     | Enable ingress              | `false` |
+| `ingress.className`   | Ingress class name          | `""`    |
+| `ingress.annotations` | Ingress annotations         | `{}`    |
+| `ingress.hosts`       | Ingress hosts configuration | `[]`    |
+| `ingress.tls`         | Ingress TLS configuration   | `[]`    |