f.weber/bookstack-chart
1
0
Fork 0
Code Issues Pull Requests Actions Releases 2 Activity
bookstack-chart/.gitea/workflows/package-and-deploy.yaml
Florian 8ed24361bf
All checks were successful
Package & Sign Helm Chart / build (release) Successful in 1m24s
Details
Removed invisible chars and printing of signing key in workflows file
2025-06-12 19:50:18 +02:00

83 lines
2.6 KiB
YAML
Raw Blame History

name: Package & Sign Helm Chart
on:
release:
types: [published]
jobs:
build:
runs-on: ubuntu-24.04
env:
CHART_DIR: bookstack/
CHART_VERSION: ${{ github.event.release.tag_name }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
steps:
# 1) Code auschecken
- uses: actions/checkout@v4
# 2) Helm installieren
- uses: azure/setup-helm@v4.3.0
with:
version: latest
id: install
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
trust_level: 5
# 3) "Generation-1"-Secret-Ring für Helm erzeugen (TMP, 600 Rechte)
- name: Build legacy secret-keyring
run: |
set -euo pipefail
install -m 700 -d /tmp/gpgring
gpg --batch --yes --pinentry-mode loopback \
--passphrase "$PASSPHRASE" \
--export-secret-keys "$GPG_KEY_ID" \
>/tmp/gpgring/secring.gpg
chmod 600 /tmp/gpgring/secring.gpg
echo "$PASSPHRASE" > /tmp/gpgring/passphrase.txt
chmod 600 /tmp/gpgring/passphrase.txt
# 4) Chart bauen & signieren
- name: Package & sign chart
run: |
cp README.md "$CHART_DIR"/
helm dependency build "$CHART_DIR"
helm package "$CHART_DIR" \
--version "$CHART_VERSION" \
--sign \
--key "Morlana Signing" \
--keyring /tmp/gpgring/secring.gpg \
--passphrase-file /tmp/gpgring/passphrase.txt
# 5) In dein internes Chart-Repo hochladen
- name: Upload to ChartMuseum
env:
REPO_CREDENTIALS: ${{ secrets.REPO_CREDENTIALS }}
run: |
curl -H "Authorization: Basic $REPO_CREDENTIALS" \
-F "chart=@bookstack-$CHART_VERSION.tgz" \
-F "prov=@bookstack-$CHART_VERSION.tgz.prov" \
https://charts.morlana.net/api/charts
# 6) Public-Key aus Repo beilegen und als Release-Asset anhängen
- name: Attach release assets
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.event.release.tag_name }}
files: |
bookstack-${{ env.CHART_VERSION }}.tgz
bookstack-${{ env.CHART_VERSION }}.tgz.prov
pubkeys/morlana.asc
# 7) Aufräumen (optional, Runner ist ohnehin kurzlebig)
- name: Cleanup sensitive files
if: ${{ always() }}
run: rm -rf /tmp/gpgring
View Git Blame Copy Permalink