# Copyright Broadcom, Inc. All Rights Reserved. # SPDX-License-Identifier: APACHE-2.0 name: '[CI/CD] CD Pipeline' on: # rebuild any PRs and main branch changes push: branches: - main paths: - 'bitnami/**' - '!**.md' # Remove all permissions by default. permissions: {} jobs: get-chart: runs-on: ubuntu-latest name: 'Get modified charts' permissions: contents: read outputs: chart: ${{ steps.get-chart.outputs.chart }} result: ${{ steps.get-chart.outputs.result }} steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 with: path: charts fetch-depth: 2 # to be able to obtain files changed in the latest commit - id: get-chart name: 'Get modified charts' run: | cd charts files_changed="$(git show --pretty="" --name-only)" # Adding || true to avoid "Process exited with code 1" errors charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*" | sort | uniq || true)" # Using grep -c as a better alternative to wc -l when dealing with empty strings." num_charts_changed="$(echo "$charts_dirs_changed" | grep -c "bitnami" || true)" num_version_bumps="$(echo "$files_changed" | grep Chart.yaml | xargs git show | grep -c "+version" || true)" if [[ "$num_charts_changed" -ne "$num_version_bumps" ]]; then # Changes done in charts but version not bumped -> ERROR charts_changed_str="$(echo ${charts_dirs_changed[@]})" echo "error=Detected changes in charts without version bump in Chart.yaml. Charts changed: ${num_charts_changed} ${charts_changed_str}. Version bumps detected: ${num_version_bumps}" >> $GITHUB_OUTPUT echo "result=fail" >> $GITHUB_OUTPUT elif [[ "$num_charts_changed" -eq "1" ]]; then # Changes done in only one chart -> OK chart_name=$(echo "$charts_dirs_changed" | sed "s|bitnami/||g") echo "chart=${chart_name}" >> $GITHUB_OUTPUT echo "result=ok" >> $GITHUB_OUTPUT else # Changes done in more than chart -> FAIL charts_changed_str="$(echo ${charts_dirs_changed[@]})" echo "error=Changes detected in more than one chart directory: ${charts_changed_str}. The publish process will be stopped. Please create different commits for each chart." >> $GITHUB_OUTPUT echo "result=fail" >> $GITHUB_OUTPUT fi - id: show-error name: 'Show error' if: ${{ steps.get-chart.outputs.result == 'fail' }} uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea with: script: | core.setFailed('${{ steps.get-chart.outputs.error }}') vib-publish: runs-on: ubuntu-latest needs: get-chart if: ${{ needs.get-chart.outputs.result == 'ok' }} name: VIB Publish permissions: contents: read env: CSP_API_URL: https://console.cloud.vmware.com CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }} VIB_PUBLIC_URL: https://cp.bromelia.vmware.com steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 name: Checkout Repository with: path: charts - uses: vmware-labs/vmware-image-builder-action@v0 name: Publish ${{ needs.get-chart.outputs.chart }} with: pipeline: ${{ needs.get-chart.outputs.chart }}/vib-publish.json config: charts/.vib/ env: VIB_ENV_S3_URL: s3://${{ secrets.AWS_S3_BUCKET }}/bitnami VIB_ENV_S3_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }} VIB_ENV_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }} VIB_ENV_S3_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }} update-index: runs-on: ubuntu-latest needs: - vib-publish name: Update charts index steps: - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a with: path: ~/artifacts # If we perform a checkout of the main branch, we will find conflicts with the submodules - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 with: ref: 'index' path: index # The token is persisted in the local git config and enables scripts to run authenticated git commands. token: ${{ secrets.BITNAMI_BOT_TOKEN }} - name: Install helm run: | HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz" curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin # Install file plugin helm plugin add https://github.com/zoobab/helm_file_repo - id: update-index name: Fetch chart and update index env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }} AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }} AWS_DEFAULT_REGION: us-east-1 run: | # Configure AWS account export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn ${AWS_ASSUME_ROLE_ARN} --role-session-name GitHubCharts --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text)) # Extract chart release metadata from the publish report file vib_publish_report_file=$(find ~/artifacts -name "report.json" -print -quit) chart_name=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.name' $vib_publish_report_file) chart_version=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.version' $vib_publish_report_file) # Download published asset mkdir download aws s3 cp s3://${{ secrets.AWS_S3_BUCKET }}/bitnami/${chart_name}-${chart_version}.tgz download/ cd index git config user.name "Bitnami Containers" git config user.email "bitnami-bot@vmware.com" attempts=0 max_attempts=5 is_index_updated=0 while [[ $attempts -lt $max_attempts && $is_index_updated -eq 0 ]]; do attempts=$((attempts + 1)) # Pull changes from remote git fetch origin index current_commit_id=$(git rev-parse origin/index) git reset --hard $(git commit-tree origin/index^{tree} -m "Update index.yaml") # Rebuild index helm repo index --url https://charts.bitnami.com/bitnami --merge bitnami/index.yaml ../download # Compare size of files if [[ $(stat -c%s bitnami/index.yaml) -gt $(stat -c%s ../download/index.yaml) ]]; then echo "New index.yaml file is shorter than the current one" exit 1 fi # Adding tmp file as a helm repo if ! helm repo add cache file://../download/ ; then echo "New index.yaml file can't be indexed" exit 1 fi cp ../download/index.yaml bitnami/index.yaml # Push changes git add bitnami/index.yaml && git commit --signoff --amend --no-edit git push origin index --force-with-lease=index:${current_commit_id} && is_index_updated=1 || echo "Failed to push during attempt $attempts" done if [[ $is_index_updated -ne 1 ]]; then echo "Could not update the index after $max_attempts attempts" exit 1 fi push-tag: runs-on: ubuntu-latest permissions: contents: write needs: - get-chart - vib-publish name: Push tag if: ${{ needs.get-chart.outputs.result == 'ok' }} steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 with: path: charts fetch-depth: 2 # to be able to obtain files changed in the latest commit - id: push-tag name: 'Push tag' env: CHART: ${{ needs.get-chart.outputs.chart }} run: | cd charts # Get chart version and list of tags chart_version="$(yq e '.version' bitnami/${CHART}/Chart.yaml)" git fetch --tags # If the tag does not exist, create and push it (this allows re-executing the job) if ! git tag | grep ${CHART}/${chart_version}; then git tag ${CHART}/${chart_version} git push --tags fi # If the CD Pipeline does not succeed we should notify the interested agents slack-notif: runs-on: ubuntu-latest needs: - vib-publish - update-index if: always() name: Notify unsuccessful CD run steps: - name: Notify in Slack channel if: ${{ needs.update-index.result != 'success' }} uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e with: channel-id: ${{ secrets.CD_SLACK_CHANNEL_ID }} payload: | { "attachments": [ { "color": "#CC0000", "fallback": "Unsuccessful bitnami/charts CD pipeline", "blocks": [ { "type": "section", "text": { "type": "mrkdwn", "text": "*Unsuccessful `bitnami/charts` CD pipeline*" } }, { "type": "section", "text": { "type": "mrkdwn", "text": "The CD pipeline for <${{ github.event.head_commit.url }}|bitnami/charts@${{ github.event.head_commit.id }}> did not succeed. Check the related <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|action run> for more information." } } ] } ] } env: SLACK_BOT_TOKEN: ${{ secrets.CD_SLACK_BOT_TOKEN }}