bitnami
/
charts


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185
							# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

name: '[CI/CD] CD Pipeline'
on: # rebuild any PRs and main branch changes
  push:
    branches:
      - main
    paths:
      - 'bitnami/**'
      - '!**.md'
# Remove all permissions by default.
permissions: {}
jobs:
  get-chart:
    runs-on: ubuntu-latest
    name: 'Get modified charts'
    permissions:
      contents: read
    outputs:
      chart: ${{ steps.get-chart.outputs.chart }}
      result: ${{ steps.get-chart.outputs.result }}
    if: ${{ github.repository_owner == 'bitnami' }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          path: charts
          fetch-depth: 2 # to be able to obtain files changed in the latest commit
      - id: get-chart
        name: 'Get modified charts'
        run: |
          cd charts
          files_changed="$(git show --pretty="" --name-only)"
          # Adding || true to avoid "Process exited with code 1" errors
          charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "bitnami/[^/]*" | sort | uniq || true)"
          # Using grep -c as a better alternative to wc -l when dealing with empty strings."
          num_charts_changed="$(echo "$charts_dirs_changed" | grep -c "bitnami" || true)"
          num_version_bumps="$(echo "$files_changed" | grep  "bitnami/[^/]*/Chart.yaml" | xargs git show | grep -c "+version" || true)"

          if [[ "$num_charts_changed" -ne "$num_version_bumps" ]]; then
            # Changes done in charts but version not bumped -> ERROR
            charts_changed_str="$(echo ${charts_dirs_changed[@]})"
            echo "error=Detected changes in charts without version bump in Chart.yaml. Charts changed: ${num_charts_changed} ${charts_changed_str}. Version bumps detected: ${num_version_bumps}" >> $GITHUB_OUTPUT
            echo "result=fail" >> $GITHUB_OUTPUT
          elif [[ "$num_charts_changed" -eq "1" ]]; then
            # Changes done in only one chart -> OK
            chart_name=$(echo "$charts_dirs_changed" | sed "s|bitnami/||g")
            echo "chart=${chart_name}" >> $GITHUB_OUTPUT
            echo "result=ok" >> $GITHUB_OUTPUT
          else
            # Changes done in more than chart -> FAIL
            charts_changed_str="$(echo ${charts_dirs_changed[@]})"
            echo "error=Changes detected in more than one chart directory: ${charts_changed_str}. The publish process will be stopped. Please create different commits for each chart." >> $GITHUB_OUTPUT
            echo "result=fail" >> $GITHUB_OUTPUT
          fi
      - id: show-error
        name: 'Show error'
        if: ${{ steps.get-chart.outputs.result == 'fail' }}
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
        with:
          script: |
              core.setFailed('${{ steps.get-chart.outputs.error }}')
  vib-publish:
    runs-on: ubuntu-latest
    needs: get-chart
    if: ${{ needs.get-chart.outputs.result == 'ok' }}
    name: VIB Publish
    permissions:
      contents: read
    env:
      CSP_API_URL: https://console.tanzu.broadcom.com
      CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
      VIB_PUBLIC_URL: ${{ vars.VIB_PUBLIC_URL }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        name: Checkout Repository
        with:
          path: charts
      - uses: vmware-labs/vmware-image-builder-action@v0
        name: Publish ${{ needs.get-chart.outputs.chart }}
        with:
          pipeline: ${{ needs.get-chart.outputs.chart }}/vib-publish.json
          config: charts/.vib/
        env:
          VIB_PUBLIC_URL: ${{ vars.VIB_PUBLIC_URL }}
          VIB_ENV_S3_URL: s3://${{ secrets.AWS_S3_BUCKET }}/bitnami
          VIB_ENV_S3_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }}
          VIB_ENV_S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }}
          VIB_ENV_S3_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }}
          # Set docker credentials
          VIB_ENV_CHARTS_REGISTRY: oci://registry-1.docker.io/bitnamicharts
          VIB_ENV_CHARTS_REGISTRY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          VIB_ENV_CHARTS_REGISTRY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
  update-deprecated-index:
    runs-on: ubuntu-latest
    needs:
      - vib-publish
    name: Update branch deprecated-index
    steps:
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
        with:
          path: ~/artifacts
      # If we perform a checkout of the main branch, we will find conflicts with the submodules
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          ref: 'deprecated-index'
          path: 'deprecated-index'
          # The token is persisted in the local git config and enables scripts to run authenticated git commands.
          token: ${{ secrets.BITNAMI_BOT_TOKEN }}
      - name: Install helm
        run: |
          HELM_TARBALL="helm-v3.8.1-linux-amd64.tar.gz"
          curl -SsLfO "https://get.helm.sh/${HELM_TARBALL}" && sudo tar xf "$HELM_TARBALL" --strip-components 1 -C /usr/local/bin
          # Install file plugin
          helm plugin add https://github.com/zoobab/helm_file_repo
      - id: update-deprecated-index
        name: Fetch chart and update depreacted-index
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_PUBLISH_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PUBLISH_SECRET_ACCESS_KEY }}
          AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_PUBLISH_ROLE_ARN }}
          AWS_MAX_ATTEMPTS: 3
          AWS_DEFAULT_REGION: us-east-1
        run: |
          # Configure AWS account
          export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn ${AWS_ASSUME_ROLE_ARN} --role-session-name GitHubCharts --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text))
          # Extract chart release metadata from the publish report file
          vib_publish_report_file=$(find ~/artifacts -name "report.json" -print -quit)
          chart_name=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.name' $vib_publish_report_file)
          chart_version=$(jq -re '.actions|map(select(.action_id == "helm-publish"))[0] | .application.version' $vib_publish_report_file)
          # Download published asset
          mkdir download
          aws s3 cp s3://${{ secrets.AWS_S3_BUCKET }}/bitnami/${chart_name}-${chart_version}.tgz download/

          cd deprecated-index
          git config user.name "Bitnami Bot"
          git config user.email "bitnami.bot@broadcom.com"

          attempts=0
          max_attempts=5
          is_index_updated=0
          while [[ $attempts -lt $max_attempts && $is_index_updated -eq 0 ]]; do
            attempts=$((attempts + 1))

            # Pull changes from remote
            git fetch origin deprecated-index
            current_commit_id=$(git rev-parse origin/deprecated-index)
            git reset --hard $(git commit-tree origin/deprecated-index^{tree} -m "Update index.yaml")

            # Rebuild index
            helm repo index --url https://charts.bitnami.com/bitnami --merge bitnami/index.yaml ../download
            # Compare size of files
            if [[ $(stat -c%s bitnami/index.yaml) -gt $(stat -c%s ../download/index.yaml) ]]; then
              echo "New index.yaml file is shorter than the current one"
              exit 1
            fi
            # Adding tmp file as a helm repo
            if ! helm repo add cache file://../download/ ; then
              echo "New index.yaml file can't be indexed"
              exit 1
            fi

            cp ../download/index.yaml bitnami/index.yaml

            # Push changes
            git add bitnami/index.yaml && git commit --signoff --amend --no-edit
            git push origin deprecated-index --force-with-lease=deprecated-index:${current_commit_id} && is_index_updated=1 || echo "Failed to push during attempt $attempts"
          done

          if [[ $is_index_updated -ne 1 ]]; then
            echo "Could not update the index after $max_attempts attempts"
            exit 1
          fi
  notify:
    name: Send notification
    needs:
      - vib-publish
      - update-deprecated-index
    if: ${{ always() && (needs.vib-publish.result == 'failure' || needs.update-deprecated-index.result == 'failure') }}
    uses: bitnami/support/.github/workflows/gchat-notification.yml@main
    with:
      workflow: ${{ github.workflow }}
      job-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
    secrets:
      webhook-url: ${{ secrets.GCHAT_CONTENT_ALERTS_WEBHOOK_URL }}