feat(ci): using separate workflows for gitguardian

Author: Frederic Spiers

.github/workflows/pull-request-gitguardian.yaml

@@ -0,0 +1,127 @@
+name: "Pull Request GitGuardian"
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+    branches:
+      - main
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.list-changed.outputs.changed }}
+      changedCharts: ${{ steps.list-changed.outputs.changedCharts }}
+    steps:
+      - name: Setup Helm
+        uses: Azure/setup-helm@v4.3.1
+        with:
+          version: 'v3.19.2'
+
+      - name: Checkout pull request branch
+        uses: actions/checkout@v5.0.0
+        with:
+          ref: ${{ github.head_ref }}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          fetch-depth: 0
+
+      # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
+      # yamllint (https://github.com/adrienverge/yamllint) which require Python
+      - name: Set up Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: 3.13
+
+      - name: Set up chart-testing-action
+        uses: helm/chart-testing-action@v2.8.0
+
+      - name: Get changed charts
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "Changed charts:"
+            echo "$changed"
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo 'changedCharts<<EOF' >> $GITHUB_OUTPUT
+            echo $changed >> $GITHUB_OUTPUT
+            echo 'EOF' >> $GITHUB_OUTPUT
+          else
+            echo "No chart changes detected"
+          fi
+
+      - name: Installing plugin helm-unittest
+        if: steps.list-changed.outputs.changed == 'true'
+        run: helm plugin install https://github.com/helm-unittest/helm-unittest >/dev/null
+
+      - name: Run chart testing (lint & unittest)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --validate-maintainers=false --additional-commands "helm unittest {{ .Path }}"
+
+  publish-chart:
+    name: Publish Helm Chart
+    needs: [lint-test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: azure/setup-helm@v4.3.1
+        with:
+          version: 'v3.19.2'
+
+      - name: Checkout pull request branch
+        uses: actions/checkout@v5.0.0
+        with:
+          ref: ${{ github.head_ref }}
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          fetch-depth: 0
+
+      - name: Set up chart-testing-action
+        uses: helm/chart-testing-action@v2.8.0
+
+      - name: Get changed charts
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "Changed charts:"
+            echo "$changed"
+            
+            changed_list=$(echo "$changed" | tr '\n' ',' | sed 's/,$//')
+            echo "changed=$changed_list" >> $GITHUB_OUTPUT
+          else
+            echo "No chart changes detected"
+          fi
+
+      - name: Publish Helm chart to ttl
+        id: upload
+        if: ${{ steps.list-changed.outputs.changed }}
+        run: |
+          CHANGED_CHARTS="${{ steps.list-changed.outputs.changed }}"
+
+          RELEASED_CHARTS=""
+          for chart_directory in ${CHANGED_CHARTS//,/ }; do
+            CHART_NAME=${chart_directory#charts/}
+
+            cd $chart_directory
+
+            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+            CHART_VERSION="0.1.0-${{ github.run_number }}"
+            APP_VERSION="unstable-${SHORT_SHA}"
+
+            helm dep update .
+            helm lint --strict .
+            helm package . --app-version=${APP_VERSION} --version=${CHART_VERSION}
+
+            # Push to GHCR
+            echo "Pushing Helm chart $CHART_NAME-$CHART_VERSION.tgz to oci://ttl.sh/${{ github.event.repository.name }}"
+            if helm push ./$CHART_NAME-$CHART_VERSION.tgz oci://ttl.sh/${{ github.event.repository.name }}; then
+              echo "Successfully released $CHART_NAME-$CHART_VERSION to ttl.sh"
+            else
+              echo "Failed to push $CHART_NAME-$CHART_VERSION to ttl.sh"
+              exit 1
+            fi
+
+            cd ${{ github.workspace }}
+          done
+          echo "released_charts=$RELEASED_CHARTS" >> "$GITHUB_OUTPUT"

.github/workflows/pull-request.yaml

@@ -1,6 +1,6 @@
 name: "Pull Request"
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - reopened
@@ -17,8 +17,6 @@ jobs:
     steps:
       - name: Setup Helm
         uses: Azure/setup-helm@v4.3.1
-        with:
-          version: 'v3.19.2'
 
       - name: Checkout pull request branch
         uses: actions/checkout@v5.0.0
@@ -32,10 +30,10 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: 3.13
+          python-version: 3.x
 
       - name: Set up chart-testing-action
-        uses: helm/chart-testing-action@v2.8.0
+        uses: helm/chart-testing-action@v2.7.0
 
       - name: Get changed charts
         id: list-changed
@@ -145,70 +143,4 @@ jobs:
             git push
           else
             echo "No changed CHANGELOGS, skip push"
-          fi
-
-  publish-chart:
-    name: Publish Helm Chart
-    needs: [lint-test]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: azure/setup-helm@v4.3.1
-        with:
-          version: 'v3.19.2'
-
-      - name: Checkout pull request branch
-        uses: actions/checkout@v5.0.0
-        with:
-          ref: ${{ github.head_ref }}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
-          fetch-depth: 0
-
-      - name: Set up chart-testing-action
-        uses: helm/chart-testing-action@v2.8.0
-
-      - name: Get changed charts
-        id: list-changed
-        run: |
-          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
-          if [[ -n "$changed" ]]; then
-            echo "Changed charts:"
-            echo "$changed"
-            
-            changed_list=$(echo "$changed" | tr '\n' ',' | sed 's/,$//')
-            echo "changed=$changed_list" >> $GITHUB_OUTPUT
-          else
-            echo "No chart changes detected"
-          fi
-
-      - name: Publish Helm chart to ttl
-        id: upload
-        if: ${{ steps.list-changed.outputs.changed }}
-        run: |
-          CHANGED_CHARTS="${{ steps.list-changed.outputs.changed }}"
-
-          RELEASED_CHARTS=""
-          for chart_directory in ${CHANGED_CHARTS//,/ }; do
-            CHART_NAME=${chart_directory#charts/}
-
-            cd $chart_directory
-
-            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-            CHART_VERSION="0.1.0-${{ github.run_number }}"
-            APP_VERSION="unstable-${SHORT_SHA}"
-
-            helm dep update .
-            helm lint --strict .
-            helm package . --app-version=${APP_VERSION} --version=${CHART_VERSION}
-
-            # Push to GHCR
-            echo "Pushing Helm chart $CHART_NAME-$CHART_VERSION.tgz to oci://ttl.sh/${{ github.event.repository.name }}"
-            if helm push ./$CHART_NAME-$CHART_VERSION.tgz oci://ttl.sh/${{ github.event.repository.name }}; then
-              echo "Successfully released $CHART_NAME-$CHART_VERSION to ttl.sh"
-            else
-              echo "Failed to push $CHART_NAME-$CHART_VERSION to ttl.sh"
-              exit 1
-            fi
-
-            cd ${{ github.workspace }}
-          done
-          echo "released_charts=$RELEASED_CHARTS" >> "$GITHUB_OUTPUT"
+          fi

.github/workflows/release-gitguardian.yaml

@@ -0,0 +1,75 @@
+name: Release Charts GitGuardian
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  packages: write
+  attestations: write
+  id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  publish-chart:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+      - name: Login to GHCR Helm registry
+        shell: bash
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login \
+            ghcr.io \
+            --username ${{ github.actor }} \
+            --password-stdin
+
+      - name: Run chart-releaser
+        id: chart-releaser
+        uses: helm/chart-releaser-action@v1.7.0
+        with:
+          skip_existing: true
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Upload charts to OCI GHCR
+        id: upload
+        if: ${{ steps.chart-releaser.outputs.changed_charts }}
+        run: |
+          CHANGED_CHARTS="${{ steps.chart-releaser.outputs.changed_charts }}"
+          REPO_LOWER=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+
+          RELEASED_CHARTS=""
+          for chart_directory in ${CHANGED_CHARTS//,/ }; do
+            CHART_NAME=${chart_directory#charts/}
+
+            cd $chart_directory
+
+            CHART_VERSION=$(yq eval '.version' "Chart.yaml")
+            APP_VERSION=$(yq eval '.appVersion' "Chart.yaml")
+
+            # Push to GHCR
+            echo "Pushing Helm chart $CHART_NAME-$CHART_VERSION.tgz to oci://ghcr.io/${REPO_LOWER}"
+            if helm push ${{ github.workspace }}/.cr-release-packages/${CHART_NAME}-${CHART_VERSION}.tgz oci://ghcr.io/${REPO_LOWER}; then
+              echo "Successfully released $CHART_NAME-$CHART_VERSION to GHCR"
+            else
+              echo "Failed to push $CHART_NAME-$CHART_VERSION to GHCR"
+              exit 1
+            fi
+
+            cd ${{ github.workspace }}
+          done
+          echo "released_charts=$RELEASED_CHARTS" >> "$GITHUB_OUTPUT"