.github/workflows/publish-release.yaml

name: Publish Release

on:
  workflow_dispatch:
    inputs:
      chart:
        description: 'Chart version (e.g. 2.11.3)'
        required: true
        type: string

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
      controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
      kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal
      kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal
    steps:
      # Checkout and set env
      - name: Checkout
        uses: actions/checkout@v3.1.0
        with:
          fetch-depth: 0
      - id: load-version
        run: |
          source $GITHUB_WORKSPACE/versions.env
          echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
      - name: Set up Go
        uses: actions/setup-go@v3.3.1
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Setup kubecfg
        run: |
          mkdir -p ~/bin
          curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
          chmod +x ~/bin/kubecfg

      - name: Install dependencies
        run: |
          go install gotest.tools/gotestsum@v1.8.1

      # Setup env tools to copy images
      - name: Set up regctl
        uses: iarekylew00t/regctl-installer@v1
        with:
          regctl-release: v0.4.7

      # Check Release
      - name: Check Release
        run: |
          VERSION_TAG=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v)
          echo "Tag looking for $VERSION_TAG"
          CHECK_CONTROLLER=$(./scripts/release-check ${{ env.controller_dockerhub_image_name }} $VERSION_TAG)
          CHECK_KUBESEAL=$(./scripts/release-check ${{ env.kubeseal_dockerhub_image_name }} $VERSION_TAG)
          echo "RELEASE=$(($CHECK_CONTROLLER * $CHECK_KUBESEAL))" >> $GITHUB_ENV
          echo "VERSION_TAG=$VERSION_TAG" >> $GITHUB_ENV
          echo "GORELEASER_CURRENT_TAG=v$VERSION_TAG" >> $GITHUB_ENV

      # Run tests
      - name: Tests
        if: env.RELEASE == 1
        run: make test

      # Generate K8s manifests
      - name: K8s manifests
        if: env.RELEASE == 1
        run: |
          export PATH=~/bin:$PATH
          make CONTROLLER_IMAGE=${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} controller.yaml controller-norbac.yaml

      # Setup Cosign
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.4.0
        with:
          cosign-release: v2.2.3

        if: env.RELEASE == 1
      - name: Write Cosign key
        if: env.RELEASE == 1
        run: echo "$COSIGN_KEY" > /tmp/cosign.key
        env:
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}

      - name: Checkout version
        run: git checkout "$GORELEASER_CURRENT_TAG"

      # Build & Release binaries
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v3.1.0
        if: success() && startsWith(github.ref, 'refs/heads/') && env.RELEASE == 1
        with:
          version: v1.10.3
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      # Build & Publish multi-arch image
      - name: Login to Docker Hub
        if: env.RELEASE == 1
        uses: docker/login-action@v2.0.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Login to GHRC
        if: env.RELEASE == 1
        uses: docker/login-action@v2.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker controller image
        if: env.RELEASE == 1
        id: meta_controller
        uses: docker/metadata-action@v4.0.1
        with:
          images: |
            ${{ env.controller_dockerhub_image_name }}
            ${{ env.controller_ghcr_image_name }}
          tags: |
            type=raw,value=${{ env.VERSION_TAG }}
            type=raw,value=latest
      - name: Copy controller image
        if: env.RELEASE == 1
        run: |
          regctl image copy ${{ env.controller_dockerhub_image_name }}:latest ${{ env.controller_ghcr_image_name }}:latest
          regctl image copy ${{ env.controller_dockerhub_image_name }}:${VERSION_TAG} ${{ env.controller_ghcr_image_name }}:${VERSION_TAG}
      - name: Extract metadata (tags, labels) for Docker kubeseal image
        if: env.RELEASE == 1
        id: meta_kubeseal
        uses: docker/metadata-action@v4.0.1
        with:
          images: |
            ${{ env.kubeseal_dockerhub_image_name }}
            ${{ env.kubeseal_ghcr_image_name }}
          tags: |
            type=raw,value=${{ env.VERSION_TAG }}
            type=raw,value=latest
      - name: Copy kubeseal image
        if: env.RELEASE == 1
        run: |
          regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:latest ${{ env.kubeseal_ghcr_image_name }}:latest
          regctl image copy ${{ env.kubeseal_dockerhub_image_name }}:${VERSION_TAG} ${{ env.kubeseal_ghcr_image_name }}:${VERSION_TAG}
      - name: Sign controller image with a key in GHCR
        if: env.RELEASE == 1
        run: |
          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
          COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs
      - name: Sign kubeseal image with a key in GHCR
        if: env.RELEASE == 1
        run: |
          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }}
          COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs

  chart-pr:
    needs: release
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
        with:
          fetch-depth: 0

      - name: Config Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Fetch Versions
        run: |
          echo NEW_VERSION=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v) >> "$GITHUB_ENV"
          echo PREV_VERSION=$(grep appVersion helm/sealed-secrets/Chart.yaml | grep -o '[0-9.]*') >> "$GITHUB_ENV"

      - name: Update Version
        run: |
          sed -i "s/version: .*/version: ${{ inputs.chart }}/" helm/sealed-secrets/Chart.yaml
          sed -i "s/appVersion: .*/appVersion: $NEW_VERSION/" helm/sealed-secrets/Chart.yaml
          sed -i "s/tag: .*/tag: $NEW_VERSION/" helm/sealed-secrets/values.yaml
          sed -i "s/\`$PREV_VERSION\`/\`$NEW_VERSION\`/" helm/sealed-secrets/README.md
          git checkout -B 'release-chart-${{ inputs.chart }}'
          git add helm/sealed-secrets/Chart.yaml helm/sealed-secrets/values.yaml helm/sealed-secrets/README.md
          git commit -sm 'Release chart ${{ inputs.chart }}'
          git push origin 'release-chart-${{ inputs.chart }}'

      - name: Create PR
        run: gh pr create --fill --base main --repo $GITHUB_REPOSITORY
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}