mirror of
https://github.com/kubernetes-sigs/external-dns.git
synced 2026-04-22 08:21:18 +02:00
a6266dd5ff
Apply principle of least privilege across all workflows:
- end-to-end-tests.yml: add missing permissions (contents: read)
- dependency-update.yaml: add missing permissions (contents: read)
- lint-test-chart.yaml: replace top-level read-all with permissions: {}
- release-chart.yaml: replace top-level read-all with permissions: {}
- codeql-analysis.yaml: remove unused actions: read
- lint.yaml: remove unused pull-requests: read
- staging-image-tester.yaml: remove unused checks: write (no goveralls step)
159 lines
5.3 KiB
YAML
159 lines
5.3 KiB
YAML
name: Release Chart
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
paths:
|
|
- "charts/external-dns/Chart.yaml"
|
|
|
|
concurrency:
|
|
group: chart-release
|
|
cancel-in-progress: false
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
release:
|
|
name: Release
|
|
if: github.repository == 'kubernetes-sigs/external-dns'
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: write
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Install YQ
|
|
uses: action-stars/install-tool-from-github-release@1fa61c3bea52eca3bcdb1f5c961a3b113fe7fa54 # v0.2.6
|
|
with:
|
|
github_token: ${{ github.token }}
|
|
owner: mikefarah
|
|
repository: yq
|
|
extract: false
|
|
filename_format: "{name}_{os}_{arch}"
|
|
check_command: yq --version
|
|
version: latest
|
|
|
|
- name: Install MDQ
|
|
uses: action-stars/install-tool-from-github-release@1fa61c3bea52eca3bcdb1f5c961a3b113fe7fa54 # v0.2.6
|
|
with:
|
|
github_token: ${{ github.token }}
|
|
owner: yshavit
|
|
repository: mdq
|
|
arch_amd64: x64
|
|
filename_format: "{name}-{os}-{arch}.{ext}"
|
|
check_command: mdq --version
|
|
version: latest
|
|
|
|
- name: Get chart version
|
|
id: chart_version
|
|
run: |
|
|
set -euo pipefail
|
|
chart_version="$(grep -Po "(?<=^version: ).+" charts/external-dns/Chart.yaml)"
|
|
echo "version=${chart_version}" >> $GITHUB_OUTPUT
|
|
|
|
- name: Get changelog entry
|
|
id: changelog_reader
|
|
uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3
|
|
with:
|
|
path: charts/external-dns/CHANGELOG.md
|
|
version: "v${{ steps.chart_version.outputs.version }}"
|
|
|
|
- name: Process changelog
|
|
id: changelog
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
package_dir="./.cr-release-packages"
|
|
mkdir -p "${package_dir}"
|
|
|
|
release_notes_file="RELEASE.md"
|
|
release_notes_path="./charts/external-dns/${release_notes_file}"
|
|
|
|
cat <<"EOF" > "${release_notes_path}"
|
|
${{ steps.changelog_reader.outputs.changes }}
|
|
EOF
|
|
|
|
added="$(mdq --output plain '# Added | -' <"${release_notes_path}" || true)"
|
|
changed="$(mdq --output plain '# Changed | -' <"${release_notes_path}" || true)"
|
|
deprecated="$(mdq --output plain '# Deprecated | -' <"${release_notes_path}" || true)"
|
|
removed="$(mdq --output plain '# Removed | -' <"${release_notes_path}" || true)"
|
|
fixed="$(mdq --output plain '# Fixed | -' <"${release_notes_path}" || true)"
|
|
security="$(mdq --output plain '# Security | -' <"${release_notes_path}" || true)"
|
|
|
|
changes_path="./charts/external-dns/changes.txt"
|
|
rm -f "${changes_path}"
|
|
|
|
old_ifs="${IFS}"
|
|
IFS=$'\n'
|
|
|
|
for item in ${added}; do
|
|
printf -- '- kind: added\n description: "%s"\n' "${item%.*}." >> "${changes_path}"
|
|
done
|
|
|
|
for item in ${changed}; do
|
|
printf -- '- kind: changed\n description: "%s"\n' "${item%.*}." >> "${changes_path}"
|
|
done
|
|
|
|
for item in ${deprecated}; do
|
|
printf -- '- kind: deprecated\n description: "%s"\n' "${item%.*}." >> "${changes_path}"
|
|
done
|
|
|
|
for item in ${removed}; do
|
|
printf -- '- kind: removed\n description: "%s"\n' "${item%.*}." >> "${changes_path}"
|
|
done
|
|
|
|
for item in ${fixed}; do
|
|
printf -- '- kind: fixed\n description: "%s"\n' "${item%.*}." >> "${changes_path}"
|
|
done
|
|
|
|
for item in ${security}; do
|
|
printf -- '- kind: security\n description: "%s"\n' "${item%.*}." >> "${changes_path}"
|
|
done
|
|
|
|
IFS="${old_ifs}"
|
|
|
|
if [[ -f "${changes_path}" ]]; then
|
|
changes="$(cat "${changes_path}")" yq eval --inplace '.annotations["artifacthub.io/changes"] |= strenv(changes)' ./charts/external-dns/Chart.yaml
|
|
rm -f "${changes_path}"
|
|
fi
|
|
|
|
echo "release_notes_file=${release_notes_file}" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Install Artifact Hub CLI
|
|
uses: action-stars/install-tool-from-github-release@1fa61c3bea52eca3bcdb1f5c961a3b113fe7fa54 # v0.2.6
|
|
with:
|
|
github_token: ${{ github.token }}
|
|
owner: artifacthub
|
|
repository: hub
|
|
name: ah
|
|
check_command: ah version
|
|
version: latest
|
|
|
|
- name: Run Artifact Hub lint
|
|
run: ah lint --kind helm --path ./charts/external-dns || exit 1
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config user.name "$GITHUB_ACTOR"
|
|
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
|
|
|
|
- name: Install Helm
|
|
uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
|
|
with:
|
|
version: latest
|
|
|
|
- name: Run chart-releaser
|
|
uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
|
|
env:
|
|
CR_TOKEN: "${{ github.token }}"
|
|
CR_RELEASE_NAME_TEMPLATE: "external-dns-helm-chart-{{ .Version }}"
|
|
CR_RELEASE_NOTES_FILE: "${{ steps.changelog.outputs.release_notes_file }}"
|
|
CR_MAKE_RELEASE_LATEST: "false"
|