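---
# Validates the Helm chart on every PR / main push and, on main, packages it,
# pushes it as an OCI artifact, publishes a GitHub Pages repo index and cuts a
# GitHub release. Chart.yaml is the single source of the chart version.
name: 🚀 Publish Helm Chart (Enhanced)

on:
  push:
    branches:
      - main
    paths:
      - 'Chart.yaml'
      - 'values.yaml'
      - 'templates/**'
      - 'examples/**'
  pull_request:
    branches:
      - main
    paths:
      - 'Chart.yaml'
      - 'values.yaml'
      - 'templates/**'
      - 'examples/**'
  workflow_dispatch:
    inputs:
      version_bump:
        # NOTE: no step consumes this input yet; the published version always comes from Chart.yaml.
        description: 'Version bump type'
        required: true
        default: 'patch'
        type: choice
        options:
          - patch
          - minor
          - major
      force_publish:
        description: 'Force publish even if version unchanged'
        required: false
        default: false
        type: boolean

# Least-privilege default for the token; each job widens only what it needs.
permissions:
  contents: read

env:
  CHART_PATH: .
  REPO_URL: https://sakkiii.github.io/apache-nifi-helm
  REGISTRY: ghcr.io
  CHART_NAME: apache-nifi-helm

jobs:
  # ==========================================
  # VALIDATION & TESTING JOB
  # ==========================================
  # This job runs on both PRs and main branch pushes
  # - On PRs: Only validates and tests (no publishing)
  # - On main: Validates and provides outputs for publishing
  validate:
    name: 🔍 Validate & Test Chart
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      # Needed by github/codeql-action/upload-sarif; without it the upload fails
      # and continue-on-error hides the failure.
      security-events: write
    outputs:
      chart-version: ${{ steps.chart-info.outputs.version }}
      app-version: ${{ steps.chart-info.outputs.app-version }}
      version-changed: ${{ steps.version-check.outputs.changed }}
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history (including tags) for version comparison

      - name: 🛠️ Set up Helm
        uses: azure/setup-helm@v4.2.0
        with:
          version: '3.14.0'  # Pin to specific version for reproducibility

      - name: 📊 Extract Chart Information
        id: chart-info
        run: |
          VERSION=$(yq eval '.version' Chart.yaml)
          APP_VERSION=$(yq eval '.appVersion' Chart.yaml)
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "app-version=$APP_VERSION" >> "$GITHUB_OUTPUT"
          echo "📋 Chart Version: $VERSION"
          echo "📋 App Version: $APP_VERSION"

      - name: 🔄 Check Version Changes
        id: version-check
        env:
          # Passed through env instead of being spliced into the script with ${{ }}:
          # the value comes from Chart.yaml, which a pull request can edit.
          CURRENT_VERSION: ${{ steps.chart-info.outputs.version }}
        run: |
          # A tag vX.Y.Z already existing means this chart version was released before.
          # -F/-x: fixed-string, whole-line match, so '.' in the version is not a regex wildcard.
          if git tag --list | grep -qxF "v$CURRENT_VERSION"; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
            echo "⚠️ Version $CURRENT_VERSION already exists"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "✅ New version $CURRENT_VERSION detected"
          fi

      # Dependencies are resolved before lint/template so missing subcharts do not
      # show up as lint or rendering errors.
      - name: 📦 Update Dependencies
        run: |
          echo "📦 Updating Helm dependencies..."
          helm dependency update "$CHART_PATH"

      - name: 🔍 Lint Helm Chart
        run: |
          echo "🔍 Linting Helm chart..."
          helm lint "$CHART_PATH"

      - name: 🧪 Template Validation
        run: |
          echo "🧪 Validating Helm templates..."

          # Test with different value files if examples directory exists
          if [ -d "examples" ]; then
            for values_file in examples/values-*.yaml; do
              if [ -f "$values_file" ]; then
                echo "Testing with $values_file"
                helm template test-release . -f "$values_file" --debug > /dev/null
              fi
            done
          else
            echo "ℹ️ Examples directory not found, skipping example value file tests"
          fi

          # Test default values
          helm template test-release . --debug > /dev/null
          echo "✅ All template validations passed"

      - name: 🔒 Security Scan with Checkov
        # TODO: pin to a release tag or commit SHA; a mutable branch ref is a supply-chain risk
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: kubernetes
          output_format: sarif
          output_file_path: checkov-results.sarif
        continue-on-error: true

      - name: 📤 Upload Security Results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: checkov-results.sarif
        continue-on-error: true

      - name: 🔍 Kubeconform Validation
        # Explicit bash turns on -o pipefail, so a failing curl or helm template
        # is not masked by the command after the pipe.
        shell: bash
        run: |
          echo "🔍 Installing kubeconform..."
          # TODO: pin a kubeconform version and verify the archive checksum instead of trusting 'latest'
          curl -fsSL https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz | tar xz
          sudo mv kubeconform /usr/local/bin

          echo "🧪 Validating Kubernetes manifests..."
          # Use -skip to skip custom resources that don't have schemas
          # This prevents failures on cert-manager resources like Certificate and Issuer
          # Also use -ignore-missing-schemas to be more permissive
          helm template test-release . | kubeconform -skip Certificate,Issuer -ignore-missing-schemas -summary
          echo "✅ Kubeconform validation completed (custom resources skipped)"

  # ==========================================
  # PUBLISH JOB (Only on main branch)
  # ==========================================
  # This job only runs on main branch pushes when:
  # - Version has changed (new chart version)
  # - Force publish is requested via workflow_dispatch
  # PRs will NOT trigger this job (only validation)
  publish:
    name: 📦 Package & Publish Chart
    runs-on: ubuntu-22.04
    needs: validate
    if: |
      github.ref == 'refs/heads/main' &&
      (needs.validate.outputs.version-changed == 'true' || github.event.inputs.force_publish == 'true')
    permissions:
      contents: write
      pages: write
      packages: write
      id-token: write
    env:
      # Job outputs are exposed to the shell as env vars so no step has to
      # interpolate ${{ }} inside a script.
      CHART_VERSION: ${{ needs.validate.outputs.chart-version }}
      APP_VERSION: ${{ needs.validate.outputs.app-version }}
      # The secrets context is not available in a step's `if`, so the presence
      # check is evaluated here and read via the env context below.
      HAS_SIGNING_KEY: ${{ secrets.GPG_PRIVATE_KEY != '' }}
    steps:
      - name: 📥 Checkout Repository
        uses: actions/checkout@v4
        with:
          # Tags and history are needed for the previous-version lookup in the
          # release notes; a shallow clone made that fall back to 0.0.0 every time.
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: 🛠️ Set up Helm
        uses: azure/setup-helm@v4.2.0
        with:
          version: '3.14.0'

      - name: 📦 Update Dependencies
        run: |
          helm dependency update "$CHART_PATH"

      - name: 📦 Package Helm Chart
        run: |
          mkdir -p packaged-charts
          helm package "$CHART_PATH" -d packaged-charts/

          # List packaged files
          ls -la packaged-charts/

      - name: 🔐 Sign Chart (Optional)
        if: env.HAS_SIGNING_KEY == 'true'
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes
          # helm --sign reads the legacy secring format, which GnuPG 2 no longer writes by itself.
          # The passphrase is fed on stdin so it never appears on a command line.
          echo "$GPG_PASSPHRASE" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --export-secret-keys > ~/.gnupg/secring.gpg
          # helm package takes a chart directory, not a .tgz: re-package the chart with
          # --sign so the signed archive replaces the unsigned one and the .prov file
          # lands next to it in packaged-charts/.
          echo "$GPG_PASSPHRASE" | helm package --sign --key "Helm Chart Signing" --keyring ~/.gnupg/secring.gpg --passphrase-file - "$CHART_PATH" -d packaged-charts/

      - name: 🐳 Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: 📦 Push to GitHub Packages (OCI)
        env:
          OCI_REPO: ${{ env.REGISTRY }}/${{ github.repository_owner }}
        run: |
          CHART_FILE=$(find packaged-charts/ -name "*.tgz" | head -1)
          if [ -z "$CHART_FILE" ]; then
            echo "❌ No packaged chart found in packaged-charts/" >&2
            exit 1
          fi

          echo "📦 Pushing chart to GitHub Packages as OCI artifact..."
          echo "🔗 Registry: $OCI_REPO/$CHART_NAME"
          echo "🏷️ Version: $CHART_VERSION"

          # Push chart as OCI artifact
          helm push "$CHART_FILE" "oci://$OCI_REPO"

          echo "✅ Successfully pushed to GitHub Packages!"
          echo "📋 Install command:"
          echo "helm install my-nifi oci://$OCI_REPO/$CHART_NAME --version $CHART_VERSION"

      - name: 📋 Generate Helm Index
        run: |
          # Merge with the index already served from GitHub Pages so earlier chart
          # versions stay installable. A fresh index is only written on the very
          # first publish (404); any other failure aborts rather than clobbering the index.
          STATUS=$(curl -sSL -o previous-index.yaml -w '%{http_code}' "$REPO_URL/index.yaml")
          if [ "$STATUS" = "200" ]; then
            helm repo index packaged-charts/ --url "$REPO_URL" --merge previous-index.yaml
          elif [ "$STATUS" = "404" ]; then
            echo "ℹ️ No existing index.yaml at $REPO_URL, generating a fresh one"
            helm repo index packaged-charts/ --url "$REPO_URL"
          else
            echo "❌ Unexpected HTTP $STATUS fetching $REPO_URL/index.yaml, refusing to overwrite the index" >&2
            exit 1
          fi

          # Add metadata to index.yaml (YAML comments, ignored by helm)
          cat >> packaged-charts/index.yaml << EOF
          # Generated on: $(date -u +"%Y-%m-%dT%H:%M:%SZ")
          # Chart Version: $CHART_VERSION
          # App Version: $APP_VERSION
          # Commit: $GITHUB_SHA
          # OCI Registry: $REGISTRY/$GITHUB_REPOSITORY_OWNER/$CHART_NAME
          EOF

      - name: 🏷️ Create Git Tag
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # On a force publish the tag usually exists already; git tag -a would fail on it.
          if git rev-parse -q --verify "refs/tags/v$CHART_VERSION" > /dev/null; then
            echo "ℹ️ Tag v$CHART_VERSION already exists, skipping tag creation"
          else
            git tag -a "v$CHART_VERSION" -m "Release version $CHART_VERSION"
            git push origin "v$CHART_VERSION"
          fi

      - name: 📝 Generate Release Notes
        id: release-notes
        run: |
          VERSION="$CHART_VERSION"
          # Previous tag for the changelog link; 0.0.0 only when no earlier tag exists
          PREVIOUS_VERSION=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "0.0.0")

          cat > release-notes.md << EOF
          # Apache NiFi Helm Chart v$VERSION

          ## 📋 Chart Information
          - **Chart Version**: $VERSION
          - **App Version**: $APP_VERSION (Apache NiFi)
          - **Release Date**: $(date -u +"%Y-%m-%d")

          ## 🚀 Installation Options

          ### Option 1: GitHub Pages (Traditional Helm Repository)
          \`\`\`bash
          helm repo add apache-nifi-helm https://sakkiii.github.io/apache-nifi-helm
          helm repo update
          helm install my-nifi apache-nifi-helm/nifi --version $VERSION
          \`\`\`

          ### Option 2: GitHub Packages (OCI Registry)
          \`\`\`bash
          helm install my-nifi oci://ghcr.io/sakkiii/apache-nifi-helm --version $VERSION
          \`\`\`

          ## 🔐 Authentication Methods Supported
          - ✅ **Basic Authentication** (Single User) - Default
          - ✅ **OIDC Authentication** - Enterprise SSO
          - ✅ **LDAP Authentication** - Directory Integration

          ## 📦 What's Included
          - Multi-node clustering support
          - Automatic TLS certificate management
          - Persistent storage configuration
          - Monitoring and metrics integration
          - Production-ready security defaults

          ## 📚 Documentation
          - [Chart README](https://github.com/sakkiii/apache-nifi-helm/blob/main/README.md)
          - [Authentication Guide](https://github.com/sakkiii/apache-nifi-helm/blob/main/examples/)
          - [Configuration Examples](https://github.com/sakkiii/apache-nifi-helm/tree/main/examples)

          ## 🔄 Upgrade Instructions

          ### From GitHub Pages Repository:
          \`\`\`bash
          helm upgrade my-nifi apache-nifi-helm/nifi --version $VERSION
          \`\`\`

          ### From GitHub Packages (OCI):
          \`\`\`bash
          helm upgrade my-nifi oci://ghcr.io/sakkiii/apache-nifi-helm --version $VERSION
          \`\`\`

          ---
          **Full Changelog**: https://github.com/sakkiii/apache-nifi-helm/compare/v$PREVIOUS_VERSION...v$VERSION
          EOF

      - name: 🚀 Deploy to GitHub Pages
        uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: packaged-charts
          publish_branch: gh-pages
          # Keep the .tgz files of earlier versions on gh-pages; the merged
          # index.yaml still references them.
          keep_files: true
          user_name: "github-actions[bot]"
          user_email: "github-actions[bot]@users.noreply.github.com"
          commit_message: "📦 Publish chart version ${{ needs.validate.outputs.chart-version }}"

      - name: 🎉 Create GitHub Release
        uses: softprops/action-gh-release@v1
        with:
          tag_name: "v${{ needs.validate.outputs.chart-version }}"
          name: "Apache NiFi Helm Chart v${{ needs.validate.outputs.chart-version }}"
          body_path: release-notes.md
          files: |
            packaged-charts/*.tgz
            packaged-charts/*.tgz.prov
          draft: false
          prerelease: false

  # ==========================================
  # NOTIFICATION JOB
  # ==========================================
  notify:
    name: 📢 Notify Success
    runs-on: ubuntu-22.04
    needs: [validate, publish]
    if: always() && needs.publish.result == 'success'
    env:
      CHART_VERSION: ${{ needs.validate.outputs.chart-version }}
      OCI_REPO: ${{ env.REGISTRY }}/${{ github.repository_owner }}
    steps:
      - name: 🎉 Success Notification
        run: |
          echo "🎉 Successfully published Apache NiFi Helm Chart!"
          echo "📦 Version: $CHART_VERSION"
          echo ""
          echo "📍 Available from multiple sources:"
          echo "🔗 GitHub Pages: https://sakkiii.github.io/apache-nifi-helm"
          echo "📦 GitHub Packages: $OCI_REPO/$CHART_NAME"
          echo "📋 Release: https://github.com/sakkiii/apache-nifi-helm/releases/tag/v$CHART_VERSION"
          echo ""
          echo "📋 Installation commands:"
          echo "helm repo add apache-nifi-helm https://sakkiii.github.io/apache-nifi-helm && helm install my-nifi apache-nifi-helm/nifi"
          echo "helm install my-nifi oci://$OCI_REPO/$CHART_NAME"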