gitea-ci-library/.gitea/workflows/helm-build-push.yml

name: Helm Build & Push
on:
  workflow_call:
    inputs:
      env_json:
        required: true
        type: string
      version:
        required: true
        type: string
      chart_path:
        required: true
        type: string
      extra_dependency_paths:
        required: false
        type: string
    secrets:
      GITEA_TOKEN:
        required: true
      HELM_USER:
        required: false
      HELM_PASSWORD:
        required: true

env:
  GITEA_API_URL: ${{ fromJson(inputs.env_json).GITEA_API_URL }}
  GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
  HELM_REGISTRY: ${{ fromJson(inputs.env_json).HELM_REGISTRY || '' }}
  HELM_UI_URL: ${{ fromJson(inputs.env_json).HELM_UI_URL || '' }}
  GIT_TAG_PREFIX: ${{ fromJson(inputs.env_json).GIT_TAG_PREFIX || '' }}
  CHART_FILE: ${{ fromJson(inputs.env_json).VERSION_FILE || 'Chart.yaml' }}
  VERSION: ${{ inputs.version }}

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-push:
    runs-on: ubuntu-latest
    container:
      image: alpine/helm:3.19.0
    steps:
      - name: Install Node.js for actions/checkout
        # COMPROMISE: Requires internet access.
        # Does NOT work in air-gapped environments.
        # Replace with a custom image (e.g., extending alpine/helm + nodejs) if needed.
        run: apk add --no-cache nodejs

      - uses: actions/checkout@v4
      - uses: actions/checkout@v4
        with:
          repository: niko/gitea-ci-library
          path: .ci

      - name: Resolve extra subchart dependencies
        if: inputs.extra_dependency_paths != ''
        run: |
          for path in $(echo "${{ inputs.extra_dependency_paths }}" | tr ',' '\n'); do
            helm dependency update "${path}"
          done

      - name: Package Helm chart
        run: |
          CHART_DIR=$(dirname "${CHART_FILE}")
          helm dependency update "${CHART_DIR}"
          helm package "${CHART_DIR}" \
            --version "${VERSION}" \
            --app-version "${VERSION}" \
            --destination /tmp/helm-packages

      - name: Push to OCI registry
        env:
          HELM_USER: ${{ secrets.HELM_USER || github.actor }}
          HELM_PASSWORD: ${{ secrets.HELM_PASSWORD }}
        run: |
          REGISTRY="${HELM_REGISTRY:?HELM_REGISTRY not set in env.conf}"
          echo "$HELM_PASSWORD" | helm registry login "${REGISTRY}" \
            -u "$HELM_USER" \
            --password-stdin
          helm push /tmp/helm-packages/*.tgz "oci://${REGISTRY}"
          helm registry logout "${REGISTRY}"

      - name: Report status with UI link
        if: success() && env.HELM_UI_URL != ''
        run: |
          CHART_NAME=$(grep '^name:' "${CHART_FILE}" | awk '{print $2}')
          UI_URL="${HELM_UI_URL}/${CHART_NAME}/${VERSION}"
          if [ "${CHART_PATH}" != "." ] && [ -n "${CHART_PATH}" ]; then
            bash .ci/scripts/report-status.sh success "${CHART_PATH}: Helm push ${VERSION}" "${CHART_PATH}-ci-helm-build-push" "" "$UI_URL"
          else
            bash .ci/scripts/report-status.sh success "Helm push ${VERSION}" ci-helm-build-push "" "$UI_URL"
          fi

  tag-commit:
    runs-on: ubuntu-latest
    needs: [build-push]
    steps:
      - uses: actions/checkout@v4

      - name: Create git tag
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          SERVER_URL: ${{ gitea.server_url }}
          RUN_NUMBER: ${{ github.run_number }}
          SHA: ${{ github.sha }}
        run: |
          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST \
            "$SERVER_URL/api/v1/repos/${{ github.repository }}/tags" \
            -H "Authorization: token $GITEA_TOKEN" \
            -H "Content-Type: application/json" \
            -d "{\"tag_name\": \"${GIT_TAG_PREFIX}${VERSION}\", \"message\": \"Build #$RUN_NUMBER\", \"target\": \"$SHA\"}")

          if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "409" ]; then
            exit 0
          else
            exit 1
          fi