| author | chrislusf <chris.lu@gmail.com> | 2025-12-07 12:10:09 -0800 |
|---|---|---|
| committer | Chris Lu <chrislusf@users.noreply.github.com> | 2025-12-07 13:10:38 -0800 |
| commit | f1388aceb83522e7b516854d7592b1f055affab4 (patch) | |
| tree | 6fe4fe49c8ac08d052741b845641a25fbbd6ac59 | |
| parent | 66e25751feeb9883ac649a08c2b04bb14145c447 (diff) | |
| download | seaweedfs-csi-driver-f1388aceb83522e7b516854d7592b1f055affab4.tar.xz seaweedfs-csi-driver-f1388aceb83522e7b516854d7592b1f055affab4.zip | |
Add approval gates and version checks to prevent accidental Helm releases
Fixes #214
Changes:
- Modified helm_release workflow to require GitHub releases instead of tag pushes
- Added environment protection requiring manual approval before publishing
- Added version duplication check to prevent overriding existing versions
- Enhanced CI to warn when Helm files change without version update
Setup required:
1. Create 'helm-release' environment in repository settings
2. Add required reviewers (maintainers with release privileges)
3. Releases now require creating GitHub Releases and manual approval
| -rw-r--r-- | .github/workflows/helm_ci.yaml | 26 | ||||
| -rw-r--r-- | .github/workflows/helm_release.yaml | 64 |
2 files changed, 87 insertions, 3 deletions
diff --git a/.github/workflows/helm_ci.yaml b/.github/workflows/helm_ci.yaml
index 523f42a..aa4cdbf 100644
--- a/.github/workflows/helm_ci.yaml
+++ b/.github/workflows/helm_ci.yaml
@@ -41,6 +41,32 @@ jobs:
 echo "::set-output name=changed::true"
 fi
+ - name: Check if Chart version was updated
+ if: github.event_name == 'pull_request'
+ run: |
+ # Get the base branch chart version
+ git fetch origin ${{ github.base_ref }}
+ BASE_VERSION=$(git show origin/${{ github.base_ref }}:deploy/helm/seaweedfs-csi-driver/Chart.yaml | grep '^version:' | awk '{print $2}')
+
+ # Get the current chart version
+ CURRENT_VERSION=$(grep '^version:' deploy/helm/seaweedfs-csi-driver/Chart.yaml | awk '{print $2}')
+
+ echo "Base version: $BASE_VERSION"
+ echo "Current version: $CURRENT_VERSION"
+
+ # Check if Helm files were changed
+ HELM_FILES_CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^deploy/helm/" || echo "0")
+
+ if [ "$HELM_FILES_CHANGED" -gt 0 ]; then
+ if [ "$BASE_VERSION" = "$CURRENT_VERSION" ]; then
+ echo "::warning::Helm chart files were modified but Chart version was not updated!"
+ echo "::warning::Please update the version in deploy/helm/seaweedfs-csi-driver/Chart.yaml"
+ echo "::warning::Current version: $CURRENT_VERSION"
+ else
+ echo "✓ Chart version was updated from $BASE_VERSION to $CURRENT_VERSION"
+ fi
+ fi
+
 - name: Run chart-testing (lint)
 run: ct lint --all --validate-maintainers=false --chart-dirs deploy/helm/seaweedfs-csi-driver/
diff --git a/.github/workflows/helm_release.yaml b/.github/workflows/helm_release.yaml
index 67dbe66..a3d4946 100644
--- a/.github/workflows/helm_release.yaml
+++ b/.github/workflows/helm_release.yaml
@@ -1,8 +1,10 @@
 name: "helm: publish charts"
 on:
- push:
- tags:
- - '*'
+ # Only run on GitHub releases, not raw tag pushes
+ release:
+ types: [published]
+ # Allow manual trigger with approval
+ workflow_dispatch:
 permissions:
 contents: write
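Review bot: `HELM_FILES_CHANGED=$(... | grep -c "^deploy/helm/" || echo "0")` produces the two-line value `0<newline>0` whenever no Helm file changed, because `grep -c` already prints `0` before exiting 1 and the fallback then appends a second `0`; the following `[ "$HELM_FILES_CHANGED" -gt 0 ]` fails with an integer-expression error instead of evaluating to false, which goes unnoticed only because a failing test inside `if` does not trip `-e`. Change it to `HELM_FILES_CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^deploy/helm/" || true)`. Inferred, since the checkout step is outside this hunk: unless that step uses `fetch-depth: 0`, the three-dot range `origin/<base>...HEAD` has no merge base in a shallow clone, `git diff` fails, and the warning can never fire, so the new check should be verified against a real PR. `${{ github.base_ref }}` is interpolated directly into the shell script twice; the usual hardening is to pass it through an `env:` variable and quote it as `"$BASE_REF"`.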
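Review bot: `release: types: [published]` also fires when a release is published with the pre-release flag set, so a pre-release goes through the same approval gate and, if approved, lands in the chart repository as a regular chart version; if that is not intended, gate the job with `if: ${{ !github.event.release.prerelease }}` (the job definition is in the next hunk). `workflow_dispatch:` declares no inputs, so a manual run publishes whatever ref the dispatcher selects rather than a released tag; a short comment stating that this is the intended escape hatch, or an input that names the tag to check out, would make the manual path explicit.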
@@ -11,8 +13,52 @@ permissions:
 jobs:
 release:
 runs-on: ubuntu-latest
+ # Require manual approval via environment protection
+ environment:
+ name: helm-release
+ url: https://github.com/${{ github.repository }}/releases
 steps:
 - uses: actions/checkout@v3
+
+ - name: Setup Helm
+ uses: azure/setup-helm@v3
+ with:
+ version: v3.12.0
+
+ - name: Get chart version
+ id: chart_version
+ run: |
+ CHART_VERSION=$(grep '^version:' deploy/helm/seaweedfs-csi-driver/Chart.yaml | awk '{print $2}')
+ echo "version=$CHART_VERSION" >> $GITHUB_OUTPUT
+ echo "Chart version: $CHART_VERSION"
+
+ - name: Check if version already exists
+ id: check_version
+ run: |
+ # Fetch gh-pages branch
+ git fetch origin gh-pages || echo "gh-pages branch not found"
+
+ # Check if gh-pages branch exists
+ if git rev-parse --verify origin/gh-pages >/dev/null 2>&1; then
+ # Check if the version already exists in the index
+ git checkout origin/gh-pages -- helm/index.yaml 2>/dev/null || echo "index.yaml not found"
+
+ if [ -f helm/index.yaml ]; then
+ CHART_VERSION="${{ steps.chart_version.outputs.version }}"
+ if grep -q "version: $CHART_VERSION" helm/index.yaml; then
+ echo "ERROR: Chart version $CHART_VERSION already exists in the Helm repository!"
+ echo "Please update the version in deploy/helm/seaweedfs-csi-driver/Chart.yaml"
+ exit 1
+ else
+ echo "Version check passed: $CHART_VERSION is new"
+ fi
+ else
+ echo "No existing index.yaml found, first release"
+ fi
+ else
+ echo "No gh-pages branch found, first release"
+ fi
+
 - name: Publish Helm charts
 uses: stefanprodan/helm-gh-pages@master
 with:
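Review bot: `if grep -q "version: $CHART_VERSION" helm/index.yaml; then` is an unanchored regex match, so a new chart version `1.2.3` is rejected as already existing when the index holds `1.2.30` or `1.2.3-rc1`, or when any entry's `appVersion: 1.2.3` line matches, and `.` in the version is a wildcard; anchor the match to a whole `version:` line, e.g. `if grep -qxE "[[:space:]]*version:[[:space:]]*${CHART_VERSION}[[:space:]]*" helm/index.yaml; then`. The gate compares the chart only against index.yaml, not against the release that triggered the run, so a release tagged with one version can still publish a chart carrying another; comparing `CHART_VERSION` with `${{ github.event.release.tag_name }}` (when the event is a release) would close that gap. `azure/setup-helm@v3` is a mutable tag newly referenced from a workflow that holds `contents: write` and publishes artifacts; pinning it to a commit SHA keeps the publish path from picking up an unreviewed action update. None of the new steps invoke `helm`, so the Setup Helm step looks unused here; presumably the publish action relies on it, but that is worth confirming or the step dropped.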
@@ -20,3 +66,15 @@ jobs:
 charts_dir: deploy/helm/
 target_dir: helm
 branch: gh-pages
+
+ - name: Comment on release
+ if: github.event_name == 'release'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ github.rest.issues.createComment({
+ issue_number: context.payload.release.id,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: '✅ Helm chart version ${{ steps.chart_version.outputs.version }} has been published successfully!'
+ })
|
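Review bot: `issue_number: context.payload.release.id` passes the release's database id to `issues.createComment`, which expects an issue or pull request number; releases are not issues, so the call most likely returns 404, and in the unlucky case where a PR with that number exists the comment lands on an unrelated thread. Because this step runs after the publish, a failed API call also turns a successful publish into a failed job. The workflow's top-level `permissions:` grants only `contents: write` (see the first hunk of this file), so `issues: write` is not available and the call would be rejected regardless of the number. Either drop the step or write the message to the run summary instead, e.g. `run: echo "✅ Helm chart version ${{ steps.chart_version.outputs.version }} has been published successfully!" >> "$GITHUB_STEP_SUMMARY"`, which needs no extra token permission.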
