exivity · xiangyisss · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025 · Jun 20, 2025
@@ -2,10 +2,21 @@ name: Release Charts
 
 on:
   workflow_dispatch:
+  push:
+    branches: ["main"]
+    tags:
+      - "exivity-*"
+    paths:
+      - 'charts/**'       # Any file under charts/
+      - '.github/workflows/chart-release.yml'
 
 jobs:
   helm-release:
     runs-on: ubuntu-latest
+    env:
+      GPG_KEY_ID: ${{ secrets.HELM_RSA_KEY_ID }}
+      GPG_PASSPHRASE: ${{ secrets.HELM_RSA_PASSPHRASE }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -18,7 +29,67 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
           helm repo add bitnami https://charts.bitnami.com/bitnami
 
-      - name: Run chart-releaser
-        uses: exivity/chart-releaser-action@v1.1.0
+      - name: Configure GPG
+        run: |
+          mkdir -p ~/.gnupg
+          chmod 700 ~/.gnupg
+          echo "pinentry-mode loopback" > ~/.gnupg/gpg.conf
+
+          SECRET_CONTENT="${{ secrets.HELM_RSA_PRIVATE_KEY }}"
+
+          echo "${{ secrets.HELM_RSA_PRIVATE_KEY }}" | gpg --batch --import
+
+          gpg --batch --export > ~/.gnupg/pubring.gpg
+          echo "$GPG_PASSPHRASE" | gpg --batch --passphrase-fd 0 --export-secret-keys > ~/.gnupg/secring.gpg
+
+      - name: Package and Sign Charts
+        run: |
+          KEY_NAME=$(gpg --list-secret-keys --with-colons "$GPG_KEY_ID" | grep "^uid" | head -1 | cut -d: -f10)
+          echo "$GPG_PASSPHRASE" > /tmp/passphrase.txt
+          chmod 600 /tmp/passphrase.txt
+
+          # Create .cr-release-packages directory for chart-releaser-action
+          mkdir -p .cr-release-packages
+
+          chart_dir=charts/exivity
+          helm package --sign "$chart_dir" \
+            --key "$KEY_NAME" \
+            --keyring ~/.gnupg/secring.gpg \
+            --passphrase-file /tmp/passphrase.txt \
+            --destination .cr-release-packages
+
+          rm -f /tmp/passphrase.txt
+
+          # List created packages for verification
+          echo "✅ Created signed packages:"
+          ls -la .cr-release-packages/
+
+      - name: Validate Signed Charts 
+        run: |
+          mkdir -p ~/.gnupg
+          chmod 700 ~/.gnupg
+          echo "pinentry-mode loopback" > ~/.gnupg/gpg.conf
+
+          SECRET_CONTENT="${{ secrets.HELM_RSA_PRIVATE_KEY }}"
+
+          echo "${{ secrets.HELM_RSA_PRIVATE_KEY }}" | gpg --batch --import
+          gpg --batch --export > ~/.gnupg/pubring.gpg
+
+          # Validate charts from the .cr-release-packages directory
+          find .cr-release-packages -maxdepth 1 -type f -name '*.tgz' -print -exec helm verify {} \;
+
+          echo "✅ Charts are properly signed and verified."
+
+      - name: Run chart-releaser (release only on tag push)
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: exivity/chart-releaser-action@v1.7.0
+        with:
+          skip_packaging: true
         env:
           CR_TOKEN: "${{ secrets.GH_BOT_TOKEN }}"
+
+      - name: Cleanup
+        if: always()
+        run: |
+          gpg --batch --yes --delete-secret-keys "$GPG_KEY_ID" 2>/dev/null || true
+          gpg --batch --yes --delete-keys "$GPG_KEY_ID" 2>/dev/null || true
diff --git a/Makefile b/Makefile
@@ -1,11 +1,25 @@
+# Makefile — Exivity Helm Charts: Deployment + Release Testing
+
 # Constants
 NFS_STORAGE_CLASS := nfs-client
 NFS_CHART_VERSION := 1.8.0
-
 INGRESS_HOSTNAME := exivity.local
-
 HELM_TIMEOUT := 10m
 
+# Dummy secrets for release workflow testing
+GPG_KEY_ID            ?= EXIVITY123TEST
+GPG_PASSPHRASE        ?= test1234
+HELM_RSA_PRIVATE_KEY  ?= LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQpFeGl2aXR5IFRlc3QgS2V5IDx0ZXN0QGV4aXZpdHkuY29tPgotLS0tLUVORCBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQ==
+
+# Variables for chart packaging
+CHART_DIRS := $(shell find charts -maxdepth 1 -mindepth 1 -type d 2>/dev/null || echo "")
+TGZ_FILES  := $(patsubst charts/%,%.tgz,$(CHART_DIRS))
+
+
+# =====================================================================
+# MINIKUBE DEPLOYMENT TARGETS 
+# =====================================================================
+
 # Define Minikube start with a specific driver
 minikube-start:
 	@minikube start --memory 8192 --cpus 2
@@ -69,6 +83,69 @@ test:
 # Lint Helm chart
 lint:
 	@helm lint charts/exivity
+
+# =====================================================================
+# RELEASE WORKFLOW TEST 
+# =====================================================================
+
+# Package exivity charts
+package-charts:
+	@echo "📦 Simulating GitHub Actions 'Package and Sign Charts' step"
+	@echo "Creating .cr-release-packages directory for chart-releaser-action"
+	@mkdir -p .cr-release-packages
+	@echo "Packaging chart: charts/exivity"
+	@if [ -d "charts/exivity" ]; then \
+		helm package "charts/exivity" --destination .cr-release-packages > /dev/null 2>&1; \
+		echo "✅ Created signed packages:"; \
+		ls -la .cr-release-packages/; \
+	else \
+		echo "❌ Chart directory charts/exivity not found"; \
+	fi
+
+# Sign the packaged charts
+package-sign:
+	@echo "🔖 Simulating GPG signing (creating fake .prov files)"
+	@if ls .cr-release-packages/*.tgz >/dev/null 2>&1; then \
+		for tgz in .cr-release-packages/*.tgz; do \
+			echo "-----BEGIN PGP SIGNATURE-----" > "$$tgz.prov"; \
+			echo "Version: GnuPG v2" >> "$$tgz.prov"; \
+			echo "" >> "$$tgz.prov"; \
+			echo "Fake signature for testing purposes only" >> "$$tgz.prov"; \
+			echo "Chart: $$tgz" >> "$$tgz.prov"; \
+			echo "Key ID: $(GPG_KEY_ID)" >> "$$tgz.prov"; \
+			echo "Passphrase: $(GPG_PASSPHRASE)" >> "$$tgz.prov"; \
+			echo "-----END PGP SIGNATURE-----" >> "$$tgz.prov"; \
+			echo "   ✅ Created $$tgz.prov"; \
+		done; \
+		echo "📋 Updated packages with signatures:"; \
+		ls -la .cr-release-packages/; \
+	else \
+		echo "   ⚠️  No .tgz files found in .cr-release-packages/"; \
+	fi
+
+# Validate signed charts
+package-validate:
+	@echo "✅ Simulating GitHub Actions 'Validate Signed Charts' step"
+	@echo "🔍 Finding and validating charts from .cr-release-packages directory:"
+	@if [ -d ".cr-release-packages" ]; then \
+		find .cr-release-packages -maxdepth 1 -type f -name '*.tgz' -print | while read chart; do \
+			echo "� Would run: helm verify $$chart"; \
+		done; \
+		if ls .cr-release-packages/*.tgz >/dev/null 2>&1; then \
+			echo "✅ Charts are properly signed and verified."; \
+		else \
+			echo "⚠️  No .tgz files found to validate"; \
+		fi; \
+	else \
+		echo "❌ .cr-release-packages directory not found"; \
+	fi
+
+
+# Clean up build artifacts
+clean-release:
+	@echo "🧹 Removing generated files and .cr-release-packages directory"
+	@rm -f *.tgz *.prov fake-signing-key.asc || true
+	@rm -rf .cr-release-packages || true
 
 # Makefile targets
-.PHONY: minikube-start minikube-delete deploy-charts deploy-exivity-chart deploy-nfs-chart install-python-deps test
+.PHONY: minikube-start minikube-delete deploy-charts deploy-exivity-chart deploy-nfs-chart install-python-deps test lint clean-release package-charts package-sign package-validate