openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
c5bfa34b27
openova/.github/workflows/blueprint-release.yaml
e3mrah 746901b671
feat(cnpg-pair): C-DB-1 — bp-cnpg-pair Blueprint (active-hotstandby CNPG cluster-pair across regions) (#1101) (#1153) 
EPIC-6 Slice C-DB-1+C-DB-2. Active-hotstandby CNPG cluster-pair as a
companion to bp-cnpg: primary CNPG Cluster CR in region A, replica
Cluster CR in region B configured as a CNPG replica cluster
(replica.enabled=true + externalCluster), WAL streaming over a
Cilium ClusterMesh-shared Service. Per ADR-0001 §9 ClusterMesh is the
only canonical inter-region transport — never public TLS.

What ships:
  platform/cnpg-pair/
  ├── chart/
  │   ├── Chart.yaml             # bp-cnpg-pair 0.1.0; no-upstream + smoke-render-mode=default-off
  │   ├── values.yaml            # default-OFF gate; placement schema constrains active-hotstandby ONLY
  │   ├── templates/
  │   │   ├── _helpers.tpl              # fail-fast on empty image.tag; region pair validation
  │   │   ├── primary-cluster.yaml      # CNPG Cluster CR (region-pinned via openova.io/region affinity)
  │   │   ├── replica-cluster.yaml      # CNPG Cluster CR (replica.enabled=true; externalClusters[])
  │   │   ├── service-replication.yaml  # Cilium ClusterMesh global Service
  │   │   ├── failover-readiness.yaml   # probe Pod flips Ready when WAL lag < threshold
  │   │   ├── networkpolicy.yaml        # default-deny carve-outs for replication + probe
  │   │   └── audit-config.yaml         # NATS audit subjects + types this Blueprint emits
  │   ├── blueprint.yaml          # configSchema + placementSchema (active-hotstandby ONLY)
  │   ├── README.md               # 80-line deployment + failover semantics
  │   └── tests/cnpg-pair-render.sh  # 5-case render gate
  └── DESIGN.md                   # topology, lag-threshold rationale, deferred C-DB-3 plan

Default-OFF gate per the brief: helm template with default values
renders ZERO resources; helm template with cnpgPair.enabled=true +
both regions + image.tag renders 8 resources (2 Cluster CRs, 1
Service, 1 Deployment, 3 NetworkPolicies, 1 audit-config ConfigMap).
Empty image.tag fails fast at template-render per Inviolable
Principle #4a; same primary/replica region fails fast (degenerate
pair). All 5 render gates pass locally; helm lint + YAML parse clean.

CI smoke-render gate fix (single-line behavior change in
blueprint-release.yaml): adds a `catalyst.openova.io/smoke-render-
mode: default-off` annotation opt-in so charts that legitimately
render zero at default values (this chart + future bp-*-pair
Blueprints) skip the `<5 lines` empty-render check. The chart's own
tests/cnpg-pair-render.sh covers the enabled-render path; without
the annotation the empty-render check still fires unchanged.

Seam-map additions (return diff for 01-canonical-seams.md Platform
table):
  - service.cilium.io/global=true ClusterMesh global Service annotation
    (first chart in the repo to use it; pattern reused by Continuum
    K-Cont-2 for HTTPRoute weight=0 cross-region drains)
  - bp-*-pair active-hotstandby cluster-pair pattern (primary+replica
    Cluster CRs colocated in one Blueprint, region-pinned via
    openova.io/region node-affinity)
  - audit-config ConfigMap co-located with the emitting Blueprint
    (label-selector discovery for K-Cont-2 + U-DR-1; future
    bp-*-pair Blueprints follow this convention)
  - smoke-render-mode=default-off Chart.yaml annotation opt-in for
    the blueprint-release smoke gate

C-DB-2 (publish): existing blueprint-release.yaml workflow auto-
detects `platform/*/chart/**` paths — no allowlist edit required.
First push triggers `ghcr.io/openova-io/bp-cnpg-pair:0.1.0` build.

C-DB-3 (1M-row acceptance test) DEFERRED — full plan documented in
DESIGN.md "Deferred — C-DB-3 acceptance test plan" section so the
future implementer's brief is self-contained.

Tests:
  - bash platform/cnpg-pair/chart/tests/cnpg-pair-render.sh ✓ 5/5 PASS
  - helm lint platform/cnpg-pair/chart ✓ clean
  - helm template ... | python3 yaml.safe_load_all ✓ 8 docs parse clean
  - smoke-gate logic simulated locally ✓ default-off annotation honored

Pre-existing CI failures untouched:
  - TestPinIssue rate-limit flake — not affected by chart-only slice
  - TestBootstrapKit/gitea version drift — only iterates over a fixed
    10-chart bootstrap list (no cnpg-pair entry)

Out of scope per brief (all deferred to dedicated slices):
  - K-Cont-2 reconciler logic
  - K-Cont-3 lease witness
  - K-Cont-4 Cloudflare Worker
  - C-DB-3 1M-row acceptance test
  - Application controller changes
  - U-DR-1 UI

Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 05:16:55 +04:00

512 lines
26 KiB
YAML
Raw Blame History

# Blueprint release — path-matrix CI fan-out per BLUEPRINT-AUTHORING.md §11.
#
# Pushes to `main` that touch any platform/<name>/chart/** or
# products/<name>/chart/** directory trigger a build of that single Blueprint
# folder; output is a signed OCI artifact at
# ghcr.io/openova-io/bp-<name>:<semver> where <semver> comes from the
# Chart.yaml `version` field.
#
# Tag-based releases (refs/tags/<name>/v<X.Y.Z>) trigger the same build with
# version pinned to the tag, plus cosign signing + Syft SBOM generation.
#
# This workflow is the canonical CI for all 12 bootstrap-kit charts (the
# original 11 plus bp-powerdns added at #167) plus every other Catalyst-
# curated wrapper chart. Application-Blueprint charts (cnpg, valkey, etc.)
# follow the same shape once authored.
#
# ─────────────────────────────────────────────────────────────────────
# Hollow-chart guard (issue #181)
# ─────────────────────────────────────────────────────────────────────
# Every umbrella Blueprint chart MUST declare its upstream chart(s) under
# `dependencies:` in Chart.yaml so `helm dependency build` pulls the
# upstream payload into the OCI artifact at publish time. Earlier in this
# cycle, bp-cert-manager:1.0.0 shipped as a "hollow chart" — only an
# overlay (ClusterIssuer template) with no upstream cert-manager subchart
# bytes — and Phase 1 broke on every Sovereign because cert-manager
# itself was never installed. See docs/BLUEPRINT-AUTHORING.md
# §"Umbrella shape".
#
# This workflow now structurally verifies the upstream payload is present
# at every stage of the publish pipeline:
#
# 1. After `helm dependency build` — assert the working-tree
# chart/charts/<dep>-<ver>.tgz (or unpacked chart/charts/<dep>/) exists
# for every entry in Chart.yaml `dependencies:`.
# 2. After `helm package` — `tar -tzf` the produced .tgz and assert
# every declared dep is inside the package's charts/ directory.
# 3. After `helm push` — `helm pull` the artifact back from GHCR and
# re-verify the deps survived the round-trip.
# 4. `helm template` smoke render — chart MUST render with default
# values; rendered manifests are uploaded as a workflow artifact for
# forensics.
#
# Any one of those steps failing fails the whole build — hollow charts
# can never reach a Sovereign.
name: Blueprint Release
on:
push:
paths:
- 'platform/*/chart/**'
- 'products/*/chart/**'
- 'platform/*/blueprint.yaml'
- 'products/*/blueprint.yaml'
branches: [main]
workflow_dispatch:
inputs:
blueprint:
description: 'Blueprint name (e.g. cilium, openbao, catalyst). Empty = build all changed.'
required: false
type: string
tree:
description: 'Source tree: platform (leaf) or products (umbrella).'
required: false
type: choice
default: platform
options:
- platform
- products
permissions:
contents: read
packages: write
id-token: write # for cosign keyless signing
jobs:
detect:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.changed.outputs.matrix }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Detect changed Blueprints
id: changed
run: |
set -e
if [ -n "${{ inputs.blueprint }}" ]; then
tree="${{ inputs.tree }}"
tree="${tree:-platform}"
echo "matrix={\"include\":[{\"path\":\"${tree}/${{ inputs.blueprint }}\"}]}" >> "$GITHUB_OUTPUT"
exit 0
fi
# Compare against previous commit; emit a matrix of changed paths.
changed=$(git diff --name-only HEAD~1 HEAD | grep -E '^(platform|products)/[^/]+/(chart/|blueprint\.yaml)' | awk -F/ '{print $1"/"$2}' | sort -u)
echo "Changed blueprints:"
echo "$changed"
if [ -z "$changed" ]; then
echo "matrix={\"include\":[]}" >> "$GITHUB_OUTPUT"
else
include=$(echo "$changed" | jq -R -s -c 'split("\n") | map(select(length > 0)) | map({path: .})')
echo "matrix={\"include\":$include}" >> "$GITHUB_OUTPUT"
fi
build:
needs: detect
if: ${{ needs.detect.outputs.matrix != '{"include":[]}' }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.detect.outputs.matrix) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: v3.18.4
- name: Install Cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: v2.4.1
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0
- name: Install yq (declared-deps parser)
run: |
# We need a streaming YAML parser to read Chart.yaml's dependencies:
# block reliably; awk/grep on YAML is fragile and would let a
# subtly malformed Chart.yaml slip past the hollow-chart guard.
sudo wget -qO /usr/local/bin/yq \
https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64
sudo chmod +x /usr/local/bin/yq
yq --version
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Read chart metadata
id: chart
run: |
set -e
path="${{ matrix.path }}"
chart_yaml="$path/chart/Chart.yaml"
if [ ! -f "$chart_yaml" ]; then
echo "No chart at $path/chart/ — skipping"
echo "skip=true" >> "$GITHUB_OUTPUT"
exit 0
fi
# Authoritative chart name comes from Chart.yaml `name:` field
# (e.g. `bp-cilium`, `bp-catalyst-platform`). Folder basename and
# chart name are not always identical — the umbrella at
# products/catalyst/chart packages as bp-catalyst-platform.
chart_name=$(awk '/^name:/{print $2; exit}' "$chart_yaml" | tr -d '"')
version=$(awk '/^version:/{print $2; exit}' "$chart_yaml" | tr -d '"')
echo "name=$chart_name" >> "$GITHUB_OUTPUT"
echo "version=$version" >> "$GITHUB_OUTPUT"
echo "skip=false" >> "$GITHUB_OUTPUT"
- name: Helm registry login (for OCI dependencies)
if: steps.chart.outputs.skip != 'true'
run: |
# `helm dependency build` resolves `oci://ghcr.io/openova-io/bp-*`
# dependencies — needs an authenticated helm registry login,
# not just a docker login.
echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io \
--username "${{ github.actor }}" --password-stdin
- name: Helm dependency build
if: steps.chart.outputs.skip != 'true'
run: helm dependency build "${{ matrix.path }}/chart"
# ──────────────────────────────────────────────────────────────
# GUARD 1 — hollow-chart check on the working tree
# ──────────────────────────────────────────────────────────────
# After `helm dependency build`, every entry in Chart.yaml's
# `dependencies:` block MUST have a corresponding artifact under
# chart/charts/. Helm accepts either form:
# chart/charts/<dep-name>-<dep-version>.tgz (packed)
# chart/charts/<dep-name>/Chart.yaml (unpacked vendored)
# Either is fine; ZERO of them is a hollow chart and we fail loudly.
- name: "Verify upstream subcharts present in working tree (post-dependency-build)"
if: steps.chart.outputs.skip != 'true'
id: verify_workdir
run: |
set -euo pipefail
chart_dir="${{ matrix.path }}/chart"
chart_yaml="$chart_dir/Chart.yaml"
# Some Blueprints legitimately ship NO upstream subchart — their
# entire payload is Catalyst-authored CRs (e.g.
# bp-crossplane-claims, which carries only XRDs + Compositions
# for the compose.openova.io/v1alpha1 family). Those charts opt
# out of the dependencies-required rule by setting the
# annotation:
# annotations:
# catalyst.openova.io/no-upstream: "true"
# in their Chart.yaml. The hollow-chart rule remains in force
# for every other umbrella chart — the original failure
# (bp-cert-manager:1.0.0 silently shipping without cert-manager)
# cannot recur unless an author explicitly adds the annotation.
no_upstream=$(yq '.annotations["catalyst.openova.io/no-upstream"] // ""' "$chart_yaml")
dep_count=$(yq '.dependencies | length // 0' "$chart_yaml")
echo "Declared dependencies: $dep_count"
echo "no-upstream annotation: '$no_upstream'"
if [ "$dep_count" -eq 0 ]; then
if [ "$no_upstream" = "true" ]; then
echo "Chart marked catalyst.openova.io/no-upstream=true — skipping upstream-subchart presence check."
exit 0
fi
echo "::error title=Hollow chart::Chart $chart_yaml declares NO dependencies. Every Blueprint umbrella chart at platform/<name>/chart/ MUST declare its upstream chart under \`dependencies:\` per docs/BLUEPRINT-AUTHORING.md §11.1 Umbrella shape. See issue #181. (To opt out for charts that legitimately ship only Catalyst-authored CRs, set annotations.catalyst.openova.io/no-upstream: \"true\".)"
exit 1
fi
missing=0
for i in $(seq 0 $((dep_count - 1))); do
dep_name=$(yq ".dependencies[$i].name" "$chart_yaml")
dep_ver=$(yq ".dependencies[$i].version" "$chart_yaml")
dep_repo=$(yq ".dependencies[$i].repository" "$chart_yaml")
packed="$chart_dir/charts/${dep_name}-${dep_ver}.tgz"
unpacked="$chart_dir/charts/${dep_name}/Chart.yaml"
if [ -f "$packed" ]; then
echo " ✓ ${dep_name} ${dep_ver} → $packed"
elif [ -f "$unpacked" ]; then
echo " ✓ ${dep_name} ${dep_ver} → $unpacked (unpacked)"
else
echo "::error title=Subchart not pulled::Declared dependency '${dep_name}' (version='${dep_ver}', repo='${dep_repo}') was not pulled by \`helm dependency build\`. Expected $packed OR $unpacked. Investigate the dependency repository / Chart.lock; do NOT publish a hollow chart."
missing=$((missing + 1))
fi
done
if [ "$missing" -gt 0 ]; then
exit 1
fi
echo "All $dep_count declared upstream subcharts present in working tree."
- name: Helm package
if: steps.chart.outputs.skip != 'true'
run: |
mkdir -p /tmp/charts
helm package "${{ matrix.path }}/chart" --destination /tmp/charts
# ──────────────────────────────────────────────────────────────
# GUARD 2 — hollow-chart check inside the packaged tgz
# ──────────────────────────────────────────────────────────────
# `helm package` builds the OCI payload from the working tree, but
# we don't trust transitive bugs / .helmignore mishaps to leave
# chart/charts/ behind. Crack the produced .tgz and assert every
# declared dep is inside <chart_name>/charts/ in the package.
- name: "Verify upstream subcharts present in packaged tgz (post-helm-package)"
if: steps.chart.outputs.skip != 'true'
id: verify_package
run: |
set -euo pipefail
chart_yaml="${{ matrix.path }}/chart/Chart.yaml"
name="${{ steps.chart.outputs.name }}"
version="${{ steps.chart.outputs.version }}"
tgz="/tmp/charts/${name}-${version}.tgz"
if [ ! -f "$tgz" ]; then
echo "::error title=Package missing::Expected $tgz from helm package."
exit 1
fi
echo "Inspecting $tgz"
listing="/tmp/${name}-${version}.listing.txt"
tar -tzf "$tgz" > "$listing"
echo " total entries: $(wc -l < "$listing")"
dep_count=$(yq '.dependencies | length // 0' "$chart_yaml")
missing=0
for i in $(seq 0 $((dep_count - 1))); do
dep_name=$(yq ".dependencies[$i].name" "$chart_yaml")
dep_ver=$(yq ".dependencies[$i].version" "$chart_yaml")
packed_in_tgz="${name}/charts/${dep_name}-${dep_ver}.tgz"
unpacked_in_tgz="${name}/charts/${dep_name}/Chart.yaml"
if grep -qx "$packed_in_tgz" "$listing"; then
echo " ✓ ${dep_name} ${dep_ver} → $packed_in_tgz"
elif grep -qx "$unpacked_in_tgz" "$listing"; then
echo " ✓ ${dep_name} ${dep_ver} → $unpacked_in_tgz (unpacked)"
else
echo "::error title=Hollow package::Packaged tgz $tgz does NOT contain upstream subchart '${dep_name}' (version='${dep_ver}'). Refusing to publish a hollow chart."
missing=$((missing + 1))
fi
done
if [ "$missing" -gt 0 ]; then
echo "── package listing (first 200 lines) ──"
head -200 "$listing"
exit 1
fi
echo "All $dep_count declared upstream subcharts present inside packaged tgz."
# ──────────────────────────────────────────────────────────────
# SMOKE — `helm template` must render with default values
# ──────────────────────────────────────────────────────────────
# A chart can be structurally complete but render-broken (bad
# template, missing required value, schema violation). Render the
# packaged chart with defaults; on render failure the build dies
# and the rendered output (if any) ships as a workflow artifact
# for forensics.
#
# Empty-render rule: a working umbrella with an upstream subchart
# should produce many resources, so `<5 lines` is suspicious AND
# blocks publish. EXCEPTION: charts that are both `no-upstream:
# true` AND default-OFF (e.g. bp-cnpg-pair, products/continuum)
# legitimately render zero resources at default values — they
# ship a `cnpgPair.enabled: true` (or equivalent) flip-on path
# that overlays activate per-Sovereign. Those charts opt into the
# exception via the `catalyst.openova.io/smoke-render-mode:
# default-off` annotation; their unit-tests under chart/tests/*.sh
# cover the enabled-render path. Without the annotation the
# `<5 lines` rule still fires.
- name: "Helm template smoke render (default values)"
if: steps.chart.outputs.skip != 'true'
id: smoke
run: |
set -euo pipefail
name="${{ steps.chart.outputs.name }}"
version="${{ steps.chart.outputs.version }}"
chart_yaml="${{ matrix.path }}/chart/Chart.yaml"
tgz="/tmp/charts/${name}-${version}.tgz"
mkdir -p /tmp/render
render_out="/tmp/render/${name}-${version}.default.yaml"
# `helm template` against the packaged tgz exercises the same
# bytes Flux will install at runtime — including subchart
# rendering. A leaf umbrella with the upstream subchart
# present should produce upstream resources here.
if ! helm template "smoke-${name}" "$tgz" \
--namespace "smoke-${name}" \
> "$render_out" 2> /tmp/render/stderr.log; then
echo "::error title=helm template failed::Default-values render of $tgz failed; see uploaded artifact and stderr below."
cat /tmp/render/stderr.log >&2
exit 1
fi
lines=$(wc -l < "$render_out")
echo "Rendered $lines lines to $render_out"
smoke_mode=$(yq '.annotations["catalyst.openova.io/smoke-render-mode"] // ""' "$chart_yaml")
if [ "$lines" -lt 5 ]; then
if [ "$smoke_mode" = "default-off" ]; then
echo "Chart marked catalyst.openova.io/smoke-render-mode=default-off — short default render is expected; chart/tests/*.sh covers the enabled-render path."
else
echo "::error title=Empty render::Rendered output is suspiciously short ($lines lines). A working umbrella with an upstream subchart should produce many more resources. (For charts that are intentionally default-off, set annotations.catalyst.openova.io/smoke-render-mode: \"default-off\" in Chart.yaml.)"
exit 1
fi
fi
- name: "Upload smoke render as workflow artifact"
if: ${{ always() && steps.chart.outputs.skip != 'true' && steps.smoke.conclusion != 'skipped' }}
uses: actions/upload-artifact@v4
with:
name: blueprint-smoke-render-${{ steps.chart.outputs.name }}-${{ steps.chart.outputs.version }}
path: /tmp/render/
if-no-files-found: warn
retention-days: 30
# ──────────────────────────────────────────────────────────────
# GATE — Per-chart integration tests under chart/tests/*.sh
# ──────────────────────────────────────────────────────────────
# Every chart under platform/<name>/chart/tests/ that ships a *.sh
# script gets executed here against the working-tree chart. Tests
# SHOULD be self-contained `helm template` assertions (no kind
# cluster); kind-based tests live in a separate workflow that we
# don't gate publish on.
#
# Canonical example: tests/observability-toggle.sh — verifies the
# docs/BLUEPRINT-AUTHORING.md §11.2 rule (observability toggles
# default false). A chart authoring regression that re-introduces
# a hardcoded `serviceMonitor.enabled: true` fails this gate and
# the publish job dies BEFORE the OCI artifact is pushed (issue
# #182).
- name: "Run chart integration tests (chart/tests/*.sh)"
if: steps.chart.outputs.skip != 'true'
id: chart_tests
run: |
set -euo pipefail
chart_dir="${{ matrix.path }}/chart"
tests_dir="$chart_dir/tests"
if [ ! -d "$tests_dir" ]; then
echo "No tests/ directory at $tests_dir — skipping chart tests."
exit 0
fi
shopt -s nullglob
scripts=( "$tests_dir"/*.sh )
if [ "${#scripts[@]}" -eq 0 ]; then
echo "tests/ directory present at $tests_dir but no *.sh scripts — skipping."
exit 0
fi
echo "Running ${#scripts[@]} chart-test script(s) under $tests_dir:"
for s in "${scripts[@]}"; do
echo " → $s"
done
for s in "${scripts[@]}"; do
echo "── $(basename "$s") ──"
bash "$s" "$chart_dir"
done
echo "All chart-test scripts passed."
- name: Helm push to GHCR
if: steps.chart.outputs.skip != 'true'
id: push
run: |
set -e
name="${{ steps.chart.outputs.name }}"
version="${{ steps.chart.outputs.version }}"
# `helm package` writes <chart_name>-<version>.tgz; the chart name
# already carries the `bp-` prefix per BLUEPRINT-AUTHORING.md §3.
file="/tmp/charts/${name}-${version}.tgz"
digest=$(helm push "$file" oci://ghcr.io/openova-io 2>&1 | tee /dev/stderr | awk '/Digest:/{print $2}')
echo "ref=ghcr.io/openova-io/${name}:${version}" >> "$GITHUB_OUTPUT"
echo "digest=$digest" >> "$GITHUB_OUTPUT"
# ──────────────────────────────────────────────────────────────
# GUARD 3 — hollow-chart check after round-trip through GHCR
# ──────────────────────────────────────────────────────────────
# Pull the just-pushed artifact back from GHCR and re-verify deps
# survived. This catches any registry-side stripping, manifest
# rewriting, or path mangling — and proves end consumers (Flux
# helm-controller on every Sovereign) will see the upstream
# subchart bytes.
- name: "Verify upstream subcharts present in pulled OCI artifact (post-helm-push)"
if: steps.chart.outputs.skip != 'true'
id: verify_pull
run: |
set -euo pipefail
name="${{ steps.chart.outputs.name }}"
version="${{ steps.chart.outputs.version }}"
# `chart_yaml` is referenced relative to $GITHUB_WORKSPACE — DO NOT
# cd elsewhere before reading it. We pin `helm pull` output via
# --destination so the read of the source-tree Chart.yaml stays
# rooted at the checked-out repo root.
chart_yaml="${GITHUB_WORKSPACE}/${{ matrix.path }}/chart/Chart.yaml"
mkdir -p /tmp/pulled
helm pull "oci://ghcr.io/openova-io/${name}" --version "${version}" \
--destination /tmp/pulled
pulled_tgz="/tmp/pulled/${name}-${version}.tgz"
if [ ! -f "$pulled_tgz" ]; then
echo "::error title=Pull failed::helm pull did not produce $pulled_tgz; cannot verify GHCR contents."
ls -la /tmp/pulled
exit 1
fi
listing="/tmp/pulled/${name}-${version}.pulled.listing.txt"
tar -tzf "$pulled_tgz" > "$listing"
echo " pulled entries: $(wc -l < "$listing")"
dep_count=$(yq '.dependencies | length // 0' "$chart_yaml")
missing=0
for i in $(seq 0 $((dep_count - 1))); do
dep_name=$(yq ".dependencies[$i].name" "$chart_yaml")
dep_ver=$(yq ".dependencies[$i].version" "$chart_yaml")
packed_in_tgz="${name}/charts/${dep_name}-${dep_ver}.tgz"
unpacked_in_tgz="${name}/charts/${dep_name}/Chart.yaml"
if grep -qx "$packed_in_tgz" "$listing"; then
echo " ✓ ${dep_name} ${dep_ver} → $packed_in_tgz (in GHCR artifact)"
elif grep -qx "$unpacked_in_tgz" "$listing"; then
echo " ✓ ${dep_name} ${dep_ver} → $unpacked_in_tgz (in GHCR artifact, unpacked)"
else
echo "::error title=Hollow OCI artifact::GHCR-pulled $pulled_tgz does NOT contain upstream subchart '${dep_name}' (version='${dep_ver}'). The artifact at ghcr.io/openova-io/${name}:${version} is hollow — Flux will install it but the upstream payload will be missing on every Sovereign. Refusing to leave this published."
missing=$((missing + 1))
fi
done
if [ "$missing" -gt 0 ]; then
echo "── pulled-artifact listing (first 200 lines) ──"
head -200 "$listing"
exit 1
fi
echo "All $dep_count declared upstream subcharts present in pulled GHCR artifact."
- name: Cosign keyless sign
if: steps.chart.outputs.skip != 'true'
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign sign --yes "${{ steps.push.outputs.ref }}@${{ steps.push.outputs.digest }}"
- name: Generate SBOM via Syft
if: steps.chart.outputs.skip != 'true'
run: |
# Scan the local .tgz file rather than the published OCI artifact so
# we don't need containerd permissions on the runner. The .tgz
# carries everything we'd want to inventory anyway (values.yaml +
# Chart.yaml + templates + blueprint.yaml + the upstream-chart
# reference metadata).
mkdir -p /tmp/sbom
name="${{ steps.chart.outputs.name }}"
version="${{ steps.chart.outputs.version }}"
# Chart name already includes `bp-` prefix (read from Chart.yaml).
syft "file:/tmp/charts/${name}-${version}.tgz" -o spdx-json="/tmp/sbom/sbom.spdx.json"
- name: Attest SBOM via cosign
if: steps.chart.outputs.skip != 'true'
env:
COSIGN_EXPERIMENTAL: "true"
run: |
cosign attest --yes --predicate /tmp/sbom/sbom.spdx.json --type spdxjson \
"${{ steps.push.outputs.ref }}@${{ steps.push.outputs.digest }}"
- name: Summary
if: steps.chart.outputs.skip != 'true'
run: |
echo "✓ Blueprint published" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "- **Name:** ${{ steps.chart.outputs.name }}" >> "$GITHUB_STEP_SUMMARY"
echo "- **Version:** ${{ steps.chart.outputs.version }}" >> "$GITHUB_STEP_SUMMARY"
echo "- **OCI ref:** \`${{ steps.push.outputs.ref }}\`" >> "$GITHUB_STEP_SUMMARY"
echo "- **Digest:** \`${{ steps.push.outputs.digest }}\`" >> "$GITHUB_STEP_SUMMARY"
echo "- **Cosigned:** ✓ (keyless via GitHub OIDC)" >> "$GITHUB_STEP_SUMMARY"
echo "- **SBOM attested:** ✓ (SPDX-JSON)" >> "$GITHUB_STEP_SUMMARY"
echo "- **Subchart guards:** ✓ working tree, ✓ packaged tgz, ✓ pulled OCI artifact, ✓ helm template smoke" >> "$GITHUB_STEP_SUMMARY"
Reference in New Issue View Git Blame Copy Permalink