From 519797092fa27adac6d1d6e45fd1d6d31d3b377f Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Mon, 8 Jun 2026 15:21:01 -0700
Subject: [PATCH 1/2] Add release workflow publishing chart to socket-firewall-helm gh-pages

Cross-repo publish (Option A): packages helm/ and pushes to the gh-pages of socketdev-demo/socket-firewall-helm via the HELM_PAGES_DEPLOY_KEY deploy key, keeping the existing download URL stable. Fires on helm/Chart.yaml change or manual dispatch.
---
 .github/workflows/release.yaml | 60 ++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .github/workflows/release.yaml

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..8417cb5
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,60 @@
+name: Release Chart
+
+# Publishes the Helm chart in helm/ to the gh-pages branch of
+# socketdev-demo/socket-firewall-helm, so the existing download URL
+# (https://socketdev-demo.github.io/socket-firewall-helm) keeps serving and
+# existing `helm repo add` users are unaffected (Option A). Cross-repo push
+# uses the HELM_PAGES_DEPLOY_KEY deploy key (write access on the old repo).
+
+on:
+ push:
+ branches: [main]
+ paths: ['helm/Chart.yaml'] # fires on a chart version bump
+ workflow_dispatch: {} # manual re-publish of the current version
+
+permissions:
+ contents: read # we never write to THIS repo; the old repo is reached via SSH key
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ with:
+ persist-credentials: false
+
+ - name: Install Helm
+ uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+
+ - name: Package chart
+ run: helm package helm --destination .deploy
+
+ - name: Configure deploy key
+ run: |
+ mkdir -p ~/.ssh
+ printf '%s\n' "${{ secrets.HELM_PAGES_DEPLOY_KEY }}" > ~/.ssh/pages_key
+ chmod 600 ~/.ssh/pages_key
+ ssh-keyscan -t ed25519 github.com >> ~/.ssh/known_hosts 2>/dev/null
+
+ - name: Publish to socket-firewall-helm gh-pages
+ env:
+ GIT_SSH_COMMAND: "ssh -i ~/.ssh/pages_key -o IdentitiesOnly=yes"
+ run: |
+ set -euo pipefail
+ git clone --branch gh-pages --single-branch \
+ git@github.com:socketdev-demo/socket-firewall-helm.git pages
+ cp .deploy/*.tgz pages/
+ # Re-index against the full gh-pages contents so all prior versions are
+ # preserved; the published URL is unchanged.
+ helm repo index pages --url https://socketdev-demo.github.io/socket-firewall-helm
+ cd pages
+ git config user.name "socket-firewall-release"
+ git config user.email "release@socket.dev"
+ git add .
+ if git diff --staged --quiet; then
+ echo "No changes to publish."
+ exit 0
+ fi
+ git commit -m "Publish $(ls ../.deploy/*.tgz | xargs -n1 basename | tr '\n' ' ')"
+ git push origin gh-pages

From a4d4fb9d1aa4e99d40029b4397a9b3624a33f310 Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Mon, 8 Jun 2026 16:54:14 -0700
Subject: [PATCH 2/2] Scope release job to the publish environment (zizmor secrets-outside-env)

---
 .github/workflows/release.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8417cb5..dda9932 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,6 +18,7 @@ permissions:
 jobs:
 release:
 runs-on: ubuntu-latest
+ environment: publish # scope the deploy-key secret behind a GitHub Environment (zizmor secrets-outside-env)
 steps:
 - name: Checkout
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
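Review bot: The publish step copies `.deploy/*.tgz` over whatever is already in the gh-pages clone (`cp .deploy/*.tgz pages/`) and then regenerates `index.yaml`, so a `helm/Chart.yaml` edit that does not bump `version`, or the `workflow_dispatch` "re-publish" path the header comment describes, silently replaces an already-published chart archive with one that has a different digest — the one thing consumers who pin digests from the index rely on never happening. I would treat published versions as immutable: fail when the target archive already exists in `pages/`, and if an intentional re-publish is genuinely needed, gate it behind an explicit `workflow_dispatch` input rather than making it the default behaviour. Separately, `printf '%s\n' "${{ secrets.HELM_PAGES_DEPLOY_KEY }}"` interpolates the private key straight into the generated shell script; passing it via the step's `env:` and writing `"$DEPLOY_KEY"` keeps the secret out of the script text. The `ssh-keyscan` line also trusts whatever host key the network returns at run time (with errors discarded), so pinning GitHub's published host key into `known_hosts` instead would remove that trust-on-first-use window.
```yaml
      - name: Publish to socket-firewall-helm gh-pages
        # … unchanged: env / GIT_SSH_COMMAND …
        run: |
          set -euo pipefail
          git clone --branch gh-pages --single-branch \
            git@github.com:socketdev-demo/socket-firewall-helm.git pages
          # A published chart version is immutable: refuse to replace an archive
          # that already exists in gh-pages (bump Chart.yaml's version instead).
          for tgz in .deploy/*.tgz; do
            if [ -e "pages/${tgz##*/}" ]; then
              echo "refusing to overwrite already-published ${tgz##*/}" >&2
              exit 1
            fi
          done
          cp .deploy/*.tgz pages/
          # … unchanged: helm repo index, git config/add/commit/push …
```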
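Review bot: `environment: publish` only protects `HELM_PAGES_DEPLOY_KEY` if the environment itself is configured with a deployment-branch policy limited to `main` (and ideally required reviewers); the workflow's `on:` block includes `workflow_dispatch`, which can be run from any branch, so without that policy anyone with write access could dispatch a modified copy of this workflow from a feature branch and read the deploy key. That configuration lives outside the repository and is not visible in this patch, so I would state the requirement where the next maintainer will see it: `environment: publish  # must restrict deployment branches to main (+ required reviewers); otherwise the deploy key is reachable from any dispatched branch`. The rest of the `release` job's steps lie outside this hunk.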