fix: repair public Helm release publishing #295
guanzhousongmicrosoft wants to merge 3 commits into documentdb:main from
Pull request overview
This PR fixes Helm chart drift in the public GitHub Pages Helm repository by ensuring chart publication is rebuilt from an immutable git ref, and by adding a dedicated repair workflow to republish a released chart and regenerate index.yaml.
Changes:
- Adds a reusable/manual workflow to rebuild a released Helm chart from an immutable ref and republish it to the GitHub Pages Helm repo.
- Requires release_images.yml to take an explicit source_ref and uses that ref when publishing the public Helm repository.
- Reuses the repair workflow from release_images.yml to keep future Pages publications aligned with the chosen immutable source.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/repair_helm_pages_release.yml | New reusable/manual workflow to rebuild a released chart from a specified ref, validate it, and republish Helm repo files to the Pages branch. |
| .github/workflows/release_images.yml | Adds required source_ref, checks out that ref for chart packaging, and invokes the new reusable workflow to publish the Helm repo to GitHub Pages. |
| publish-helm-pages: | ||
| name: Publish Helm Repository | ||
| needs: publish-helm-chart | ||
| if: ${{ always() && needs.publish-helm-chart.result == 'success' }} | ||
| permissions: | ||
| contents: write | ||
| uses: ./.github/workflows/repair_helm_pages_release.yml | ||
| with: | ||
| version: ${{ inputs.version }} | ||
| release_ref: ${{ inputs.source_ref }} | ||
| publish_branch: gh-pages | ||
| repo_url: https://documentdb.github.io/documentdb-kubernetes-operator | ||
| dry_run: false | ||
| confirm_version: ${{ inputs.version }} | ||
| # Follow the same gh-pages branch used by mike in deploy_docs.yml. |
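Review bot: `confirm_version: ${{ inputs.version }}` in the `with:` block is fed from the same input as `version`, so if the called workflow compares the two as a guard against publishing the wrong version, that guard can never trip on this path. Combined with `dry_run: false` and `contents: write`, every successful release pushes to `gh-pages` with no independent confirmation; either document inline that the guard is intentionally bypassed for automated releases or derive the confirmation value from something other than the same input (for example the tag that `source_ref` resolves to). Separately, `always() &&` in the `if:` makes the job ignore run cancellation; `!cancelled() &&` keeps the success check while still honouring a cancel.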
publish-helm-pages reuses repair_helm_pages_release.yml, which hard-fails if Chart.yaml at release_ref already has version == inputs.version. In this repo the release workflow currently rewrites Chart.yaml/values.yaml during publish-helm-chart (via sed), so it’s possible for source_ref to not have the target version yet (e.g., when Chart.yaml stays at the previous release). In that case the new Pages publication step will fail even though chart packaging succeeded. Consider either (1) enforcing/automating a precondition that source_ref points at a commit/tag where operator/documentdb-helm-chart/Chart.yaml is already bumped, or (2) adding an input to the reusable workflow to skip the Chart.yaml version equality check when invoked from release_images.yml (and rely on the packaged tgz/version checks instead).
| confirm_version: ${{ inputs.version }} | ||
| # Follow the same gh-pages branch used by mike in deploy_docs.yml. | ||
| allow_pages_source_mismatch: true |
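Review bot: `allow_pages_source_mismatch: true` has no comment of its own; the comment line above it explains the choice of `gh-pages`, not why the Pages-source guard is being switched off. State the reason on the line above the flag, or leave the input at its default here and set it only for manual repair runs.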
allow_pages_source_mismatch: true disables the safety check that the repo’s configured GitHub Pages source branch matches publish_branch. That makes it easier to accidentally push Helm repo changes to gh-pages even if Pages is currently publishing from a different branch/path (which could leave the public repo unchanged but still mutate history). If this repo’s Pages source is expected to be gh-pages, it’s safer to keep the check enabled here and only use the override for exceptional/manual repair runs.
| - name: Mirror current published chart artifacts | ||
| env: | ||
| REPO_URL: ${{ inputs.repo_url }} | ||
| run: | | ||
| set -euo pipefail | ||
| mkdir -p build live backups/live-artifacts | ||
| if curl -fsSL "${REPO_URL}/index.yaml" -o live/index.yaml; then | ||
| ruby <<'RUBY' > live/chart-urls.txt | ||
| require "yaml" | ||
|
|
||
| data = YAML.load_file("live/index.yaml") | ||
| entries = data.fetch("entries", {}) | ||
| urls = entries.values.flatten.flat_map { |entry| Array(entry["urls"]) }.uniq | ||
|
|
||
| puts urls | ||
| RUBY | ||
| else | ||
| cat > live/index.yaml <<'EOF' | ||
| apiVersion: v1 | ||
| entries: {} | ||
| EOF | ||
| : > live/chart-urls.txt | ||
| fi | ||
| while IFS= read -r url; do | ||
| if [[ ! "${url}" =~ ^https?:// ]]; then | ||
| relative_url="${url#./}" | ||
| relative_url="${relative_url#/}" | ||
| url="${REPO_URL%/}/${relative_url}" | ||
| fi | ||
| filename="$(basename "${url}")" | ||
| curl -fsSL "${url}" -o "backups/live-artifacts/${filename}" | ||
| cp "backups/live-artifacts/${filename}" "pages/${filename}" | ||
| done < live/chart-urls.txt |
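Review bot: in the `while` loop, every URL read from the live `index.yaml` is downloaded and copied into `pages/` with no origin or integrity check. The `^https?://` branch accepts plain HTTP and hosts other than `REPO_URL`, and the `basename` result is used as the destination name without requiring a `.tgz` suffix, so an entry whose URL ends in `index.yaml` would overwrite `pages/index.yaml`. Suggest requiring absolute URLs to start with `${REPO_URL%/}/`, rejecting file names that do not look like a chart tarball, and comparing each download's SHA-256 with the entry's `digest` from the index before the `cp`. Also note that `mkdir -p build live backups/live-artifacts` does not create `pages/`, so the `cp` depends on an earlier step having checked it out; a comment or an explicit existence check would make that dependency visible.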
The “Mirror current published chart artifacts” step downloads every chart URL from the live index.yaml on every run, even when invoked from release_images.yml as part of a normal release. As the repo accumulates versions, this adds avoidable network time and introduces a new failure mode (any transient 404/timeout for an older tgz will fail the publish). Consider making this mirroring conditional (e.g., only for manual repair), or optimizing it to only fetch/copy artifacts that are missing from the checked-out publish_branch working tree while still using --merge to preserve existing entries.
Publish the public Helm repository from an immutable source ref and add a reusable repair workflow for correcting released chart artifacts.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Guanzhou Song <guanzhousong@microsoft.com>

Make the reusable Helm Pages workflow support release-time chart metadata normalization so it can publish from the same immutable source ref as the GHCR chart release path. Also remove the invalid Chart.lock requirement and validate packaged appVersion explicitly.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Guanzhou Song <guanzhousong@microsoft.com>

- Remove dead sed for tag: field that doesn't exist in values.yaml (chart resolves image tags via Chart.appVersion, not a tag: key)
- Add semver format validation on version input to prevent sed injection
- Fix heredoc indentation bug that caused YAML parse error: replace unindented EOF heredoc delimiter with printf to stay within the YAML block scalar indentation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Guanzhou Song <guanzhousong@microsoft.com>
9bfcf9a to 9f34105
Summary
- release_images.yml to take an explicit source_ref and use that same ref when publishing the public Helm repo

How this addresses #288
Issue #288 happened because the public Helm artifact for 0.1.3 drifted away from the release tag and picked up changes from main.

This PR fixes that in two ways:
- REPAIR - Republish Helm Chart to Pages, a one-off/manual workflow that can rebuild 0.1.3 from the immutable 0.1.3 tag and overwrite the bad public artifact plus regenerate index.yaml.
- release_images.yml so future public Helm publications come from a required immutable source_ref instead of drifting from main.

After this PR merges, running the repair workflow once with version=0.1.3, release_ref=0.1.3, and confirm_version=0.1.3 will repair the already-published bad artifact.

Refs #288.

Validation
- 0.1.3 from tag 0.1.3
- 0.1.3 chart currently resolves cloudnative-pg 0.27.0
- 0.1.3 chart resolves cloudnative-pg 0.23.2
- index.yaml digest matches the repaired chart tarball
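
The last validation item, that the index.yaml digest matches the chart tarball, can be checked mechanically for every entry in a Helm repository index. The Ruby sketch below is an added example, not part of this PR or the repository's workflows; the function names, the file-name pattern and the `demo-chart` sample data are assumptions constructed for illustration.

```ruby
require "yaml"
require "digest"
require "tmpdir"

# Assumed naming rule for chart tarballs; anything else (e.g. index.yaml) is rejected.
CHART_FILE = /\A[A-Za-z0-9][A-Za-z0-9._+-]*\.tgz\z/

# Check every entry of a Helm index.yaml against the tarballs in chart_dir.
# Returns a list of problems; an empty list means index and files agree.
def verify_helm_index(index_yaml, chart_dir)
  # Helm writes unquoted timestamps (created/generated), so Time is permitted.
  index = YAML.safe_load(index_yaml, permitted_classes: [Time]) || {}
  problems = []
  (index["entries"] || {}).each do |name, versions|
    Array(versions).each do |entry|
      label = "#{name} #{entry["version"]}"
      Array(entry["urls"]).each do |url|
        file = File.basename(url.to_s)
        unless file.match?(CHART_FILE)
          problems << "#{label}: unexpected artifact name #{file.inspect}"
          next
        end
        path = File.join(chart_dir, file)
        unless File.file?(path)
          problems << "#{label}: #{file} not found"
          next
        end
        actual = Digest::SHA256.file(path).hexdigest
        problems << "#{label}: digest mismatch for #{file}" unless actual == entry["digest"].to_s.downcase
      end
    end
  end
  problems
end

# Constructed demo: 0.1.2 matches its digest, 0.1.3 was rebuilt after indexing.
def demo
  Dir.mktmpdir do |dir|
    File.binwrite(File.join(dir, "demo-chart-0.1.2.tgz"), "constructed bytes A")
    File.binwrite(File.join(dir, "demo-chart-0.1.3.tgz"), "rebuilt from another ref")
    entries = [
      { "version" => "0.1.2", "urls" => ["demo-chart-0.1.2.tgz"],
        "digest" => Digest::SHA256.hexdigest("constructed bytes A") },
      { "version" => "0.1.3", "urls" => ["https://charts.example.invalid/demo-chart-0.1.3.tgz"],
        "digest" => Digest::SHA256.hexdigest("bytes at release tag") },
    ]
    index = { "apiVersion" => "v1", "generated" => Time.now.utc, "entries" => { "demo-chart" => entries } }
    verify_helm_index(YAML.dump(index), dir)
  end
end
```

Calling `demo` returns one problem, the digest mismatch for `demo-chart-0.1.3.tgz`; run against a checked-out Pages branch, the same function would flag a tarball that no longer matches what the index recorded.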