.github/workflows/build-artifacts.yml

#
# MIT License
#
# (C) Copyright 2022 Hewlett Packard Enterprise Development LP
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
# OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.
name: Build Artifacts

# Globals
env:

  # Package/artifact names
  IMAGE_NAME: cray-product-catalog-update
  CHART_NAME: cray-product-catalog
  PYMOD_NAME: cray-product-catalog

  # Artifact repository locations
  REGISTRY: artifactory.algol60.net
  REGISTRY_USERNAME: github-actions-cray-hpe
  REGISTRY_DOWNLOAD_PATH: artifactory
  IMAGE_REPOSITORY: csm-docker
  CHART_REPOSITORY: csm-helm-charts
  PYMOD_REPOSITORY: csm-python-modules

  # Testing variables
  CHART_UNITTEST_IMAGE: quintush/helm-unittest:3.3.0-0.2.5

  # Code checker variables
  SNYK_SEVERITY_THRESHOLD: high

on:

  push:
    # Do not build pushes to the main/master branch, tags build prod releases
    # Do not build release branches from historical CSM/Shasta release branches
    branches:
      - feature/**
      - hotfix/**
      - support/**
      - develop
      - 'release/**'
      - '!release/csm-**'
      - '!release/shasta-**'

  # Make this a reusable workflow for the purposes of building production
  # releases from tags on main/master, or beta releases from release or hotfix
  # branches.
  workflow_call:
    secrets:
      SNYK_TOKEN:
        required: true
      ARTIFACTORY_ALGOL60_JFROG_CLI_CONFIGURATION:
        required: true
      ARTIFACTORY_ALGOL60_USERNAME:
        required: true
      ARTIFACTORY_ALGOL60_TOKEN:
        required: true
      COSIGN_GCP_PROJECT_ID:
        required: true
      COSIGN_GCP_SA_KEY:
        required: true
      COSIGN_KEY:
        required: true
    outputs:
      run-id:
        value: ${{ jobs.publish-deploy-script.outputs.run-id }}
      semVer:
        value: ${{ jobs.build-prep.outputs.semVer }}
      image-version:
        value: ${{ jobs.build-prep.outputs.image-version }}
      chart-version:
        value: ${{ jobs.build-prep.outputs.chart-version }}
      py-version:
        value: ${{ jobs.build-prep.outputs.chart-version }}
      is-stable:
        value: ${{ jobs.build-prep.outputs.is-stable }}
      build-date-time:
        value: ${{ jobs.build-prep.outputs.build-date-time }}
      image:
        value: ${{ jobs.publish-deploy-script.outputs.image }}
      image_url:
        value: ${{ jobs.publish-deploy-script.outputs.image_url }}
      chart:
        value: ${{ jobs.publish-deploy-script.outputs.chart }}
      chart_url:
        value: ${{ jobs.publish-deploy-script.outputs.chart_url }}
      pymod:
        value: ${{ jobs.publish-deploy-script.outputs.pymod }}
      pymod_url:
        value: ${{ jobs.publish-deploy-script.outputs.pymod_url }}

# Workflow Jobs
jobs:

  build-prep:
    runs-on: self-hosted
    outputs:
      semVer: ${{ steps.buildprepversion.outputs.version }}
      image-version: ${{ steps.buildversion.outputs.image-version }}
      chart-version: ${{ steps.buildversion.outputs.chart-version }}
      py-version: ${{ steps.buildversion.outputs.py-version }}
      is-stable: ${{ steps.buildprepversion.outputs.is-stable }}
      build-date-time: ${{ steps.buildprepversion.outputs.build-date-time }}
      short-sha: ${{ steps.buildprepversion.outputs.short-sha }}
      major: ${{ steps.buildprepversion.outputs.major }}
      minor: ${{ steps.buildprepversion.outputs.minor }}
      patch: ${{ steps.buildprepversion.outputs.patch }}
      commits-since-last-version: ${{ steps.buildprepversion.outputs.commits-since-last-version }}
      pre-release-tag: ${{ steps.buildprepversion.outputs.pre-release-tag }}

    steps:
      - name: Prep build metdata and fetch version
        id: buildprepversion
        uses: Cray-HPE/.github/actions/csm-run-build-prep@v2-csm-run-build-prep

      - name: Set version info
        id: buildversion
        shell: bash
        run: |
          echo ::set-output name=chart-version::$(echo ${{ steps.buildprepversion.outputs.version }}+${{ steps.buildprepversion.outputs.build-date-time }}.${{ steps.buildprepversion.outputs.short-sha }})
          echo ::set-output name=pre-release-tag::$(echo ${{ env.GITVERSION_PRERELEASETAG }})
          if [[ "${{ env.GITVERSION_PRERELEASETAG }}" = "" ]]; then
            echo ::set-output name=image-version::$(echo ${{ steps.buildprepversion.outputs.version }}-${{ steps.buildprepversion.outputs.build-date-time }}.${{ steps.buildprepversion.outputs.short-sha }})
          else
            echo ::set-output name=image-version::$(echo ${{ steps.buildprepversion.outputs.version }}.${{ steps.buildprepversion.outputs.build-date-time }}.${{ steps.buildprepversion.outputs.short-sha }})
          fi
          if [[ ${{ steps.buildprepversion.outputs.is-stable }} = unstable ]]; then
            echo ::set-output name=py-version::$(echo ${{ steps.buildprepversion.outputs.major }}.${{ steps.buildprepversion.outputs.minor }}.${{ steps.buildprepversion.outputs.patch }}.dev${{ steps.buildprepversion.outputs.commits-since-last-version }})
          else
            echo ::set-output name=py-version::$(echo ${{ steps.buildprepversion.outputs.major }}.${{ steps.buildprepversion.outputs.minor }}.${{ steps.buildprepversion.outputs.patch }})
          fi

  scan-pymod:
    runs-on: ubuntu-latest
    needs: build-prep
    outputs:
      snyk-passed: ${{ steps.snyk-result.outputs.snyk-passed }}

    steps:
      - uses: actions/checkout@master
      - name: Set Python Package Version
        run: |
          echo ${PYMOD_VERSION} > .version
        env:
          PYMOD_VERSION: ${{ needs.build-prep.outputs.py-version }}

      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/python@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=py.snyk.sarif --json-file-output=py.snyk.json --skip-unresolved=true --severity-threshold=${{ env.SNYK_SEVERITY_THRESHOLD }}

      - name: Get Snyk Result
        id: snyk-result
        run: |
          echo ::set-output name=snyk-passed::$(echo `cat py.snyk.json | jq -r .ok`)

      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: py.snyk.sarif

  test-pymod:
    runs-on: ubuntu-latest
    needs: build-prep
    steps:
      - uses: actions/checkout@master

      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.9'

      - name: Test Python Package
        run: |
          echo ${PYMOD_VERSION} > .version
          pip3 install -r requirements.txt
          pip3 install -r requirements-test.txt
          mkdir -p pymod_test
          python3 setup.py install --user
          python3 -m unittest discover tests
          pycodestyle --config=.pycodestyle cray_product_catalog tests
          # Run pylint, but only fail the build if the code scores lower than 8.0
          pylint --fail-under=8.0 cray_product_catalog tests
        env:
          PYMOD_VERSION: ${{ needs.build-prep.outputs.py-version }}

  build-publish-pymod:
    runs-on: ubuntu-latest
    if: ${{ fromJSON(needs.scan-pymod.outputs.snyk-passed) }}
    needs:
      - build-prep
      - scan-pymod
      - test-pymod

    steps:
      - uses: actions/checkout@v2
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.9'

      - name: Install dependencies
        shell: bash
        run: |
          pip install --upgrade pip setuptools wheel

      - name: Build Python Package
        run: |
          echo ${PYMOD_VERSION} > .version
          python setup.py sdist bdist_wheel
        env:
          PYMOD_VERSION: ${{ needs.build-prep.outputs.py-version }}

      - name: Setup JFrog/Artifactory CLI
        uses: jfrog/setup-jfrog-cli@v1
        env:
          JF_ARTIFACTORY_1: ${{ secrets.ARTIFACTORY_ALGOL60_JFROG_CLI_CONFIGURATION }}

      - name: Verify connectivity to Artifactory
        run: jfrog rt ping

      - name: Publish Python Module
        shell: bash
        env:
          STABLE_PATH: ${{ needs.build-prep.outputs.is-stable }}
          PYMOD_VERSION: ${{ needs.build-prep.outputs.py-version }}
        run: |
          ls -lRa dist/
          jfrog rt upload "dist/*.tar.gz" "${PYMOD_REPOSITORY}/simple/${PYMOD_NAME}/"
          jfrog rt upload "dist/*.whl" "${PYMOD_REPOSITORY}/simple/${PYMOD_NAME}/"

      - name: Upload Python Module as Build Artifact
        uses: actions/upload-artifact@v2
        with:
          name: pymod
          path: |
            dist/*.tar.gz
            dist/*.whl
          retention-days: 7

  build-scan-sign-publish-image:
    runs-on: ubuntu-latest
    needs: build-prep
    outputs:
      full-image: ${{ steps.buildvars.outputs.full-image }}
      full-image-download-path: ${{ steps.buildvars.outputs.image-download }}
      image-base: ${{ steps.buildvars.outputs.image-base }}
      image-tag: ${{ steps.buildvars.outputs.image-tag }}
      snyk-passed: ${{ steps.snyk-result.outputs.snyk-passed }}

    steps:
      - uses: actions/checkout@v2
      - name: Set variables
        id: buildvars
        run: |
          echo ::set-output name=image-base::$(echo ${{ env.REGISTRY }}/${{ env.IMAGE_REPOSITORY }}/${{ needs.build-prep.outputs.is-stable }}/${{ env.IMAGE_NAME }})
          echo ::set-output name=image-tag::$(echo ${{ needs.build-prep.outputs.image-version }})
          echo ::set-output name=full-image::$(echo ${{ env.REGISTRY }}/${{ env.IMAGE_REPOSITORY }}/${{ needs.build-prep.outputs.is-stable }}/${{ env.IMAGE_NAME }}:${{ needs.build-prep.outputs.image-version }})
          echo ::set-output name=image-download::$(echo ${{ env.REGISTRY }}/${{ env.REGISTRY_DOWNLOAD_PATH }}/${{ env.IMAGE_REPOSITORY }}/${{ needs.build-prep.outputs.is-stable }}/${{ env.IMAGE_NAME }}:${{ needs.build-prep.outputs.image-version }})

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ steps.buildvars.outputs.image-base }}
          tags: |
            type=semver,pattern={{version}},value=${{ steps.buildvars.outputs.image-tag }}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
          labels: |
            org.opencontainers.image.vendor=Hewlett Packard Enterprise Development LP

      # Build and load the image into the local docker registry first. This
      # allows it to undergo security scans before being pushed to the remote
      # registry.
      - name: Build Image (local build, no push)
        uses: docker/build-push-action@v2
        id: build-docker-image
        with:
          push: false
          load: true
          build-args: |
            PYMOD_VERSION=${{ needs.build-prep.outputs.py-version }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      - name: Save the Docker Image
        shell: bash
        run: |
          docker save ${{ steps.buildvars.outputs.image-base }}:${{ steps.buildvars.outputs.image-tag }} | gzip > docker-image.tar.gz

      - name: Upload Docker image as Build Artifact
        uses: actions/upload-artifact@v2
        with:
          name: docker-image
          path: docker-image.tar.gz
          retention-days: 7

      # Run the scanner, continue on if errors are found so the results can be
      # reported to the Github Code Scanning alerts tab
      - name: Run Snyk to check Docker images for vulnerabilities
        uses: snyk/actions/docker@master
        id: snyk-scan
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ steps.buildvars.outputs.full-image }}
          args: --severity-threshold=${{ env.SNYK_SEVERITY_THRESHOLD }} --skip-unresolved=true --file=Dockerfile
          sarif: true
          json: true

      - name: Get Snyk Result
        id: snyk-result
        run: |
          echo ::set-output name=snyk-passed::$(echo `cat snyk.json | jq -r .ok`)

      - name: Upload Snyk result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v1
        id: snyk-upload
        with:
          sarif_file: snyk.sarif

      # Push the image to the remote registry if the snyk scan was clean
      - name: Login to algol60 Container Registry
        if: ${{ fromJSON(steps.snyk-result.outputs.snyk-passed) }}
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.REGISTRY_USERNAME }}
          password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}

      - name: Push Image to Registry
        if: ${{ fromJSON(steps.snyk-result.outputs.snyk-passed) }}
        shell: bash
        run: 
          docker push ${{ env.IMAGE }}
        env:
          IMAGE: ${{ steps.buildvars.outputs.full-image }}

  publish-deploy-script:
    runs-on: ubuntu-latest
    if: ${{ fromJSON(needs.build-scan-sign-publish-image.outputs.snyk-passed) }}
    needs:
      - build-prep
      - build-scan-sign-publish-image
      - build-publish-helm-chart
    env:
      IMAGE_TAG: ${{ needs.build-scan-sign-publish-image.outputs.image-tag }}
      STABLE: ${{ needs.build-prep.outputs.is-stable }}
      CHART_VERSION: ${{ needs.build-prep.outputs.chart-version }}
      PYMOD_VERSION: ${{ needs.build-prep.outputs.py-version }}
    outputs:
      run-id: ${{ github.run_id }}
      image: ${{ steps.vars.outputs.image }}
      image_tag: ${{ steps.vars.outputs.image_tag }}
      image_url: ${{ steps.vars.outputs.image_url }}
      chart: ${{ steps.vars.outputs.chart }}
      chart_version: ${{ steps.vars.outputs.chart_version }}
      chart_url: ${{ steps.vars.outputs.chart_url }}
      pymod: ${{ steps.vars.outputs.pymod }}
      pymod_url: ${{ steps.vars.outputs.pymod_url }}

    steps:
      - name: Checkout repo
        uses: actions/checkout@v2

      - name: Create additional template vars
        id: vars
        run: |
          echo ::set-output name=repo_name::$(echo ${GITHUB_REPOSITORY}_${GITHUB_REF_NAME} | sed 's|/|_|g')
          echo ::set-output name=image::$(echo ${IMAGE_NAME}:${IMAGE_TAG})
          echo ::set-output name=image_tag::$(echo ${IMAGE_TAG})
          echo ::set-output name=image_url::$(echo https://artifactory.algol60.net/ui/repos/tree/General/csm-docker%2F${STABLE}%2F${IMAGE_NAME}%2F${IMAGE_TAG})
          echo ::set-output name=chart::$(echo ${CHART_NAME}-${CHART_VERSION})
          echo ::set-output name=chart_version::$(echo ${CHART_VERSION})
          echo ::set-output name=chart_url::$(echo https://artifactory.algol60.net/ui/repos/tree/General/csm-helm-charts%2F${STABLE}%2F${CHART_NAME}%2F${CHART_NAME}-${CHART_VERSION}.tgz)
          echo ::set-output name=pymod::$(echo ${PYMOD_NAME}-${PYMOD_VERSION})
          echo ::set-output name=pymod_url::$(echo https://artifactory.algol60.net/ui/repos/tree/General/csm-python-modules%2Fsimple%2Fcray-product-catalog%2Fcray_product_catalog-${PYMOD_VERSION}-py3-none-any.whl)

      - name: Render deploy script template
        uses: chuhlomin/render-template@v1.4
        id: template
        with:
          result_path: deploy-script.sh
          template: .github/templates/deploy-script.sh.tmpl
          vars: |
            buildDateTime: ${{ needs.build-prep.outputs.build-date-time }} 
            repository: ${{ github.repository }}
            run: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
            fullImage: ${{ needs.build-scan-sign-publish-image.outputs.full-image }}
            imageName: ${{ env.IMAGE_NAME }}
            imageTag: ${{ env.IMAGE_TAG }}
            zypperRepoName: ${{ steps.vars.outputs.repo_name }}
            commit: ${{ needs.build-prep.outputs.short-sha }}
            ref: ${{ github.ref_name }}
            ref_type: ${{ github.ref_type }}
            chartName: ${{ env.CHART_NAME }}
            chartVersion: ${{ env.CHART_VERSION }}
            pymodVersion: ${{ env.PYMOD_VERSION }}

      - name: Upload Deploy Script as Build Artifact
        uses: actions/upload-artifact@v2
        with:
          name: deploy-script.sh
          path: deploy-script.sh
          retention-days: 90

      - name: Capture the artifactory locations of the build artifacts
        uses: schdck/create-env-json@v1
        with:
          file-name: 'artifacts.json'
          image: ${{ steps.vars.outputs.image }}
          image_tag: ${{ steps.vars.outputs.image_tag }}
          image_url: ${{ steps.vars.outputs.image_url }}
          chart: ${{ steps.vars.outputs.chart }}
          chart_version: ${{ steps.vars.outputs.chart_version }}
          chart_url: ${{ steps.vars.outputs.chart_url }}
          pymod: ${{ steps.vars.outputs.pymod }}
          pymod_url: ${{ steps.vars.outputs.pymod_url }}

      - name: Upload artifactory artifact metadata as a Build Artifact
        uses: actions/upload-artifact@v2
        with:
          name: artifacts.json
          path: artifacts.json
          retention-days: 90

  sign-image-sbom:
    runs-on: ubuntu-latest
    if: ${{ fromJSON(needs.build-scan-sign-publish-image.outputs.snyk-passed) }}
    needs: 
      - build-scan-sign-publish-image

    steps:

      - name: Sign the image in Artifactory
        id: image-sign
        uses: Cray-HPE/.github/actions/csm-sign-image@v2-csm-sign-image
        with:
          cosign-gcp-project-id: ${{ secrets.COSIGN_GCP_PROJECT_ID }}
          cosign-gcp-sa-key: ${{ secrets.COSIGN_GCP_SA_KEY }}
          cosign-key: ${{ secrets.COSIGN_KEY }}
          registry: ${{ env.REGISTRY }}
          registry-username: ${{ env.REGISTRY_USERNAME }}
          registry-password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
          github-sha: ${{ env.GITHUB_SHA }}
          image: ${{ needs.build-scan-sign-publish-image.outputs.full-image }}

      - name: Generate, Attach, and Sign container image SBOM
        uses: Cray-HPE/.github/actions/csm-generate-attach-sign-sbom@v1-csm-generate-attach-sign-sbom
        id: sbom
        with:
          cosign-gcp-project-id: ${{ secrets.COSIGN_GCP_PROJECT_ID }}
          cosign-gcp-sa-key: ${{ secrets.COSIGN_GCP_SA_KEY }}
          cosign-key: ${{ secrets.COSIGN_KEY }}
          registry: ${{ env.REGISTRY }}
          registry-username: ${{ secrets.ARTIFACTORY_ALGOL60_USERNAME }}
          registry-password: ${{ secrets.ARTIFACTORY_ALGOL60_TOKEN }}
          github-sha: ${{ env.GITHUB_SHA }}
          image: ${{ needs.build-scan-sign-publish-image.outputs.full-image }}

  build-publish-helm-chart:
    if: ${{ fromJSON(needs.build-scan-sign-publish-image.outputs.snyk-passed) }}
    runs-on: ubuntu-latest
    needs:
      - build-prep
      - build-scan-sign-publish-image

    steps:
      - name: Checkout repo
        uses: actions/checkout@v2

      - name: Set Github commit annotation
        uses: mikefarah/yq@master
        with:
          cmd: yq eval --inplace '.annotations."github.com/sha" = strenv(GITHUB_SHA)' charts/${{ env.CHART_NAME }}/Chart.yaml

      - name: Set Github ref annotation
        uses: mikefarah/yq@master
        with:
          cmd: yq eval --inplace '.annotations."github.com/ref" = strenv(GITHUB_REF)' charts/${{ env.CHART_NAME }}/Chart.yaml

      - name: Set Github commit time annotation
        uses: mikefarah/yq@master
        with:
          cmd: yq eval --inplace '.annotations."github.com/timestamp" = strenv(COMMIT_TIMESTAMP)' charts/${{ env.CHART_NAME }}/Chart.yaml
        env:
          COMMIT_TIMESTAMP: ${{ github.event.head_commit.timestamp }}

      - name: Determine Prerelease
        uses: haya14busa/action-cond@v1
        id: prerelease-annotation
        with:
          cond: ${{ needs.build-prep.outputs.is-stable }} == 'stable'
          if_true: "false"
          if_false: "true"

      - name: Set Prerelease annotation (as a string)
        uses: mikefarah/yq@master
        with:
          cmd: yq eval --inplace '.annotations."artifacthub.io/prerelease" = strenv(PRERELEASE)' charts/${{ env.CHART_NAME }}/Chart.yaml
        env:
          PRERELEASE: ${{ steps.prerelease-annotation.outputs.value }}

      - name: Update ${{ env.IMAGE_NAME }} image ref
        run: |
          sed -i 's|${{ env.IMAGE_NAME }}:0.0.0|${{ needs.build-scan-sign-publish-image.outputs.full-image }}|g' charts/${{ env.CHART_NAME }}/Chart.yaml

      - name: Sort annotation keys
        uses: mikefarah/yq@master
        with:
          cmd: yq eval --inplace 'sort_keys(.annotations)' charts/${{ env.CHART_NAME }}/Chart.yaml

      - name: Lint Chart
        run: |
          helm lint charts/${{ env.CHART_NAME }}
          docker run --rm -v ${PWD}/charts:/apps ${{ env.CHART_UNITTEST_IMAGE }} -3 ${{ env.CHART_NAME }}

      - name: Build Helm Chart
        run: |
          mkdir -p charts/.packaged
          helm dep up charts/${{ env.CHART_NAME }}
          helm package charts/${{ env.CHART_NAME }} -d charts/.packaged --app-version ${{ needs.build-prep.outputs.image-version }} --version ${{ needs.build-prep.outputs.chart-version }}

      - name: Print Chart.yaml contents
        run: |
          tar -axf charts/.packaged/${{ env.CHART_NAME}}-${{ needs.build-prep.outputs.chart-version }}.tgz ${{ env.CHART_NAME }}/Chart.yaml -O

      - name: Setup JFrog/Artifactory CLI
        uses: jfrog/setup-jfrog-cli@v1
        env:
          JF_ARTIFACTORY_1: ${{ secrets.ARTIFACTORY_ALGOL60_JFROG_CLI_CONFIGURATION }}

      - name: Verify connectivity to Artifactory
        run: jfrog rt ping

      - name: Publish Helm charts
        shell: bash
        env:
          STABLE_PATH: ${{ needs.build-prep.outputs.is-stable }}
          CHARTS_PATH: charts/.packaged
          CHARTS_PATTERN: "*.tgz"
          CHART_VERSION: ${{ needs.build-prep.outputs.chart-version }}
        run: |
          jfrog rt upload "charts/.packaged/${CHART_NAME}-${CHART_VERSION}.tgz" "${CHART_REPOSITORY}/${STABLE_PATH}/${CHART_NAME}/"

          # Provide links for downloading
          for packaged_chart in $(find charts/.packaged -mindepth 1 -maxdepth 1); do
            CHART_FILE_NAME=$(basename "$packaged_chart")
            echo "Download link: https://artifactory.algol60.net/artifactory/$TARGET_PATTERN$CHART_FILE_NAME"
          done

      - name: Upload Helm Chart as Build Artifact
        uses: actions/upload-artifact@v2
        with:
          name: helm-chart
          path: charts/.packaged/${{ env.CHART_NAME }}-${{ needs.build-prep.outputs.chart-version }}.tgz
          retention-days: 7