name: Publish charts
permissions: read-all

on:
  push:
    tags:
      - 'v*'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  publish-helm:
    # Skip this Release on forks
    if: github.repository_owner == 'projectcapsule'
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Extract Version"
        id: extract_version
        run: |
          GIT_TAG=${GITHUB_REF##*/}
          VERSION=${GIT_TAG##*v}
          echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
      - name: Publish Helm chart
        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
        with:
          token: "${{ secrets.HELM_CHARTS_PUSH_TOKEN }}"
          linting: off
          chart_version: ${{ steps.extract_version.outputs.version }}
          app_version: ${{ steps.extract_version.outputs.version }}
          charts_dir: charts
          charts_url: https://${{ github.repository_owner }}.github.io/charts
          owner: ${{ github.repository_owner }}
          repository: charts
          branch: gh-pages
          commit_username: ${{ github.actor }}
  publish-helm-oci:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      id-token: write
      packages: write
    outputs:
      chart-digest: ${{ steps.helm_publish.outputs.digest }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
      - name: "Extract Version"
        id: extract_version
        run: |
          GIT_TAG=${GITHUB_REF##*/}
          VERSION=${GIT_TAG##*v}
          echo "version=$(echo $VERSION)" >> $GITHUB_OUTPUT
      - name: Helm | Publish
        id: helm_publish
        uses: peak-scale/github-actions/helm-oci-chart@a441cca016861c546ab7e065277e40ce41a3eb84 # v0.2.0
        with:
          registry: ghcr.io
          repository: ${{ github.repository_owner }}/charts
          name: "capsule"
          version: ${{ steps.extract_version.outputs.version }}
          app-version: ${{ steps.extract_version.outputs.version }}
          registry-username: ${{ github.actor }}
          registry-password: ${{ secrets.GITHUB_TOKEN }}
          update-dependencies: 'true' # Defaults to false
          sign-image: 'true'
          signature-repository: ghcr.io/${{ github.repository_owner }}/charts/capsule
  helm-provenance:
    needs: publish-helm-oci
    permissions:
      id-token: write   # To sign the provenance.
      packages: write   # To upload assets to release.
      actions: read     # To read the workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ghcr.io/${{ github.repository_owner }}/charts/capsule
      digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}