## Reference: https://github.com/helm/chart-releaser-action
name: Chart Publish
on:
  push:
    branches:
      - main
    paths:
      - "charts/**"

permissions:
  contents: read

jobs:
  publish:
    if: github.repository == 'argoproj/argo-helm'
    permissions:
      contents: write  # for helm/chart-releaser-action to push chart release and create a release
      packages: write  # to push OCI chart package to GitHub Registry
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Install Helm
        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: v3.10.1 # Also update in lint-and-test.yaml

      - name: Add dependency chart repos
        run: |
          helm repo add dandydeveloper https://dandydeveloper.github.io/charts/

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      ## This is required to consider the old Circle-CI Index and to stay compatible with all the old releases.
      - name: Fetch current Chart Index
        run: |
          git checkout origin/gh-pages index.yaml

      # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key
      # in ASCII-armored format. To export a (new) key, run this command:
      # `gpg --armor --export-secret-key <my key>`
      - name: Prepare PGP key
        run: |
          IFS=""
          echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg
          echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt

          # Tell chart-releaser-action where to find the key and its passphrase
          echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV"
          echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV"
        env:
          PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}"
          PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}"

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
        with:
          config: "./.github/configs/cr.yaml"
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

      - name: Login to GHCR
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push chart to GHCR
        run: |
          shopt -s nullglob
          for pkg in .cr-release-packages/*.tgz; do
            if [ -z "${pkg:-}" ]; then
              break
            fi
            helm push "${pkg}" oci://ghcr.io/${{ github.repository }}
          done