ci: update helm release to use vault

Author: yorugac

.github/actions/publish-helm-release.yaml

@@ -0,0 +1,26 @@
+name: publish-helm-release
+
+runs:
+  steps:
+    - id: get-secrets
+      uses: grafana/shared-workflows/actions/[email protected]
+      with:
+        repo_secrets: |
+          APP_ID=github-app:app-id
+          APP_PRIVATE_KEY=github-app:private-key
+        # Set to false to get secrets as outputs instead of environment variables
+        export_env: false
+
+    - id: publish-helm-release
+      env:
+        K6_OPERATOR_HELM_RELEASE_APP_ID: ${{ fromJSON(steps.get-secrets.outputs.secrets).APP_ID }}
+        K6_OPERATOR_HELM_RELEASE_PEM_KEY: ${{ fromJSON(steps.get-secrets.outputs.secrets).APP_PRIVATE_KEY }}
+      uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
+      with:
+        charts_dir: charts
+        cr_configfile: charts/cr.yaml
+        ct_configfile: charts/ct.yaml
+        helm_tag_prefix: helm
+      secrets:
+        github_app_id: ${K6_OPERATOR_HELM_RELEASE_APP_ID}
+        github_app_pem: ${K6_OPERATOR_HELM_RELEASE_PEM_KEY}

.github/actions/publish-helm-release/action.yaml

@@ -0,0 +1,27 @@
+name: publish-helm-release
+
+runs:
+  using: 'composite'
+  steps:
+    - id: get-secrets
+      uses: grafana/shared-workflows/actions/[email protected]
+      with:
+        repo_secrets: |
+          APP_ID=github-app:app-id
+          APP_PRIVATE_KEY=github-app:private-key
+        # Set to false to get secrets as outputs instead of environment variables
+        export_env: false
+
+    - id: publish-helm-release
+      env:
+        K6_OPERATOR_HELM_RELEASE_APP_ID: ${{ fromJSON(steps.get-secrets.outputs.secrets).APP_ID }}
+        K6_OPERATOR_HELM_RELEASE_PEM_KEY: ${{ fromJSON(steps.get-secrets.outputs.secrets).APP_PRIVATE_KEY }}
+      uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
+      with:
+        charts_dir: charts
+        cr_configfile: charts/cr.yaml
+        ct_configfile: charts/ct.yaml
+        helm_tag_prefix: helm
+      secrets:
+        github_app_id: ${K6_OPERATOR_HELM_RELEASE_APP_ID}
+        github_app_pem: ${K6_OPERATOR_HELM_RELEASE_PEM_KEY}

.github/workflows/helm-release.yaml

@@ -1,6 +1,9 @@
 
 name: Helm release
-permissions: {}
+# These permissions are needed to assume roles from Github's OIDC.
+permissions:
+  contents: read
+  id-token: write
 
 on:
   workflow_dispatch: {}
@@ -55,12 +58,4 @@ jobs:
   call-update-helm-repo:
     needs:
       - generate-chart-schema
-    uses: grafana/helm-charts/.github/workflows/update-helm-repo.yaml@main
-    with:
-      charts_dir: charts
-      cr_configfile: charts/cr.yaml
-      ct_configfile: charts/ct.yaml
-      helm_tag_prefix: helm
-    secrets:
-      github_app_id: ${{ secrets.K6_OPERATOR_HELM_RELEASE_APP_ID }}
-      github_app_pem: ${{ secrets.K6_OPERATOR_HELM_RELEASE_PEM_KEY }}
+    uses: ./.github/actions/publish-helm-release