Proper helm chart and chart release

.dockerignore

@@ -1,11 +1,12 @@
-Dockerfile
-bin/
-examples/
-README.MD
-LICENCE
-.github/
-.git/
-docs
-tests
-.dockerignore
-.gitignore
+# Deny-by-default. Ship only what the Dockerfile actually reads.
+
+*
+
+# Allow the Go source tree
+!src
+!src/**
+
+# Trim cruft that sneaks into src/
+**/coverage.out
+**/*.test
+**/.DS_Store

.github/workflows/build.yml

@@ -86,17 +86,18 @@ jobs:
 
   docker-build:
     needs: [tests]
-    if: github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'image-push') || github.event_name == 'push'
     runs-on: parity-ubuntu
     environment: ${{ github.event_name == 'workflow_dispatch' && 'main' || null }}
     env:
       REGISTRY_PATH: docker.io/${{ github.event_name == 'workflow_dispatch' && 'paritytech' || 'paritypr' }}/cattery
       VERSION: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.tag_name || (github.event.pull_request.head.sha || github.sha) }}
       EXTRA_TAG: ${{ github.event_name == 'workflow_dispatch' && 'latest' || 'main' }}
+      PUSH: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'image-push') || github.event_name == 'push' }}
     steps:
       - uses: actions/checkout@v4
 
       - name: Docker login
+        if: env.PUSH == 'true'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.REGISTRY_USER }}
@@ -110,6 +111,6 @@ jobs:
           tags: |
             ${{ env.REGISTRY_PATH }}:${{ env.VERSION }}
             ${{ env.REGISTRY_PATH }}:${{ env.EXTRA_TAG }}
-          push: true
+          push: ${{ env.PUSH }}
           build-args: |
             CATTERY_VERSION=${{ env.VERSION }}

.github/workflows/chart-release.yml

@@ -0,0 +1,128 @@
+name: chart-release
+
+on:
+  pull_request:
+    paths:
+      - 'charts/**'
+      - '.github/workflows/chart-release.yml'
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/**'
+      - '.github/workflows/chart-release.yml'
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  CHART_PATH: charts/cattery
+  CHART_NAME: cattery
+  REGISTRY: ghcr.io
+  # Chart lands at: oci://ghcr.io/<owner>/charts/cattery
+  OCI_NAMESPACE: ${{ github.repository_owner }}/charts
+  HELM_VERSION: v3.16.3
+
+jobs:
+  lint:
+    name: lint & template
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: azure/setup-helm@v4
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: helm lint
+        run: helm lint "${CHART_PATH}"
+
+      - name: helm template (defaults)
+        run: helm template smoke "${CHART_PATH}" > /dev/null
+
+      - name: helm template (smoke values)
+        run: helm template smoke "${CHART_PATH}" -f "${CHART_PATH}/ci/smoke-values.yaml" > /dev/null
+
+  check-version:
+    name: check for version bump
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    needs: lint
+    runs-on: ubuntu-latest
+    outputs:
+      bumped: ${{ steps.v.outputs.bumped }}
+      version: ${{ steps.v.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - uses: azure/setup-helm@v4
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: compare Chart.yaml version with previous commit
+        id: v
+        run: |
+          set -euo pipefail
+          CURRENT=$(helm show chart "${CHART_PATH}" | awk '/^version:/ {print $2}')
+          PREVIOUS=$(git show "HEAD^:${CHART_PATH}/Chart.yaml" 2>/dev/null | awk '/^version:/ {print $2}' || true)
+
+          echo "current=${CURRENT}"
+          echo "previous=${PREVIOUS:-<none>}"
+
+          if [ -z "${CURRENT}" ]; then
+            echo "::error::Could not read version from ${CHART_PATH}/Chart.yaml"
+            exit 1
+          fi
+
+          if [ "${CURRENT}" = "${PREVIOUS}" ]; then
+            echo "Chart version unchanged (${CURRENT}); skipping publish."
+            echo "bumped=false" >> "${GITHUB_OUTPUT}"
+          else
+            echo "Chart version bumped: ${PREVIOUS:-<none>} -> ${CURRENT}"
+            echo "bumped=true" >> "${GITHUB_OUTPUT}"
+          fi
+          echo "version=${CURRENT}" >> "${GITHUB_OUTPUT}"
+
+  publish:
+    name: package & push to ghcr.io
+    needs: check-version
+    if: needs.check-version.outputs.bumped == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: azure/setup-helm@v4
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: helm package
+        run: |
+          mkdir -p dist
+          helm package "${CHART_PATH}" --destination dist/
+
+      - name: helm registry login
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | \
+            helm registry login "${REGISTRY}" \
+              --username "${{ github.actor }}" \
+              --password-stdin
+
+      - name: helm push
+        run: |
+          helm push \
+            "dist/${CHART_NAME}-${{ needs.check-version.outputs.version }}.tgz" \
+            "oci://${REGISTRY}/${OCI_NAMESPACE}"
+
+      - name: summary
+        run: |
+          cat <<EOF >> "${GITHUB_STEP_SUMMARY}"
+          Published \`${CHART_NAME}\` chart \`${{ needs.check-version.outputs.version }}\` to:
+
+              oci://${REGISTRY}/${OCI_NAMESPACE}/${CHART_NAME}
+
+          Install with:
+
+              helm install ${CHART_NAME} oci://${REGISTRY}/${OCI_NAMESPACE}/${CHART_NAME} --version ${{ needs.check-version.outputs.version }}
+          EOF

Dockerfile

@@ -1,21 +1,45 @@
-FROM golang:1.25.5-alpine AS builder
+ARG GO_VERSION=1.25.5
+ARG ALPINE_VERSION=3.20
+
+FROM golang:${GO_VERSION}-alpine AS builder
 
 ARG CATTERY_VERSION="0.0.0"
 
-WORKDIR /app
+WORKDIR /src
+
+COPY src/go.mod src/go.sum ./
+RUN go mod download
 
 COPY src/ .
 
-RUN go build -o bin/cattery -ldflags="-X cattery/cmd.Version=$CATTERY_VERSION"
+ENV CGO_ENABLED=0 GOOS=linux
+
+RUN go build \
+      -trimpath \
+      -ldflags="-s -w -X cattery/cmd.Version=${CATTERY_VERSION}" \
+      -o /out/cattery \
+    && /out/cattery --version
 
-FROM alpine:latest
+FROM alpine:${ALPINE_VERSION}
+
+ARG CATTERY_VERSION="0.0.0"
 
-ARG CONFIG_PATH="/etc/cattery/config.yaml"
+LABEL org.opencontainers.image.title="cattery" \
+      org.opencontainers.image.description="Scheduler and lifecycle manager for GitHub Actions self-hosted runners" \
+      org.opencontainers.image.source="https://github.com/paritytech/cattery" \
+      org.opencontainers.image.url="https://github.com/paritytech/cattery" \
+      org.opencontainers.image.licenses="MIT" \
+      org.opencontainers.image.version="${CATTERY_VERSION}"
 
-WORKDIR /cattery
+# ca-certificates: required for outbound HTTPS (api.github.com, googleapis.com)
+# tzdata:         lets users override timezone with TZ env var
+RUN apk add --no-cache ca-certificates tzdata \
+    && addgroup -S -g 65532 cattery \
+    && adduser  -S -u 65532 -G cattery -H -h /nonexistent cattery
 
-COPY --from=builder /app/bin/cattery .
+COPY --from=builder /out/cattery /usr/local/bin/cattery
 
-RUN ./cattery --version
+USER 65532:65532
 
-ENTRYPOINT ["./cattery", "server", "-c", "/etc/cattery/config.yaml"]
+ENTRYPOINT ["/usr/local/bin/cattery"]
+CMD ["server", "-c", "/etc/cattery/config.yaml"]

charts/cattery/.helmignore

@@ -0,0 +1,20 @@
+# Patterns to ignore when building packages.
+.DS_Store
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/
+OWNERS
+ci/

charts/cattery/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: cattery
+description: Scheduler and lifecycle manager for GitHub Actions self-hosted runners
+type: application
+version: 0.2.0
+appVersion: "0.2.0"
+home: https://github.com/paritytech/cattery
+sources:
+  - https://github.com/paritytech/cattery
+keywords:
+  - github-actions
+  - self-hosted-runners
+  - ci
+  - runner-scale-set
+maintainers:
+  - name: paritytech
+    url: https://github.com/paritytech/cattery