formbricks-formbricks/.github/workflows/release-helm-chart.yml

name: Publish Helm Chart

on:
  workflow_call:
    inputs:
      VERSION:
        description: "The version of the Helm chart to release"
        required: true
        type: string

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Validate input version
        env:
          INPUT_VERSION: ${{ inputs.VERSION }}
        run: |
          set -euo pipefail
          # Validate input version format (expects clean semver without 'v' prefix)
          if [[ ! "$INPUT_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$ ]]; then
            echo "❌ Error: Invalid version format. Must be clean semver (e.g., 1.2.3, 1.2.3-alpha)"
            echo "Expected: clean version without 'v' prefix"
            echo "Provided: $INPUT_VERSION"
            exit 1
          fi

          # Store validated version in environment variable
          echo "VERSION<<EOF" >> $GITHUB_ENV
          echo "$INPUT_VERSION" >> $GITHUB_ENV
          echo "EOF" >> $GITHUB_ENV

      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: latest

      - name: Log in to GitHub Container Registry
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_ACTOR: ${{ github.actor }}
        run: printf '%s' "$GITHUB_TOKEN" | helm registry login ghcr.io --username "$GITHUB_ACTOR" --password-stdin

      - name: Install YQ
        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1

      - name: Update Chart.yaml with new version
        env:
          VERSION: ${{ env.VERSION }}
        run: |
          set -euo pipefail

          echo "Updating Chart.yaml with version: ${VERSION}"
          yq -i ".version = \"${VERSION}\"" helm-chart/Chart.yaml
          yq -i ".appVersion = \"${VERSION}\"" helm-chart/Chart.yaml

          echo "✅ Successfully updated Chart.yaml"

      - name: Package Helm chart
        env:
          VERSION: ${{ env.VERSION }}
        run: |
          set -euo pipefail

          echo "Packaging Helm chart version: ${VERSION}"
          helm package ./helm-chart

          echo "✅ Successfully packaged formbricks-${VERSION}.tgz"

      - name: Push Helm chart to GitHub Container Registry
        env:
          VERSION: ${{ env.VERSION }}
        run: |
          set -euo pipefail

          echo "Pushing Helm chart to registry: formbricks-${VERSION}.tgz"
          helm push "formbricks-${VERSION}.tgz" oci://ghcr.io/formbricks/helm-charts

          echo "✅ Successfully pushed Helm chart to registry"