name: Publish Helm Chart

on:
  workflow_call:
    inputs:
      VERSION:
        description: "The version of the Helm chart to release"
        required: true
        type: string

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Extract release version
        run: echo "VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV

      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: latest

      - name: Log in to GitHub Container Registry
        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin

      - name: Install YQ
        uses: dcarbone/install-yq-action@4075b4dca348d74bd83f2bf82d30f25d7c54539b # v1.3.1

      - name: Update Chart.yaml with new version
        run: |
          yq -i ".version = \"${{ inputs.VERSION }}\"" helm-chart/Chart.yaml
          yq -i ".appVersion = \"v${{ inputs.VERSION }}\"" helm-chart/Chart.yaml

      - name: Package Helm chart
        run: |
          helm package ./helm-chart

      - name: Push Helm chart to GitHub Container Registry
        run: |
          helm push formbricks-${{ inputs.VERSION }}.tgz oci://ghcr.io/formbricks/helm-charts