harmony/.gitea/workflows/harmony-fleet-operator.yaml

name: harmony-fleet-operator — release
# A `harmony-fleet-operator-v*` tag builds + publishes the operator image
# and helm chart (one tag → both at the same version). Deploying the
# published chart is `harmony apply`
# (harmony-fleet-deploy --operator-chart-version), run manually today; a
# CD job lands once the cluster KUBECONFIG + NATS secrets are provisioned.
# Tag parsing lives in Rust (harmony-fleet-release), not in YAML.
on:
  push:
    tags:
      - 'harmony-fleet-operator-v*'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Release tag, e.g. harmony-fleet-operator-v0.1.0'
        required: true
        type: string

jobs:
  release:
    container:
      image: hub.nationtech.io/harmony/harmony_composer:latest
    runs-on: dind
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Log in to hub.nationtech.io (docker)
        uses: docker/login-action@v3
        with:
          registry: hub.nationtech.io
          username: ${{ secrets.HUB_BOT_USER }}
          password: ${{ secrets.HUB_BOT_PASSWORD }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # TODO: bake helm into harmony_composer so this step disappears.
      - name: Install helm
        run: curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

      - name: Log in to hub.nationtech.io (helm OCI)
        run: |
          echo "${{ secrets.HUB_BOT_PASSWORD }}" \
            | helm registry login hub.nationtech.io \
                --username "${{ secrets.HUB_BOT_USER }}" --password-stdin

      - name: Build + push image and chart
        env:
          TAG: ${{ inputs.tag || github.ref_name }}
        run: cargo run --release -p harmony-fleet-deploy --bin harmony-fleet-release -- --from-tag "$TAG"