Add workflow_dispatch to Helm chart release action

.github/workflows/helm.yml

@@ -1,21 +1,61 @@
 name: Build and Release Helm Chart
 on:
+  # Trigger workflow when a tag is pushed (executed when tags are created with a PAT / non-default GitHub token)
   push:
     tags:
       - '[0-9]+.[0-9]+.[0-9]+'     # 1.2.3 (exact match) - release candidates are excluded
+
+    # Add workflow dispatch for manual triggering
+  workflow_dispatch:
+    inputs:
+     tag:
+       description: 'Tag to build and release (e.g., 2.3.0)'
+       required: true
+       type: string
+     dry_run:
+        description: 'Dry run (skip actual release steps)'
+        required: false
+        type: boolean
+        default: false
 
 jobs:
   helm:
     runs-on: ubuntu-latest
     steps:
+      - name: Determine tag reference
+        id: tag_ref
+        run: |
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            TAG_NAME="${{ github.event.inputs.tag }}"
+            echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT
+            echo "checkout_ref=${TAG_NAME}" >> $GITHUB_OUTPUT
+            echo "triggered_by=manual" >> $GITHUB_OUTPUT
+          else
+            # Extract tag from push event
+            TAG_NAME=${GITHUB_REF#refs/tags/}
+            echo "tag_name=${TAG_NAME}" >> $GITHUB_OUTPUT
+            echo "checkout_ref=${GITHUB_REF}" >> $GITHUB_OUTPUT
+            echo "triggered_by=automatic" >> $GITHUB_OUTPUT
+          fi
+
+          echo "Building release for tag: ${TAG_NAME}"
+
       - name: Set IMAGE_NAME
         run: |
           echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
 
       # Checkout code
-      # https://github.com/actions/checkout
-      - name: Checkout code
-        uses: actions/checkout@v4.1.0
+      - name: Checkout code at tag
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.tag_ref.outputs.checkout_ref }}
+          fetch-depth: 0  # Fetch full history for better context
+
+      - name: Verify checkout
+        run: |
+          echo "Current commit: $(git rev-parse HEAD)"
+          echo "Current tag: $(git describe --tags --exact-match 2>/dev/null || echo 'No exact tag match')"
+          echo "Triggered by: ${{ steps.tag_ref.outputs.triggered_by }}"
 
       # Extract metadata (tags, labels) to use in Helm chart
       # https://github.com/docker/metadata-action
@@ -28,7 +68,7 @@ jobs:
       # Set version from DOCKER_METADATA_OUTPUT_VERSION as environment variable
       - name: Set Version
         run: |
-          echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV # Eventually will build this into Keyfactor bootstrap
+          echo "VERSION=${{ steps.tag_ref.outputs.tag_name }}" >> $GITHUB_ENV # Eventually will build this into Keyfactor bootstrap
 
       # Change version and appVersion in Chart.yaml to the tag in the closed PR
       - name: Update Helm App/Chart Version
@@ -50,9 +90,20 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
+      - name: Dry Run - Show what would be built
+        if: ${{ github.event.inputs.dry_run == 'true' }}
+        run: |
+          echo "DRY RUN MODE - Would build:"
+          echo "  Tag: ${{ steps.tag_ref.outputs.tag_name }}"
+          echo "  Image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          echo "  Version: ${{ env.VERSION }}"
+          echo "  Commit: $(git rev-parse HEAD)"
+          cat deploy/charts/command-cert-manager-issuer/Chart.yaml
+
       # Build and release Helm chart to GitHub Pages
       # https://github.com/helm/chart-releaser-action
       - name: Run chart-releaser
+        if: ${{ github.event.inputs.dry_run != 'true' }}
         uses: helm/chart-releaser-action@v1.5.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/keyfactor-bootstrap-workflow.yml

@@ -46,11 +46,10 @@ jobs:
         run: go test -v ./...
 
   call-starter-workflow:
-    uses: keyfactor/actions/.github/workflows/starter.yml@3.2.0
+    uses: keyfactor/actions/.github/workflows/starter.yml@v4
     needs: test
     secrets:
       token: ${{ secrets.V2BUILDTOKEN}}
-      APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}}
       gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }}
       gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }}
       scan_token: ${{ secrets.SAST_TOKEN }}

CHANGELOG.md

@@ -1,3 +1,7 @@
+# v2.3.1
+## Fixes
+- Add a manual dispatch of Helm chart release.
+
 # v2.3.0
 ## Features
 - Added support for `OwnerRoleName` and `OwnerRoleId` to Issuer specification, which will specify the owner of the enrolling certificate.