Add: input value gpg-secret-key-password (#704)

* Add: input value gpg-secret-key-password

* Change: update Readme.md for gpg-secret-key-password input value

* Fix: typo

* Change: Put the description in quotation marks

* Apply suggestions from code review

---------

Co-authored-by: Jaspar S <jaspar.stach@greenbone.net>

helm-build-push/README.md

@@ -21,16 +21,17 @@ jobs:
 
 ## Action Configuration
 
-|Input Variable|Description| |
-|--------------|-----------|-|
-| charts-path | Path to charts base folder | Optional(default ./charts) |
-| chart-name | Chart to build and push | Required |
-| registry | registry to push | Optional(default ghcr.io) |
-| registry-subpath| Registry subpath to place the helm chart in | Optional |
-| registry-user | Registry login user | Required |
-| registry-token | Registry login password/token | Required |
-| gpg-secret-key | Base64 encoded gpg secret key for chart sign | Optional |
-| gpg-secret-name | Gpg secret key name from gpg secret key | Optional |
+| Input Variable          | Description                                                                     |          |
+|-------------------------|---------------------------------------------------------------------------------|----------|
+| charts-path             | Path to charts base folder. Default: ./charts                                   | Optional |
+| chart-name              | Chart to build and push.                                                        | Required |
+| registry                | registry name. Default: ghcr.io                                                 | Optional |
+| registry-subpath        | Registry subpath to push the helm chart to.                                     | Optional |
+| registry-user           | Registry login user.                                                            | Required |
+| registry-token          | Registry login password/token.                                                  | Required |
+| gpg-secret-name         | Gpg secret key name from gpg secret key. Needed to use gpg sign.                | Optional |
+| gpg-secret-key          | Base64 encoded gpg secret key for chart sign. Needed if gpg-secret-name is set. | Optional |
+| gpg-secret-key-password | The password for the gpg secret key. Needed if gpg-secret-name is set.          | Optional |
 
 ## Action Output
 

helm-build-push/action.yaml

@@ -2,35 +2,38 @@ name: Helm build and push chart
 description: Push helm chart to OCI-based registries
 inputs:
   charts-path:
-    description: Path to charts base folder
+    description: "Path to charts base folder. Default: ./charts"
     default: ./charts
   chart-name:
-    description: "Chart to build and push"
+    description: "Chart to build and push."
     required: true
   registry:
-    description: Registry
+    description: "Registry name. Default: ghcr.io"
     default: "ghcr.io"
   registry-subpath:
-    description: Registry subpath to place the helm chart in
+    description: "Registry subpath to push the helm chart to."
   registry-user:
-    description: Registry login user
+    description: "Registry login user."
     required: true
   registry-token:
-    description: Registry login password/token
+    description: "Registry login password/token."
     required: true
+  gpg-secret-name:
+    description: "Gpg secret key name from gpg secret key. Needed to use gpg sign."
+    required: false
   gpg-secret-key:
-    description: Base64 encoded gpg secret key for chart sign
+    description: "Base64 encoded gpg secret key for chart sign. Required if gpg-secret-name is set."
     required: false
-  gpg-secret-name:
-    description: Gpg secret key name from gpg secret key
+  gpg-secret-key-password:
+    description: "The password for the gpg secret key. Required if gpg-secret-name is set."
     required: false
 
 outputs:
   tag:
-    description: Helm chart url's with tag.
+    description: "Helm chart url's with tag."
     value: ${{ steps.push.outputs.tag }}
   digest:
-    description: The helm chart digest.
+    description: "The helm chart digest."
     value: ${{ steps.push.outputs.digest }}
 
 branding:
@@ -52,33 +55,40 @@ runs:
       shell: bash
       run: |
         echo "${{ inputs.gpg-secret-key }}" | base64 -d > /tmp/secret-key.gpg
+        echo "${{ inputs.gpg-secret-key-password }}" > /tmp/secret-key-password
         chmod 0600 /tmp/secret-key.gpg
+        chmod 0600 /tmp/secret-key-password
+    - name: Update chart dependencies
+      shell: bash
+      run: |
+        helm dependency update "${{ inputs.charts-path }}/${{ inputs.chart-name }}"
     - name: Build and signing
       id: build
       shell: bash
       run: |
         chart="${{ inputs.charts-path }}/${{ inputs.chart-name }}"
-        # Load helm chart dependency's
-        helm dependency update "$chart"
         # Build helm chart
+        # The stderr into stdout redirection
+        # is needed to get the chart file name
         if [ "${{ inputs.gpg-secret-name }}" ]; then
           echo "Sign used"
           output="$(helm package \
             --sign \
-            --key "${{ inputs.gpg-secret-name }}" \
+            --key '${{ inputs.gpg-secret-name }}' \
             --keyring /tmp/secret-key.gpg \
+            --passphrase-file /tmp/secret-key-password \
             "$chart" \
             2>&1)"
         else
           echo "No sign used"
           output="$(helm package "$chart" 2>&1)"
         fi
+        echo "$output"
         # Get helm chart tgz file name
         chart_file="${output##*/}"
         # Check if output is correct
         if ! [ -f "$chart_file" ]; then
-          echo "$output"
-          echo "Chart filename: $chart_file"
+          echo "Chart filename: $chart_file not found."
           exit 1
         fi
         # Echo outputs
@@ -112,3 +122,4 @@ runs:
         rm -f "${{ steps.build.outputs.chart-file }}"
         rm -f "${{ steps.build.outputs.chart-file }}.prov"
         rm -f /tmp/secret-key.gpg
+        rm -f /tmp/secret-key-password