refactor push-helm-artifacts
We need to improve what the push-helm-artifacts CI job does.
It is implemented in sylva-core/tools/oci/push-helm-charts-artifacts.py.
It currently plays multiple roles:
- (A) ensure that an OCI artifact exists for all the charts used by sylva-units for the current MR
  - this allows an MR that adds a chart, or that changes the version of a chart, to have the needed OCI artifact ready for use in its deployment pipelines
- (B) for every chart used by sylva-units for which we already have an OCI artifact, ensure that the OCI artifact does not differ from the upstream chart
  - this allows us to catch upstream pinning violations: the case where the content of version X of an upstream chart changes
  - in such cases we have to decide whether or not we want to use the new content
- (C) sign or re-sign our OCI artifacts
  - note that we don't want to do this automatically without also doing (B), otherwise we would sign artifacts that may no longer match the upstream chart
  - this action cannot be done in MR pipelines: only pipelines running on GitLab Protected Branches (`main` or `release-*` branches) have access to the cosign private key
Today, all three of these are done in every CI pipeline, i.e. on all MRs, all tags and all nightly pipelines. This is quite costly (3 minutes per run) and is in fact one of the major consumers of our CI compute credits.
The proposal (details to be discussed) would be to split this:
- on MR pipelines, only do (A)
- do (C) only on merge pipelines that merge to a protected branch
  - also on tag pipelines
- do (B) in nightly pipelines
  - (but maybe not in all pipelines?)
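One way to express this split with GitLab CI `rules`, as an added sketch and not the current sylva-core job definition. It assumes the script grows a hypothetical `--mode` flag taking `ensure` (A), `verify` (B) or `sign` (C), that `sign` runs (B) before signing, and that the `push-helm-artifacts` job keeps its current script path.

```yaml
# Added example, not the existing sylva-core job. Assumes a hypothetical
# --mode flag on push-helm-charts-artifacts.py with values ensure/verify/sign.
push-helm-artifacts:
  stage: publish          # assumption: stage name
  script:
    - python3 tools/oci/push-helm-charts-artifacts.py --mode "$PUSH_HELM_MODE"
  rules:
    # (A) MR pipelines: only make sure the artifacts this MR needs exist.
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      variables:
        PUSH_HELM_MODE: ensure
    # (B) nightly (scheduled) pipelines: compare every existing artifact
    #     against the upstream chart to catch pinning violations.
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      variables:
        PUSH_HELM_MODE: verify
    # (C) tag pipelines and post-merge pipelines on protected branches
    #     (main, release-*): the only contexts that see the cosign key.
    #     "sign" is assumed to run (B) first so unverified content is never signed.
    - if: '$CI_COMMIT_TAG'
      variables:
        PUSH_HELM_MODE: sign
    - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_REF_PROTECTED == "true"'
      variables:
        PUSH_HELM_MODE: sign
    # Any other pipeline source: do not add the job at all.
    - when: never
```

The CI/CD variable holding the cosign private key should itself be flagged "Protected" in the GitLab project settings, so that even a misconfigured rule on an unprotected ref cannot expose it.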