openbao · pree · Sep 12, 2025 · Jul 10, 2025 · Jul 14, 2025 · Jul 14, 2025
@@ -0,0 +1,87 @@
+name: OCM
+on: [workflow_call]
+
+jobs:
+  ocm:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3.5
+        id: helm-install
+
+      - name: Setup yq
+        run: |
+          VERSION="4.47.2"
+          FILE="yq_linux_amd64"
+          wget https://github.com/mikefarah/yq/releases/download/v${VERSION}/${FILE} -O /usr/local/bin/yq
+          chmod a+x /usr/local/bin/yq
+
+      - name: Setup ocm-cli
+        run: |
+          VERSION="0.26.0"
+          ARCHIVE_FILE="ocm-${VERSION}-linux-amd64.tar.gz"
+          URL="https://github.com/open-component-model/ocm/releases/download/v${VERSION}/$ARCHIVE_FILE"
+
+          echo "Installing ocm-cli version v${VERSION} from ${URL}"
+
+          curl -LsS -o ocm-cli.tgz "$URL"
+          tar --overwrite -xvzf ocm-cli.tgz -C /usr/local/bin
+          chmod a+x /usr/local/bin/ocm
+
+      - name: Write .ocmconfig
+        run: |
+          cat <<EOF > $HOME/.ocmconfig
+          type: generic.config.ocm.software/v1
+          configurations:
+            - type: credentials.config.ocm.software
+              consumers:
+                - identity:
+                    type: OCIRegistry
+                    scheme: https
+                    hostname: ghcr.io
+                  credentials:
+                    - type: Credentials
+                      properties:
+                        username: ${{ github.actor }}
+                        password: ${{ secrets.GITHUB_TOKEN }}
+          EOF
+
+      - name: Create Helm Chart archive
+        run: |
+          helm package charts/openbao
+
+      - name: Create OCM component archive
+        run: |
+          OPENBAO_REGISTRY=$(yq '.server.image.registry' ./charts/openbao/values.yaml)
+          OPENBAO_VERSION=$(yq '.appVersion | sub("v", "")' ./charts/openbao/Chart.yaml)
+          CHART_VERSION=$(yq '.version' ./charts/openbao/Chart.yaml)
+          OPENBAO_CSI_VERSION=$(yq '.csi.image.tag' ./charts/openbao/values.yaml)
+          INJECTOR_REGISTRY=$(yq '.injector.image.registry' ./charts/openbao/values.yaml)
+          INJECTOR_REPOSITORY=$(yq '.injector.image.repository' ./charts/openbao/values.yaml)
+          INJECTOR_VERSION=$(yq '.injector.image.tag' ./charts/openbao/values.yaml)
+
+          echo "Building OCM artifact for ${CHART_VERSION}"
+
+          ocm add componentversions --create --templater=go --file=ocm/transport.ctf ocm/component-constructor.yaml -- \
+                            COMPONENT_NAME="openbao.org/openbao" \
+                            PROVIDER="openbao" \
+                            OPENBAO_REGISTRY=${OPENBAO_REGISTRY} \
+                            OPENBAO_VERSION=${OPENBAO_VERSION} \
+                            OPENBAO_CHART_VERSION=${CHART_VERSION} \
+                            OPENBAO_CSI_VERSION=${OPENBAO_CSI_VERSION} \
+                            INJECTOR_REGISTRY=${INJECTOR_REGISTRY} \
+                            INJECTOR_REPOSITORY=${INJECTOR_REPOSITORY} \
+                            INJECTOR_VERSION=${INJECTOR_VERSION}
+
+      - name: Push OCM artifact to OCI
+        run: |
+          OCI_REGISTRY="ghcr.io/openbao"
+          echo "Pushing to ${OCI_REGISTRY} as user '${{ github.actor }}'"
+          ocm transfer ctf ./ocm/transport.ctf OCIRegistry::${OCI_REGISTRY}
@@ -55,3 +55,10 @@ jobs:
 
             helm push "${pkg}" "oci://${chart_registry}"
           done
+
+  ocm:
+    needs:
+      - release
+    name: Release OCM Artifact
+    uses: ./.github/workflows/job-ocm.yaml
+    secrets: inherit
@@ -0,0 +1,61 @@
+# specify a schema to validate the configuration and get auto-completion in your editor
+# yaml-language-server: $schema=https://ocm.software/schemas/configuration-schema.yaml
+components:
+  - name: "{{ .COMPONENT_NAME }}"
+    version: "{{ .OPENBAO_CHART_VERSION }}"
+    provider:
+      name: "{{ .PROVIDER }}"
+    resources:
+      # Helm chart in OCI registry
+      - name: openbao-helm-chart-external-oci
+        type: helmChart
+        version: "{{ .OPENBAO_CHART_VERSION }}"
+        relation: local
+        access:
+          type: ociArtifact
+          imageReference: "ghcr.io/openbao/charts/openbao:{{ .OPENBAO_CHART_VERSION }}"
+
+      # Image referenced in the Helm chart
+      - name: openbao-image
+        type: ociImage
+        version: "{{ .OPENBAO_VERSION }}"
+        relation: local
+        access:
+          type: ociArtifact
+          imageReference: "{{ .OPENBAO_REGISTRY }}/openbao/openbao:{{ .OPENBAO_VERSION }}"
+
+      # UBI Image referenced in the Helm chart
+      - name: openbao-ubi-image
+        type: ociImage
+        version: "{{ .OPENBAO_VERSION }}"
+        relation: local
+        access:
+          type: ociArtifact
+          imageReference: "{{ .OPENBAO_REGISTRY }}/openbao/openbao-ubi:{{ .OPENBAO_VERSION }}"
+
+      # HSM Image referenced in the Helm chart
+      - name: openbao-hsm-ubi-image
+        type: ociImage
+        version: "{{ .OPENBAO_VERSION }}"
+        relation: local
+        access:
+          type: ociArtifact
+          imageReference: "{{ .OPENBAO_REGISTRY }}/openbao/openbao-hsm-ubi:{{ .OPENBAO_VERSION }}"
+
+      # CSI Image referenced in the Helm chart
+      - name: openbao-csi-provider
+        type: ociImage
+        version: "{{ .OPENBAO_CSI_VERSION }}"
+        relation: local
+        access:
+          type: ociArtifact
+          imageReference: "{{ .OPENBAO_REGISTRY }}/openbao/openbao-csi-provider:{{ .OPENBAO_CSI_VERSION }}"
+
+      # Injector Image referenced in the Helm chart
+      - name: openbao-agent-injector
+        type: ociImage
+        version: "{{ .INJECTOR_VERSION }}"
+        relation: external
+        access:
+          type: ociArtifact
+          imageReference: "{{ .INJECTOR_REGISTRY }}/{{ .INJECTOR_REPOSITORY }}:{{ .INJECTOR_VERSION }}"