Develop

.github/workflows/build.yml

@@ -92,6 +92,18 @@ on:
         description: 'Whether to detect new environment variables for Helm'
         type: boolean
         default: true
+      helm_dispatch_on_rc:
+        description: 'Enable Helm dispatch for release-candidate (rc) tags'
+        type: boolean
+        default: false
+      helm_dispatch_on_beta:
+        description: 'Enable Helm dispatch for beta tags'
+        type: boolean
+        default: false
+      helm_values_key_mappings:
+        description: 'JSON mapping of component names to values.yaml keys. If not mapped, uses component name as fallback. Example: {"my-app": "api", "my-app-worker": "worker"}'
+        type: string
+        default: ''
 
 permissions:
   contents: read
@@ -286,14 +298,21 @@ jobs:
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 
   # Dispatch to Helm repository for chart updates
+  # By default only runs on production releases (non-beta, non-rc tags)
+  # Can be enabled for rc/beta via helm_dispatch_on_rc and helm_dispatch_on_beta inputs
   dispatch-helm:
     name: Dispatch Helm Update
     needs: [prepare, build]
     if: |
       inputs.enable_helm_dispatch &&
       needs.prepare.outputs.has_builds == 'true' &&
       needs.build.result == 'success' &&
-      inputs.helm_chart != ''
+      inputs.helm_chart != '' &&
+      (
+        needs.prepare.outputs.is_release == 'true' ||
+        (contains(github.ref, '-rc') && inputs.helm_dispatch_on_rc) ||
+        (contains(github.ref, '-beta') && inputs.helm_dispatch_on_beta)
+      )
     uses: ./.github/workflows/dispatch-helm.yml
     with:
       helm_repository: ${{ inputs.helm_repository }}
@@ -304,6 +323,7 @@ jobs:
       components_base_path: ${{ inputs.helm_components_base_path }}
       env_file: ${{ inputs.helm_env_file }}
       detect_env_changes: ${{ inputs.helm_detect_env_changes }}
+      values_key_mappings: ${{ inputs.helm_values_key_mappings }}
       runner_type: ${{ inputs.runner_type }}
     secrets:
       helm_repo_token: ${{ secrets.HELM_REPO_TOKEN }}

.github/workflows/dispatch-helm.yml

@@ -81,6 +81,10 @@ on:
         description: 'Whether to detect new environment variables'
         type: boolean
         default: true
+      values_key_mappings:
+        description: 'JSON mapping of component names to values.yaml keys. If not mapped, uses component name as fallback.'
+        type: string
+        default: ''
       runner_type:
         description: 'GitHub runner type to use'
         type: string
@@ -106,6 +110,7 @@ jobs:
           BASE_PATH="${{ inputs.components_base_path }}"
           ENV_FILE="${{ inputs.env_file }}"
           DETECT_ENV="${{ inputs.detect_env_changes }}"
+          VALUES_KEY_MAPPINGS='${{ inputs.values_key_mappings }}'
 
           # Determine BEFORE_SHA for comparison
           # For tags, github.event.before is 0000..., so we need to find the previous tag
@@ -185,6 +190,20 @@ jobs:
 
             echo "Processing component: $COMP_NAME (path: $COMP_PATH)"
 
+            # Determine values_key (from mapping or fallback to component name)
+            VALUES_KEY="$COMP_NAME"
+            if [ -n "$VALUES_KEY_MAPPINGS" ] && [ "$VALUES_KEY_MAPPINGS" != "" ]; then
+              MAPPED_KEY=$(echo "$VALUES_KEY_MAPPINGS" | jq -r --arg name "$COMP_NAME" '.[$name] // empty')
+              if [ -n "$MAPPED_KEY" ]; then
+                VALUES_KEY="$MAPPED_KEY"
+                echo "  Values key (mapped): $VALUES_KEY"
+              else
+                echo "  Values key (fallback): $VALUES_KEY"
+              fi
+            else
+              echo "  Values key: $VALUES_KEY"
+            fi
+
             # Use component version or input version
             VERSION="$COMP_VERSION"
             echo "  Version: $VERSION"
@@ -234,7 +253,7 @@ jobs:
             fi
 
             # Build component object
-            COMP_OBJ="{\"name\":\"${COMP_NAME}\",\"version\":\"${VERSION}\",\"env_vars\":${ENV_VARS_JSON}}"
+            COMP_OBJ="{\"name\":\"${COMP_NAME}\",\"values_key\":\"${VALUES_KEY}\",\"version\":\"${VERSION}\",\"env_vars\":${ENV_VARS_JSON}}"
 
             if [ "$FIRST" = "true" ]; then
               PROCESSED_COMPONENTS="${PROCESSED_COMPONENTS}${COMP_OBJ}"

.github/workflows/gitops-update.yml

@@ -380,12 +380,22 @@ jobs:
           echo "--- Changes in $FILE ($ENV_NAME) ---"
           git diff -- "$FILE" || true
 
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.LERIAN_CI_CD_USER_GPG_KEY }}
+          passphrase: ${{ secrets.LERIAN_CI_CD_USER_GPG_KEY_PASSWORD }}
+          git_committer_name: ${{ secrets.LERIAN_CI_CD_USER_NAME }}
+          git_committer_email: ${{ secrets.LERIAN_CI_CD_USER_EMAIL }}
+          git_config_global: true
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          workdir: gitops
+
       - name: Commit & push (GitOps)
         run: |
           set -e
           cd gitops
-          git config user.name "${{ secrets.LERIAN_CI_CD_USER_NAME }}"
-          git config user.email "${{ secrets.LERIAN_CI_CD_USER_EMAIL }}"
           # Detect environment for commit message
           if [[ "${{ env.IS_RC }}" == "true" ]]; then
             ENV_LABEL="rc/stg"

.github/workflows/helm-update-chart.yml

@@ -239,8 +239,11 @@ jobs:
           CHART_TEMPLATE_NAME=$(yq '.name' "${CHART_FILE}")
 
           # Function to create secret template if it doesn't exist
+          # $1 = comp_name (for directory/file path)
+          # $2 = values_key (for .Values references)
           create_secret_template() {
             local comp_name="$1"
+            local values_key="${2:-$1}"  # fallback to comp_name if not provided
             local secret_file="${TEMPLATES_BASE}/${comp_name}/secret.yaml"
 
             if [ ! -f "$secret_file" ]; then
@@ -257,8 +260,8 @@ jobs:
                 "type: Opaque" \
                 "data:" \
                 "  # Extra Secret Vars" \
-                "  {{- if .Values.${comp_name}.extraSecretVars }}" \
-                "  {{- toYaml .Values.${comp_name}.extraSecretVars | nindent 2 }}" \
+                "  {{- if .Values.${values_key}.extraSecretVars }}" \
+                "  {{- toYaml .Values.${values_key}.extraSecretVars | nindent 2 }}" \
                 "  {{- end }}" > "$secret_file"
             fi
           }
@@ -270,15 +273,18 @@ jobs:
             COMP_NAME=$(echo "$row" | jq -r '.name')
             COMP_VERSION=$(echo "$row" | jq -r '.version')
             COMP_ENV_VARS=$(echo "$row" | jq -c '.env_vars // {}')
+            # Use values_key if provided, otherwise fallback to name
+            VALUES_KEY=$(echo "$row" | jq -r '.values_key // .name')
 
             echo ""
             echo "=== Processing: $COMP_NAME ==="
             echo "  Version: $COMP_VERSION"
+            echo "  Values Key: $VALUES_KEY"
             echo "  Env Vars: $COMP_ENV_VARS"
 
             # Update image tag in values.yaml
-            echo "  Updating ${COMP_NAME}.image.tag to ${COMP_VERSION}"
-            yq -i ".${COMP_NAME}.image.tag = \"${COMP_VERSION}\"" "${VALUES_FILE}"
+            echo "  Updating ${VALUES_KEY}.image.tag to ${COMP_VERSION}"
+            yq -i ".${VALUES_KEY}.image.tag = \"${COMP_VERSION}\"" "${VALUES_FILE}"
 
             # Track highest version for appVersion (using sort -V for version comparison)
             if [ -z "$HIGHEST_VERSION" ]; then
@@ -289,6 +295,8 @@ jobs:
 
             # Add new environment variables if any
             if [ "$COMP_ENV_VARS" != "{}" ] && [ "$COMP_ENV_VARS" != "null" ]; then
+              # Template paths use COMP_NAME (directory structure)
+              # Values references use VALUES_KEY (values.yaml structure)
               CONFIGMAP_FILE="${TEMPLATES_BASE}/${COMP_NAME}/configmap.yaml"
               SECRET_FILE="${TEMPLATES_BASE}/${COMP_NAME}/secret.yaml"
 
@@ -301,19 +309,19 @@ jobs:
                   if is_sensitive_var "$key"; then
                     echo "  Adding SECRET var: ${key}=***"
 
-                    # Create secret template if needed
-                    create_secret_template "$COMP_NAME"
+                    # Create secret template if needed (uses COMP_NAME for path, VALUES_KEY for .Values)
+                    create_secret_template "$COMP_NAME" "$VALUES_KEY"
 
                     # Add to secret template (using 2 spaces indentation for data section)
                     if [ -f "${SECRET_FILE}" ] && grep -q "# Extra Secret Vars" "${SECRET_FILE}"; then
-                      sed -i "/# Extra Secret Vars/i\\  ${key}: {{ .Values.${COMP_NAME}.secrets.${key} | default \"${escaped_value}\" | b64enc | quote }}" "${SECRET_FILE}"
+                      sed -i "/# Extra Secret Vars/i\\  ${key}: {{ .Values.${VALUES_KEY}.secrets.${key} | default \"${escaped_value}\" | b64enc | quote }}" "${SECRET_FILE}"
                     fi
                   else
                     echo "  Adding configmap var: ${key}=${value}"
 
                     # Add to configmap template if it exists (using 2 spaces indentation)
                     if [ -f "${CONFIGMAP_FILE}" ] && grep -q "# Extra Env Vars" "${CONFIGMAP_FILE}"; then
-                      sed -i "/# Extra Env Vars/i\\  ${key}: {{ .Values.${COMP_NAME}.configmap.${key} | default \"${escaped_value}\" | quote }}" "${CONFIGMAP_FILE}"
+                      sed -i "/# Extra Env Vars/i\\  ${key}: {{ .Values.${VALUES_KEY}.configmap.${key} | default \"${escaped_value}\" | quote }}" "${CONFIGMAP_FILE}"
                     fi
                   fi
                 fi