chore: support multi version in the release workflow

Signed-off-by: Ahmed AbouZaid <[email protected]>

.github/workflows/chart-release.yaml

@@ -57,20 +57,22 @@ jobs:
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
+      - name: Install Chart Releaser
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        with:
+          install_only: true
+        env:
+          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          CR_SKIP_EXISTING: 'true'
       - name: Add Helm repos
         run: |
           make helm.repos-add
       - name: Update Helm dependency
         run: |
-          export chartPath="charts/camunda-platform*"
-          make helm.dependency-update
+          chartPath="$(ct list-changed | tr '\n' ' ')" \
+            make helm.dependency-update
       - name: cosign-installer
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
-      - name: Set Helm chart version var
-        run: |
-          CHART_NAME="$(yq '.name' charts/camunda-platform-latest/Chart.yaml)"
-          CHART_VERSION="$(yq '.version' charts/camunda-platform-latest/Chart.yaml)"
-          echo "CHART_NAME_WITH_VERSION=${CHART_NAME}-${CHART_VERSION}" | tee -a $GITHUB_ENV
       # TODO: Move this step to pre-release workflow when we have it.
       - name: Generate release note footer
         run: |
@@ -79,28 +81,76 @@ jobs:
         run: |
           # Clean up badges from readme to avoid showing them in Artifact Hub.
           sed -ri '/Badge .+/d' charts/camunda-platform-latest/README.md
-      - name: Run Chart Releaser
+          mkdir release-packages
+
+      #
+      # We run Chart Releaser twice as a workaround because it's not possible to control the release order.
+      # CR by default will release "camunda-platform-10.x.x" first then "camunda-platform-8.x.x",
+      # however, we want the latest version to show as the latest release in GitHub releases.
+      #
+
+      # Release previous versions.
+      - name: Pre-Release - Previous versions
+        run: |
+          rm -rf charts/camunda-platform-latest
+      - name: Run Chart Releaser - Previous versions
+        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        with:
+          config: .github/config/chart-releaser.yaml
+        env:
+          CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+          CR_SKIP_EXISTING: 'true'
+      - name: Post-Release - Previous versions
+        run: |
+          mv .cr-release-packages/* release-packages/
+          git checkout :/
+
+      # Release the latest version.
+      - name: Pre-Release - Latest version
+        run: |
+          rm -rf charts/camunda-platform-8*
+      - name: Run Chart Releaser - Latest version
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
         with:
           config: .github/config/chart-releaser.yaml
         env:
           CR_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
           CR_SKIP_EXISTING: 'true'
+      - name: Post-Release - Latest version
+        run: |
+          mv .cr-release-packages/* release-packages/
+          git checkout :/
+
+      # Sign and upload the signature of the chart package.
+      - name: Set Helm chart vars
+        run: |
+          CHART_PACKAGES="$(find release-packages -maxdepth 1 -name "camunda-platform*.tgz" \
+            -exec basename {} \; | xargs)"
+          echo "CHART_PACKAGES=${CHART_PACKAGES}" | tee -a $GITHUB_ENV
       - name: Sign Helm chart with Cosign
         run: |
-          cosign sign-blob -y .cr-release-packages/${CHART_NAME_WITH_VERSION}.tgz \
-            --bundle ${CHART_NAME_WITH_VERSION}.cosign.bundle
+          for chart_package in ${CHART_PACKAGES}; do
+            echo "Package: ${chart_package}"
+            cosign sign-blob -y release-packages/${chart_package} \
+              --bundle "${chart_package%.*}.cosign.bundle"
+          done
       - name: Verify signed Helm chart with Cosign
         run: |
-          cosign verify-blob .cr-release-packages/${CHART_NAME_WITH_VERSION}.tgz \
-            --bundle ./${CHART_NAME_WITH_VERSION}.cosign.bundle \
-            --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+          for chart_package in ${CHART_PACKAGES}; do
+            echo "Package: ${chart_package}"
+            cosign verify-blob release-packages/${chart_package} \
+              --bundle "${chart_package%.*}.cosign.bundle" \
+              --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+          done
       - name: Upload Helm chart signature bundle
         run: |
-          gh release upload "${CHART_NAME_WITH_VERSION}" \
-            ./${CHART_NAME_WITH_VERSION}.cosign.bundle \
-            --repo "${GITHUB_REPOSITORY}"
+          for chart_package in ${CHART_PACKAGES}; do
+            echo "Package: ${chart_package}"
+            gh release upload "${chart_package%.*}" \
+              "${chart_package%.*}.cosign.bundle" \
+              --repo "${GITHUB_REPOSITORY}"
+          done
         env:
           GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
 
@@ -113,7 +163,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
         with:
-          # The verify step happens in the "release" branch before merging to the "main" branch.
+          # The verification step happens in the "release" branch before merging into the "main" branch.
           ref: release
           fetch-depth: 0
       - name: Install env dependencies