Sign helm chart artifact in ghcr.io (#4098)

* Install cosign for signing helm charts Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Fix helm push failing when GITHUB_REPOSITORY_OWNER contains Uppercase alphabets Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Sign helm chart in oci registry using cosign Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Add permissions required for cosign signing and provenance attestations Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Log helm push output Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Attest build provenance for helm artifact Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Format: break code block Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Reformat: Remove temp variable Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Verify signed helm chart after signing it Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> * Remove unnecessary helm action changes for external-secrets repository Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> --------- Signed-off-by: Aruuunn <arunmurugan.official@gmail.com> Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
2024-12-14 11:57:59 +00:00 · 2024-11-18 12:23:38 +05:30 · 2024-11-18 12:23:38 +05:30 · b5cdec5687
commit b5cdec5687
parent 27c5f1f1f2
1 changed files with 33 additions and 2 deletions
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@ -71,6 +71,8 @@ jobs:
    permissions:
      contents: write  # for helm/chart-releaser-action to push chart release and create a release
      packages: write  # to push OCI chart package to GitHub Registry
+      id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
+      attestations: write # this permission is necessary to persist the attestation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@ -125,12 +127,41 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
      - name: Push chart to GHCR
+        id: push_chart
        run: |
          shopt -s nullglob
          for pkg in .cr-release-packages/*.tgz; do
            if [ -z "${pkg:-}" ]; then
              break
            fi
-            helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
-          done
+            chart_name=$(helm show chart "${pkg}" | yq .name)
+            # helm push fails when registry path contains Uppercase letters
+            chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            
+            helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
+            digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
+            echo "$helm_push_output"
+            
+            artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
+            cosign sign --yes "$artifact_digest_uri"
+            cosign verify "$artifact_digest_uri" \
+                --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
+                --certificate-oidc-issuer https://token.actions.githubusercontent.com
+
+            echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+            echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
+            echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
+          done
+
+      - name: Generate provenance attestation and push to OCI registry
+        uses: actions/attest-build-provenance@v1.4.4
+        with:
+          push-to-registry: true
+          subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
+          subject-digest: ${{ steps.push_chart.outputs.digest }}