Sign helm chart artifact in ghcr.io (#4098)

* Install cosign for signing helm charts

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Fix helm push failing when GITHUB_REPOSITORY_OWNER contains Uppercase alphabets

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Sign helm chart in oci registry using cosign

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Add permissions required for cosign signing and provenance attestations

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Log helm push output

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Attest build provenance for helm artifact

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Format: break code block

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Reformat: Remove temp variable

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Verify signed helm chart after signing it

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

* Remove unnecessary helm action changes for external-secrets repository

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>

---------

Signed-off-by: Aruuunn <arunmurugan.official@gmail.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

.github/workflows/helm.yml

@@ -71,6 +71,8 @@ jobs:
     permissions:
       contents: write  # for helm/chart-releaser-action to push chart release and create a release
       packages: write  # to push OCI chart package to GitHub Registry
+      id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
+      attestations: write # this permission is necessary to persist the attestation
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -125,12 +127,41 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.7.0
+        with:
+          cosign-release: 'v2.4.1'
+
       - name: Push chart to GHCR
+        id: push_chart
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*.tgz; do
             if [ -z "${pkg:-}" ]; then
               break
             fi
-            helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            chart_name=$(helm show chart "${pkg}" | yq .name)
-          done
+            # helm push fails when registry path contains Uppercase letters
+            chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            
+            helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
+            digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
+            echo "$helm_push_output"
+            
+            artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
+            cosign sign --yes "$artifact_digest_uri"
+            cosign verify "$artifact_digest_uri" \
+                --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
+                --certificate-oidc-issuer https://token.actions.githubusercontent.com
+
+            echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+            echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
+            echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
+          done
+
+      - name: Generate provenance attestation and push to OCI registry
+        uses: actions/attest-build-provenance@v1.4.4
+        with:
+          push-to-registry: true
+          subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
+          subject-digest: ${{ steps.push_chart.outputs.digest }}