From 29a26e54f7075d2d47bc30201fbb48600fcc2255 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= Date: Fri, 14 Oct 2022 15:48:32 +0300 Subject: [PATCH] chore: Push and sign install manifests to GHCR (#4895) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Batuhan Apaydın Co-authored-by: Stefan Prodan <@stefanprodan> Co-authored-by: Charles-Edouard Brétéché <@eddycharly> Signed-off-by: Batuhan Apaydın
---
 .github/workflows/release.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c5962f0bd4..167a1f4e2c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -52,6 +52,10 @@ jobs:
 
 create-release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # needed to write releases
+ id-token: write # needed for keyless signing
+ packages: write # needed for ghcr access
 needs:
 - release-init-kyverno
 - release-kyverno
@@ -71,6 +75,16 @@ jobs:
 with:
 go-version: ~1.18.6
 
+ - name: Setup Flux CLI
+ uses: fluxcd/flux2/action@1fa48bf916fa5ce5800190f8a0c9fdf7ae86559b # v0.35.0
+ with:
+ version: 0.35.0
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
+ with:
+ cosign-release: 'v1.13.0'
+
 - name: Cache Go modules
 uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # pin@v3
 with:
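Review bot: The new job-level `packages: write` grant is not used by any step this commit adds — the GHCR push and the `cosign login` both authenticate with `secrets.CR_PAT_ARTIFACTS`, not with `GITHUB_TOKEN` — so the job's token carries a write scope that nothing exercises. Either keep the grant and drop the long-lived PAT, so the job authenticates with the short-lived repository-scoped token, or keep the PAT and remove `packages: write`; the former is preferable unless the org-owned `manifests/kyverno` package cannot be written by `GITHUB_TOKEN`, which is worth confirming against the package's access settings. Whichever is chosen, make the comment say what the scope is actually for, e.g. `packages: write # push manifests and signatures to ghcr.io with GITHUB_TOKEN`.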
@@ -110,6 +124,24 @@ jobs:
 file: config/.release/install.yaml
 asset_name: install.yaml
 tag: ${{ github.ref }}
+
+ - name: Push manifests to GHCR with Flux
+ run: |
+ set -e
+ cd config/.release/ && \
+ flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:$(git rev-parse --short HEAD) \
+ --path="." \
+ --source="$(git config --get remote.origin.url)" \
+ --revision="(git tag --points-at HEAD)/$(git rev-parse HEAD)"
+ --creds flux:${{ secrets.CR_PAT_ARTIFACTS }}
+
+ - name: Sign manifests in GHCR with Cosign
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ run: |
+ set -e
+ cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.CR_PAT_ARTIFACTS }} ghcr.io
+ cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:$(git rev-parse --short HEAD)
 
 release-cli-via-krew:
 runs-on: ubuntu-latest
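Review bot: The `flux push` invocation in the first `run:` block is broken in two places: the `--revision=…` line has no trailing `\`, so `--creds flux:…` is executed as a separate shell command (the push runs without credentials and the bare `--creds` line then fails under `set -e`), and `(git tag --points-at HEAD)` lacks the `$` of a command substitution, so the revision would be recorded as the literal text `(git tag --points-at HEAD)/<sha>`. The PAT is also interpolated with `${{ secrets.CR_PAT_ARTIFACTS }}` straight into both scripts and handed to `--creds` and `--password` as process arguments; pass it through `env:` and use `cosign login --password-stdin` so it never lands in the script text or the command line (the flux `--creds` argument still does, unless the 0.35.0 CLI accepts credentials from the environment — check its docs). Since the job now has `packages: write`, `GITHUB_TOKEN` would likely suffice in place of the long-lived PAT, assuming the org-owned package grants it access. Note too that `git tag --points-at HEAD` can print several tags, which would put newlines into `--revision`; `| head -n1` or an explicit tag input would make it deterministic. The rewritten steps below apply the first two fixes.
```yaml
      - name: Push manifests to GHCR with Flux
        env:
          CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
          set -e
          cd config/.release/ && \
          flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:$(git rev-parse --short HEAD) \
            --path="." \
            --source="$(git config --get remote.origin.url)" \
            --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \
            --creds "flux:${CR_PAT_ARTIFACTS}"

      - name: Sign manifests in GHCR with Cosign
        env:
          COSIGN_EXPERIMENTAL: 1
          CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }}
        run: |
          set -e
          echo "${CR_PAT_ARTIFACTS}" | cosign login --username "${GITHUB_ACTOR}" --password-stdin ghcr.io
          # … unchanged: cosign sign …
```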