chore: signing helm releases (#4801)

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-10-12 23:14:44 +03:00 · 2022-10-12 23:14:44 +03:00 · f45584bfd6
commit f45584bfd6
parent 25963aba60
2 changed files with 18 additions and 3 deletions
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@ -30,6 +30,11 @@ jobs:
  create-release:
    runs-on: ubuntu-latest
    needs: helm-tests
+    permissions:
+      contents: write
+      packages: write
+      id-token: write 
+      pages: write
    steps:
      - name: Checkout
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
@ -41,6 +46,12 @@ jobs:
        with:
          version: v3.8.0

+      - name: Install Cosign
+        uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
+        with:
+          cosign-release: 'v1.13.0'
+
+
      - name: Set version
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV

@ -72,10 +83,14 @@ jobs:
          helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
      
      - name: Publish OCI Charts
+        env:
+          COSIGN_EXPERIMENTAL: 1
        run: |
          for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do
            chart=${dir##*/}
            echo "Found chart: ${chart}"
            helm package charts-tmp/${chart} --destination .dist
-            helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+            helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts > .digest
+            cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.CR_PAT_ARTIFACTS }} ghcr.io
+            cosign sign ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
          done
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@ -47,9 +47,9 @@ jobs:
          go-version: ~1.18.6

      - name: Install Cosign
-        uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
+        uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
        with:
-          cosign-release: 'v1.11.0'
+          cosign-release: 'v1.13.0'

      - name: Cache Go modules
        uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # pin@v3