From f45584bfd679f57cecc27e455eafa0f2e45f64d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?=
Date: Wed, 12 Oct 2022 23:14:44 +0300
Subject: [PATCH] chore: signing helm releases (#4801)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Batuhan Apaydın
Signed-off-by: Batuhan Apaydın
Co-authored-by: Charles-Edouard Brétéché
---
 .github/workflows/helm-release.yaml | 17 ++++++++++++++++-
 .github/workflows/reuse.yaml | 4 ++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index 9c299abcf3..2839cc1bf4 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -30,6 +30,11 @@ jobs:
 create-release:
 runs-on: ubuntu-latest
 needs: helm-tests
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+ pages: write
 steps:
 - name: Checkout
 uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
@@ -41,6 +46,12 @@ jobs:
 with:
 version: v3.8.0
 
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
+ with:
+ cosign-release: 'v1.13.0'
+
+
 - name: Set version
 run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
 
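Review bot: The new `permissions` block grants `pages: write` alongside `contents`, `packages` and `id-token`, but no step visible in this commit (checkout, Helm package/push, cosign sign) writes to GitHub Pages; unless a step outside the hunks publishes the chart index to a Pages branch, `pages: write` should be dropped so the job token stays at least privilege. `id-token: write` is what the keyless `cosign sign` in the Publish step needs, and `packages: write` covers the ghcr.io push, so those two are justified by the diff itself. The `create-release` job continues past the end of the hunk.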
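Review bot: The `@@ -41,6 +46,12 @@` hunk adds six lines on the new side but only four carry content, so two consecutive blank lines appear to land between `cosign-release: 'v1.13.0'` and the `Set version` step; collapsing that to one blank line matches the spacing between the other steps and keeps yamllint's empty-lines rule quiet. The pinned action SHA with a trailing version comment and the quoted `'v1.13.0'` follow the file's existing conventions. The `steps` list continues outside the hunk.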
@@ -72,10 +83,14 @@ jobs:
 helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io
 
 - name: Publish OCI Charts
+ env:
+ COSIGN_EXPERIMENTAL: 1
 run: |
 for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do
 chart=${dir##*/}
 echo "Found chart: ${chart}"
 helm package charts-tmp/${chart} --destination .dist
- helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+ helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts > .digest
+ cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.CR_PAT_ARTIFACTS }} ghcr.io
+ cosign sign ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}')
 done
diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml
index 730028e1b7..7a71a1b8c1 100644
--- a/.github/workflows/reuse.yaml
+++ b/.github/workflows/reuse.yaml
@@ -47,9 +47,9 @@ jobs:
 go-version: ~1.18.6
 
 - name: Install Cosign
- uses: sigstore/cosign-installer@116dc6872c0a067bcb78758f18955414cdbf918f # v1.4.1
+ uses: sigstore/cosign-installer@7cc35d7fdbe70d4278a0c96779081e6fac665f88 # v2.8.0
 with:
- cosign-release: 'v1.11.0'
+ cosign-release: 'v1.13.0'
 
 - name: Cache Go modules
 uses: actions/cache@fd5de65bc895cf536527842281bea11763fefd77 # pin@v3
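Review bot: The added `cosign login` inside the `for` loop authenticates with `secrets.CR_PAT_ARTIFACTS`, a long-lived personal token, while the `helm registry login` at the top of the same hunk already uses `secrets.GITHUB_TOKEN`; with `packages: write` now granted to the job, the short-lived token suffices for cosign as well and the login only needs to run once, before the loop: `cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io`. Separately, the digest is recovered by grepping `helm push`'s human-readable output; if the `Digest:` line is ever absent or reformatted the `$(...)` expands to nothing and `cosign sign` is invoked on `…/${chart}@`, which still fails the step under the default `bash -e` shell but with an unhelpful error, so capturing the value into a variable and checking `[ -n "$digest" ]` before signing would make the failure name its cause. Signing by digest rather than by tag is the right choice here. The `create-release` job may continue past `done` outside the hunk.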