public/helm-charts
1
0
Fork 0
mirror of https://github.com/bjw-s-labs/helm-charts.git synced 2025-07-03 08:37:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

ci: Update charts-release-oci.yaml for keyless cosigning (#343)

Browse source 
Co-authored-by: Bernd Schorgers <me@bjw-s.dev>
This commit is contained in:
St. Veit 2024-08-13 10:41:19 +02:00 committed by GitHub
parent a0b5fe2008
commit a78c21ab00
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
.github/workflows/charts-release-oci.yaml vendored
View file

@ -20,6 +20,10 @@ jobs:
release-charts: release-charts:
name: Release charts name: Release charts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
packages: write # needed for ghcr access
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
steps: steps:
- name: Checkout chart sources - name: Checkout chart sources
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -33,6 +37,9 @@ jobs:
helmv3 helmv3
helm: "${{ env.HELM_VERSION }}" helm: "${{ env.HELM_VERSION }}"
- name: Install Cosign
uses: sigstore/cosign-installer@v3.6.0
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v3 uses: docker/login-action@v3
with: with:
@ -52,5 +59,10 @@ jobs:
CHART_VERSION=$(yq e '.version' ${{ env.CHARTS_SRC_DIR }}/${CHART}/Chart.yaml) CHART_VERSION=$(yq e '.version' ${{ env.CHARTS_SRC_DIR }}/${CHART}/Chart.yaml)
helm package "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}/${CHART_NAME}" --dependency-update --destination "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}" --version "${CHART_VERSION}" helm package "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}/${CHART_NAME}" --dependency-update --destination "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}" --version "${CHART_VERSION}"
helm push "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}/${CHART_NAME}-${CHART_VERSION}.tgz" oci://${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm helm push "${{ env.CHARTS_SRC_DIR }}/${CHART_TYPE}/${CHART_NAME}-${CHART_VERSION}.tgz" oci://${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm &> push-metadata.txt
CHART_DIGEST=$(awk '/Digest: /{print $2}' push-metadata.txt)
cosign sign -y "${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm/${CHART_NAME}:${CHART_VERSION}@${CHART_DIGEST}"
cosign verify "${{ env.TARGET_REGISTRY }}/${{ github.actor }}/helm/${CHART_NAME}:${CHART_VERSION}@${CHART_DIGEST}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}"
done done