helm-charts/.github/actions/charts-release-oci/action.yaml
Bernd Schorgers 433f6d132b
feat(common): Release common library 3.7.1 (#383)
Co-authored-by: Aisling McGinn <me@aisling.dev>
2025-02-11 13:23:27 +01:00


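---
# Composite action: pushes a packaged Helm chart to an OCI registry, then signs
# and verifies the pushed artifact with Cosign.
name: "Release charts to OCI registry"
description: "Release charts to OCI registry"
inputs:
  # The runner does not reject a missing `required` input for an action, so
  # callers must always pass chartName and chartVersion explicitly.
  chartName:
    description: "Name of the chart to release"
    required: true
  chartVersion:
    description: "Version of the chart to release"
    required: true
  # Directory the push step runs in; it must already contain the packaged
  # "<chartName>-<chartVersion>.tgz" archive.
  workingDir:
    description: "Working directory"
    required: true
    default: "."
  ociRegistry:
    description: >
      Target OCI registry for Helm charts.
    required: true
    default: "ghcr.io"
  helmVersion:
    description: "Helm version to use for packaging"
    required: true
    # Quoted so the version is always read as a string, even if a later bump
    # uses a two-part number that YAML would otherwise type as a float.
    default: "3.17.0"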
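runs:
  using: "composite"
  steps:
    # NOTE(review): the three actions below are referenced by mutable tag. This
    # job holds a registry token and signs release artifacts, so pinning each
    # one to a full commit SHA (`owner/action@<FULL_COMMIT_SHA>  # vX.Y.Z`)
    # keeps a moved tag from changing what runs here.
    - name: Install Cosign
      uses: sigstore/cosign-installer@v3.6.0
    - name: Install Kubernetes tools
      uses: yokawasa/action-setup-kube-tools@v0.11.2
      with:
        setup-tools: |
          helmv3
        helm: "${{ inputs.helmVersion }}"
    - name: Login to OCI Registry
      uses: docker/login-action@v3
      with:
        registry: "${{ inputs.ociRegistry }}"
        username: "${{ github.actor }}"
        password: "${{ github.token }}"
    # Keyless signing needs the calling workflow to grant `id-token: write`;
    # pushing to the registry needs write access for the job token.
    - name: Push Helm charts to OCI registry
      shell: bash
      working-directory: "${{ inputs.workingDir }}"
      env:
        CHART_NAME: "${{ inputs.chartName }}"
        CHART_VERSION: "${{ inputs.chartVersion }}"
        # NOTE(review): the namespace follows github.actor (whoever triggered
        # the run); confirm this is intended rather than
        # github.repository_owner.
        CHART_TAG_BASE: "${{ inputs.ociRegistry }}/${{ github.actor }}/helm"
        CHART_TAG: "${{ inputs.chartName }}:${{ inputs.chartVersion }}"
        # Built here instead of inside the script: expressions placed in `run`
        # are substituted into the script text before bash parses it, so a ref
        # name containing shell syntax would be interpreted as code.
        CERT_IDENTITY: "https://github.com/${{ github.repository }}/.github/workflows/charts-release-steps.yaml@${{ github.ref }}"
      run: |
        # helm's output is captured to read the digest; replay it on failure so
        # the job log still shows why the push was rejected.
        if ! helm push "${CHART_NAME}-${CHART_VERSION}.tgz" "oci://${CHART_TAG_BASE}" &> push-metadata.txt; then
          cat push-metadata.txt >&2
          exit 1
        fi
        CHART_DIGEST=$(awk '/Digest: /{print $2}' push-metadata.txt)
        # Refuse to sign a reference that is not bound to a digest.
        if [[ -z "${CHART_DIGEST}" ]]; then
          echo "No digest found in helm push output" >&2
          cat push-metadata.txt >&2
          exit 1
        fi
        cosign sign --yes "${CHART_TAG_BASE}/${CHART_TAG}@${CHART_DIGEST}"
        # Verify right away against the expected issuer and workflow identity,
        # so a signature from any other identity fails the release.
        cosign verify "${CHART_TAG_BASE}/${CHART_TAG}@${CHART_DIGEST}" \
          --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
          --certificate-identity "${CERT_IDENTITY}"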