Merge pull request #644 from bobcallaway/rekor_bump_069 #418
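---
# Release workflow for the charts under charts/.
#
# Pipeline: chart-releaser packages and GPG-signs the charts and publishes a
# GitHub release, the signed packages are uploaded to Rekor with the
# helm-sigstore plugin, and each chart is then pushed to GHCR as an OCI
# artifact and signed with cosign using the job's OIDC token (id-token).
name: Release Charts

on:
  push:
    branches:
      - main
    paths:
      - "charts/**"

jobs:
  release:
    runs-on: ubuntu-latest
    # Job-scoped token permissions: contents for the release assets,
    # packages for the GHCR push, id-token for cosign's keyless flow.
    permissions:
      contents: write
      packages: write
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          # full clone; presumably so chart-releaser can see existing
          # release tags — confirm against the chart-releaser docs
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"

      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.10.3

      - name: Add dependency chart repos
        run: |
          helm repo add sigstore https://sigstore.github.io/helm-charts

      - name: Install sigstore Helm plugin
        # NOTE(review): this installs whatever the plugin repository's default
        # branch holds at run time, so the Rekor upload step is not
        # reproducible; pin it with `--version <plugin-release-tag>` once a
        # release is chosen.
        run: |
          helm plugin install https://github.com/sigstore/helm-sigstore

      - name: Install GPG Keys
        env:
          # Handed over through the environment instead of being expanded
          # into the script text with ${{ }}, so the private key never
          # becomes part of the generated shell command.
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          # echo -e keeps the escape handling the stored secret relies on
          echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
          # Legacy keyring files: CR_KEYRING and the Rekor upload below read
          # secring.gpg from this path.
          gpg --export > /home/runner/.gnupg/pubring.gpg
          gpg --export-secret-keys > /home/runner/.gnupg/secring.gpg

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_SIGN: "true"
          CR_KEY: "${{ secrets.GPG_KEY_NAME }}"
          CR_KEYRING: "/home/runner/.gnupg/secring.gpg"

      - name: Upload Helm Charts to Rekor
        run: |
          # .cr-release-packages is where chart-releaser leaves the packaged charts
          for chart in $(find .cr-release-packages -name '*.tgz' -print); do
            helm sigstore upload --keyring=/home/runner/.gnupg/secring.gpg "${chart}"
          done

      - name: Login to GitHub Container Registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

      - name: Publish and Sign OCI Charts
        run: |
          # pipefail: a failed `helm push` must fail the step; without it the
          # trailing `tee` masks the error and the loop continues with an
          # empty digest.
          set -eo pipefail
          for chart in $(find .cr-release-packages -name '*.tgz' -print); do
            helm push "${chart}" oci://ghcr.io/${GITHUB_REPOSITORY} |& tee helm-push-output.log
            # <name>-<version>.tgz -> <name>
            file_name=${chart##*/}
            chart_name=${file_name%-*}
            # last field of the "Digest" line printed by helm push
            digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
            if [ -z "${digest}" ]; then
              echo "could not parse image digest for ${chart}" >&2
              exit 1
            fi
            # sign by digest, never by tag, so the signature binds the exact content
            cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}"
          done
        env:
          # quoted: a YAML boolean here would be coerced by the runner; the
          # string form matches CR_SIGN above
          COSIGN_YES: "true"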