-
Notifications
You must be signed in to change notification settings - Fork 92
83 lines (69 loc) · 2.59 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: Release Charts
on:
push:
branches:
- main
paths:
- "charts/**"
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.10.3
- name: Add dependency chart repos
run: |
helm repo add sigstore https://sigstore.github.io/helm-charts
- name: Install sigstore Helm plugin
run: |
helm plugin install https://github.com/sigstore/helm-sigstore
- name: Install GPG Keys
run: |
cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --import --batch
gpg --export > /home/runner/.gnupg/pubring.gpg
gpg --export-secret-keys > /home/runner/.gnupg/secring.gpg
- name: Run chart-releaser
uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_SIGN: "true"
CR_KEY: "${{ secrets.GPG_KEY_NAME }}"
CR_KEYRING: "/home/runner/.gnupg/secring.gpg"
- name: Upload Helm Charts to Rekor
run: |
for chart in `find .cr-release-packages -name '*.tgz' -print`; do
helm sigstore upload --keyring=/home/runner/.gnupg/secring.gpg ${chart}
done
- name: Login to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
- name: Publish and Sign OCI Charts
run: |
for chart in `find .cr-release-packages -name '*.tgz' -print`; do
helm push ${chart} oci://ghcr.io/${GITHUB_REPOSITORY} |& tee helm-push-output.log
file_name=${chart##*/}
chart_name=${file_name%-*}
digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}"
done
env:
COSIGN_YES: true