1 year ago · b5cdec5687
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -71,6 +71,8 @@ jobs:
 
				     permissions:
			
 
				       contents: write  # for helm/chart-releaser-action to push chart release and create a release
			
 
				       packages: write  # to push OCI chart package to GitHub Registry
			
 
				+      id-token: write  # gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate
			
 
				+      attestations: write # this permission is necessary to persist the attestation
			
 
				     runs-on: ubuntu-latest
			
 
				     steps:
			
 
				       - name: Checkout
			
@@ -125,12 +127,41 @@ jobs:
 
				           username: ${{ github.actor }}
			
 
				           password: ${{ secrets.GITHUB_TOKEN }}
			
 
				 
			
 
				+      - name: Install cosign
			
 
				+        uses: sigstore/cosign-installer@v3.7.0
			
 
				+        with:
			
 
				+          cosign-release: 'v2.4.1'
			
 
				+
			
 
				       - name: Push chart to GHCR
			
 
				+        id: push_chart
			
 
				         run: |
			
 
				           shopt -s nullglob
			
 
				           for pkg in .cr-release-packages/*.tgz; do
			
 
				             if [ -z "${pkg:-}" ]; then
			
 
				               break
			
 
				             fi
			
 
				-            helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
			
 
				-          done
			
 
				+            chart_name=$(helm show chart "${pkg}" | yq .name)
			
 
				+            # helm push fails when registry path contains Uppercase letters
			
 
				+            chart_registry="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
			
 
				+            
			
 
				+            helm_push_output=$(helm push "${pkg}" "oci://${chart_registry}" 2>&1)
			
 
				+            digest=$(echo "$helm_push_output" | grep -o 'sha256:[a-z0-9]*')
			
 
				+            echo "$helm_push_output"
			
 
				+            
			
 
				+            artifact_digest_uri="${chart_registry}/${chart_name}@${digest}"
			
 
				+            cosign sign --yes "$artifact_digest_uri"
			
 
				+            cosign verify "$artifact_digest_uri" \
			
 
				+                --certificate-identity-regexp "https://github.com/$GITHUB_REPOSITORY/*" \
			
 
				+                --certificate-oidc-issuer https://token.actions.githubusercontent.com
			
 
				+
			
 
				+            echo "digest=${digest}" >> "$GITHUB_OUTPUT"
			
 
				+            echo "chart_name=${chart_name}" >> "$GITHUB_OUTPUT"
			
 
				+            echo "registry=${chart_registry}" >> "$GITHUB_OUTPUT"
			
 
				+          done
			
 
				+
			
 
				+      - name: Generate provenance attestation and push to OCI registry
			
 
				+        uses: actions/attest-build-provenance@v1.4.4
			
 
				+        with:
			
 
				+          push-to-registry: true
			
 
				+          subject-name: ${{ steps.push_chart.outputs.registry }}/${{ steps.push_chart.outputs.chart_name }}
			
 
				+          subject-digest: ${{ steps.push_chart.outputs.digest }}