Merge pull request #38 from controlplaneio-fluxcd/sign

Sign charts

Author: matheuscscp

.github/workflows/release.yml

@@ -25,6 +25,8 @@ jobs:
         uses: actions/[email protected]
       - name: Setup Helm
         uses: azure/[email protected]
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       - name: Login to GitHub Container Registry
         uses: docker/[email protected]
         with:
@@ -35,3 +37,5 @@ jobs:
         run: make package
       - name: Push Helm charts
         run: make push
+      - name: Sign Helm charts
+        run: make sign

Makefile

@@ -20,13 +20,16 @@ lint:  ## Run Helm linter against all charts.
 
 .PHONY: package
 package: ## Package all Helm charts into the dist directory.
-	mkdir -p dist
-	helm package ./charts/* -d ./dist/
+	./scripts/package.sh
 
 .PHONY: push
 push: ## Push all Helm charts to the Helm repository.
 	./scripts/push.sh
 
+.PHONY: sign
+sign: ## Sign all Helm charts on the Helm repository.
+	./scripts/sign.sh
+
 .PHONY: plugins
 plugins: ## Install required Helm plugins.
 	helm plugin install https://github.com/losisin/helm-values-schema-json.git

scripts/package.sh

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Stefan Prodan.
+# SPDX-License-Identifier: AGPL-3.0
+
+set -euo pipefail
+
+REPOSITORY_ROOT=$(git rev-parse --show-toplevel)
+REGISTRY="ghcr.io/controlplaneio-fluxcd/charts"
+
+for chartDir in ${REPOSITORY_ROOT}/charts/*; do
+  if [ -z "${chartDir:-}" ]; then
+    break
+  fi
+  chart=$(basename ${chartDir})
+  mkdir -p ${REPOSITORY_ROOT}/dist/${chart}
+  helm package ${chartDir} -d ${REPOSITORY_ROOT}/dist/${chart}
+done

scripts/push.sh

@@ -8,9 +8,9 @@ set -euo pipefail
 REPOSITORY_ROOT=$(git rev-parse --show-toplevel)
 REGISTRY="ghcr.io/controlplaneio-fluxcd/charts"
 
-for pkg in ${REPOSITORY_ROOT}/dist/*; do
+for pkg in ${REPOSITORY_ROOT}/dist/*/*.tgz; do
   if [ -z "${pkg:-}" ]; then
     break
   fi
-  helm push "${pkg}" oci://${REGISTRY}
+  helm push "${pkg}" oci://${REGISTRY} | grep Digest: | awk '{print $NF}' > "$(dirname ${pkg})/digest"
 done

scripts/sign.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Stefan Prodan.
+# SPDX-License-Identifier: AGPL-3.0
+
+set -euo pipefail
+
+REPOSITORY_ROOT=$(git rev-parse --show-toplevel)
+REGISTRY="ghcr.io/controlplaneio-fluxcd/charts"
+
+for pkg in ${REPOSITORY_ROOT}/dist/*/*.tgz; do
+  if [ -z "${pkg:-}" ]; then
+    break
+  fi
+  chart="$(basename $(dirname ${pkg}))"
+  digest="$(cat $(dirname ${pkg})/digest)"
+  image="${REGISTRY}/${chart}@${digest}"
+  cosign sign --yes ${image}
+done