|
| 1 | +name: Publish public signing key |
| 2 | + |
| 3 | +# Publishes the Helm chart signing public key to the gh-pages branch as pubkey.gpg |
| 4 | +# (a binary/dearmored GPG keyring) so users can import it and verify chart provenance: |
| 5 | +# curl https://grafana.github.io/helm-charts/pubkey.gpg | gpg --import |
| 6 | +# See the "Helm Provenance and Integrity" section of the README. |
| 7 | +on: |
| 8 | + workflow_dispatch: {} |
| 9 | + |
| 10 | +permissions: {} |
| 11 | + |
| 12 | +jobs: |
| 13 | + publish: |
| 14 | + runs-on: ubuntu-latest |
| 15 | + permissions: |
| 16 | + id-token: write # allows fetching the signing key from Vault via OIDC |
| 17 | + contents: write # allows committing pubkey.gpg to the gh-pages branch |
| 18 | + steps: |
| 19 | + # ghcommit-action computes the file change against the checked-out branch, so we |
| 20 | + # check out gh-pages at the workspace root and write pubkey.gpg there. |
| 21 | + - name: Checkout gh-pages |
| 22 | + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 |
| 23 | + with: |
| 24 | + ref: gh-pages |
| 25 | + persist-credentials: false |
| 26 | + |
| 27 | + - name: Fetch public signing key from Vault |
| 28 | + uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0 |
| 29 | + with: |
| 30 | + repo_secrets: | |
| 31 | + PUBLIC_KEY=helm-chart-signing-key:public_key |
| 32 | +
|
| 33 | + - name: Convert ASCII-armored key to binary GPG keyring |
| 34 | + run: | |
| 35 | + printf '%s' "${PUBLIC_KEY}" | gpg --dearmor > pubkey.gpg |
| 36 | +
|
| 37 | + # Commit via the GitHub GraphQL `createCommitOnBranch` mutation so the commit is signed |
| 38 | + # by GitHub's web-flow key (shown as Verified). This matches how index.yaml is published |
| 39 | + # and works with the "Require signed commits" branch protection on gh-pages. |
| 40 | + - name: Publish pubkey.gpg to gh-pages |
| 41 | + uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20 |
| 42 | + with: |
| 43 | + commit_message: "Publish Helm chart public signing key (pubkey.gpg)" |
| 44 | + repo: ${{ github.repository }} |
| 45 | + branch: gh-pages |
| 46 | + file_pattern: pubkey.gpg |
| 47 | + env: |
| 48 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
0 commit comments