Skip to content

Commit 40c9395

Browse files
committed
New workflow to publish the public key to gh-pages
Signed-off-by: Pete Wall <pete.wall@grafana.com>
1 parent 886e32c commit 40c9395

2 files changed

Lines changed: 73 additions & 0 deletions

File tree

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
name: Publish public signing key
2+
3+
# Publishes the Helm chart signing public key to the gh-pages branch as pubkey.gpg
4+
# (a binary/dearmored GPG keyring) so users can import it and verify chart provenance:
5+
# curl https://grafana.github.io/helm-charts/pubkey.gpg | gpg --import
6+
# See the "Helm Provenance and Integrity" section of the README.
7+
on:
8+
workflow_dispatch: {}
9+
10+
permissions: {}
11+
12+
jobs:
13+
publish:
14+
runs-on: ubuntu-latest
15+
permissions:
16+
id-token: write # allows fetching the signing key from Vault via OIDC
17+
contents: write # allows committing pubkey.gpg to the gh-pages branch
18+
steps:
19+
# ghcommit-action computes the file change against the checked-out branch, so we
20+
# check out gh-pages at the workspace root and write pubkey.gpg there.
21+
- name: Checkout gh-pages
22+
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
23+
with:
24+
ref: gh-pages
25+
persist-credentials: false
26+
27+
- name: Fetch public signing key from Vault
28+
uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0
29+
with:
30+
repo_secrets: |
31+
PUBLIC_KEY=helm-chart-signing-key:public_key
32+
33+
- name: Convert ASCII-armored key to binary GPG keyring
34+
run: |
35+
printf '%s' "${PUBLIC_KEY}" | gpg --dearmor > pubkey.gpg
36+
37+
# Commit via the GitHub GraphQL `createCommitOnBranch` mutation so the commit is signed
38+
# by GitHub's web-flow key (shown as Verified). This matches how index.yaml is published
39+
# and works with the "Require signed commits" branch protection on gh-pages.
40+
- name: Publish pubkey.gpg to gh-pages
41+
uses: planetscale/ghcommit-action@25309d8005ac7c3bcd61d3fe19b69e0fe47dbdde # v0.2.20
42+
with:
43+
commit_message: "Publish Helm chart public signing key (pubkey.gpg)"
44+
repo: ${{ github.repository }}
45+
branch: gh-pages
46+
file_pattern: pubkey.gpg
47+
env:
48+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,31 @@ You can then run `helm search repo grafana` to see the charts.
2121
<!-- Keep full URL links to repo files because this README syncs from main to gh-pages. -->
2222
Chart documentation is available in [grafana directory](https://github.com/grafana/helm-charts/blob/main/charts/grafana/README.md).
2323

24+
## Helm Provenance and Integrity
25+
26+
Charts in this repository may be signed, allowing you to verify their integrity and
27+
origin. More information about how provenance works can be found in the official
28+
[Helm documentation](https://helm.sh/docs/topics/provenance/).
29+
30+
A local running GPG agent is required to complete the verification process.
31+
32+
To add the public signing key to your keyring, run:
33+
34+
```console
35+
curl https://grafana.github.io/helm-charts/pubkey.gpg | gpg --import
36+
```
37+
38+
Depending on your GnuPG version (2.1+ in particular), you may need to export the
39+
imported key so that Helm can find it:
40+
41+
```console
42+
gpg --export > ~/.gnupg/pubring.gpg
43+
```
44+
45+
Once your keyring is configured, pass the `--verify` flag to `helm install`,
46+
`helm upgrade`, `helm pull`, or `helm template` to validate a chart's signature and
47+
confirm its authenticity.
48+
2449
## Contributing
2550

2651
<!-- Keep full URL links to repo files because this README syncs from main to gh-pages. -->

0 commit comments

Comments
 (0)