added: cosgin simple and oci workflow

.github/workflows/sign.yaml

@@ -0,0 +1,48 @@
+name: Sign Helm chart artifact
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+
+jobs:
+  sign:
+    name: Sign ${{ matrix.case.name }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        case:
+        - name: TGZ Helm chart artifact
+          sign: |
+            cosign sign-blob -y my-app-1.0.0.tgz \
+              --bundle my-app-1.0.0.tgz.cosign.bundle
+          verify: |
+            cosign verify-blob my-app-1.0.0.tgz \
+              --bundle my-app-1.0.0.tgz.cosign.bundle \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+              --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}"
+        - name: OCI Helm chart artifact
+          sign: |
+            helm push my-app-1.0.0.tgz oci://ttl.sh/charts &> push-metadata.txt
+            CHART_DIGEST=$(awk '/Digest: /{print $2}' push-metadata.txt)
+            echo "CHART_DIGEST=${CHART_DIGEST}" | tee -a $GITHUB_ENV
+            cosign sign -y "ttl.sh/charts/my-app@${CHART_DIGEST}"
+          verify: |
+            cosign verify "ttl.sh/charts/my-app@${CHART_DIGEST}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+              --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}"
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v3
+    - name: Setup Cosign
+      uses: sigstore/cosign-installer@main
+    - name: Create Helm chart package
+      run : helm package charts/my-app
+    - name: Sign Helm chart package
+      run : ${{ matrix.case.sign }}
+    - name: Verify Helm chart package
+      run : ${{ matrix.case.verify }}

.gitignore

@@ -0,0 +1 @@
+*.tgz

README.md

@@ -1,2 +1,10 @@
 # Cosign Helm chart keyless signing example
-An example of using Sigstore/Cosign to secure the Helm chart supply chain. For the full post: [Helm chart keyless signing with Sigstore/Cosign](https://tech.aabouzaid.com/2023/08/helm-chart-keyless-signing-with-sigstore-cosign.html)https://tech.aabouzaid.com/2023/08/helm-chart-keyless-signing-with-sigstore-cosign.html. 
+
+<div align="center" class="separator" style="clear: both; text-align: center;">
+  <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGSVfieFTUOTLbfxF7P06tz9LMdhf0rxoubZxcPUl8qkyTqbrx3lqq3JzjusQQ8hd_aicqy_A33OwkGCv-RgImMUjUjFqUnnit2NgufepKQFuQPOJfg2Z1D7Ta-NP1bgNCgeSK4utJ4CkxlpKE9f1g6Hj5xD8waQPxthh0sh-PlRXH-jmmcdWq030rHlqP/s1200/helm-chart-keyless-signing-with-sigstore-cosign.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="627" data-original-width="1200" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGSVfieFTUOTLbfxF7P06tz9LMdhf0rxoubZxcPUl8qkyTqbrx3lqq3JzjusQQ8hd_aicqy_A33OwkGCv-RgImMUjUjFqUnnit2NgufepKQFuQPOJfg2Z1D7Ta-NP1bgNCgeSK4utJ4CkxlpKE9f1g6Hj5xD8waQPxthh0sh-PlRXH-jmmcdWq030rHlqP/s1200/helm-chart-keyless-signing-with-sigstore-cosign.png" width="640" /></a>
+</div>
+
+An example of using Sigstore/Cosign to secure the Helm chart supply chain.
+- Full blog post: [Helm chart keyless signing with Sigstore/Cosign](https://tech.aabouzaid.com/2023/08/helm-chart-keyless-signing-with-sigstore-cosign.html).
+
+- Full GitHub Actions workflow: [Sign Helm chart artifact](.github/workflows/sign.yaml).

charts/my-app/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: my-app
+version: 1.0.0
+appVersion: 1.0.0
+description: A dummy chart for Helm chart keyless signing with Cosign example.
+keywords:
+  - devsecops
+  - cosign
+  - helm
+  - kubernetes

push-metadata.txt

@@ -0,0 +1,2 @@
+Pushed: ttl.sh/charts/my-app:1.0.0
+Digest: sha256:07eadc88303da523e3030a2f4d4fb994dad25284b42842ab0fbbb1aa87df171a