diff --git a/.github/workflows/helm-publish.yaml b/.github/workflows/helm-publish.yaml
index 7a9ea5c3..2096d9bc 100644
--- a/.github/workflows/helm-publish.yaml
+++ b/.github/workflows/helm-publish.yaml
@@ -3,7 +3,7 @@ name: Helm Publish
 on:
 push:
 branches:
- - master
+ - master
 paths:
 - 'stable/**'
 workflow_dispatch:
@@ -25,7 +25,18 @@ jobs:
 - name: Install Helm
 uses: azure/setup-helm@v4
 with:
- version: v3.12.3 # Lock version for now, helm v3.13.0 contains bugs related to oci that will be fixed in v3.13.1. https://github.com/helm/helm/issues/12423
+ version: v3.16.4
+ - name: Import GPG key
+ id: import_gpg
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+ - name: Save GPG passphrase
+ run: |
+ cat << EOF > passphrase.txt
+ ${{ secrets.GPG_PASSPHRASE }}
+ EOF
 - name: Package Helm Charts
 shell: bash
 run: |
@@ -36,8 +47,9 @@ jobs:
 continue
 fi
 echo "$d"
- helm package "$d" -u
+ helm package --sign "$d" -u --key ${{ steps.import_gpg.outputs.name }} --passphrase-file passphrase.txt
 done
+ rm passphrase.txt
 echo "Packing done"
 - name: Login to GitHub Container Registry
 shell: bash
@@ -51,6 +63,14 @@ jobs:
 echo "$f"
 helm push $f oci://${REGISTRY,,}
 done
+ - name: Upload the Chart to Rekor
+ shell: bash
+ run: |
+ helm plugin install https://github.com/sigstore/helm-sigstore
+ for f in *.tgz ; do
+ echo "$f"
+ helm sigstore upload "$d"
+ done
 - name: Generate Helm repo index.yaml
 shell: bash
 run: helm repo index . --merge index.yaml
@@ -62,10 +82,10 @@ jobs:
 id: cpr
 uses: peter-evans/create-pull-request@v7
 with:
- commit-message: "$GITHUB_ACTION is updating index.yaml for $GITHUB_REF"
+ commit-message: "Updating index.yaml for ${{ github.ref }}"
 branch: update-index
 delete-branch: true
- title: "[stable/index] Updating index.yaml for $GITHUB_REF"
+ title: "[stable/index] Updating index.yaml for ${{ github.ref }}"
 add-paths: |
 index.yaml
 labels: |
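Review bot: The `Save GPG passphrase` step pastes `${{ secrets.GPG_PASSPHRASE }}` into the script text inside an unquoted heredoc, so any `$`, backtick or backslash in the passphrase is expanded by the shell before it reaches `passphrase.txt`, and the file is created with the default umask. Passing the secret through `env:` and writing it with `printf` keeps the value out of the rendered script and byte-exact. Separately, `crazy-max/ghaction-import-gpg@v6` receives the private key but is referenced by a movable tag; pinning it to a full commit SHA would stop a retagged release from seeing the key.

```yaml
- name: Save GPG passphrase
  shell: bash
  env:
    GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
  run: |
    # Owner-only permissions; the value never appears in the script text.
    umask 077
    printf '%s\n' "$GPG_PASSPHRASE" > passphrase.txt
```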
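Review bot: `--key ${{ steps.import_gpg.outputs.name }}` is expanded into the script unquoted, so a key name containing spaces is split into several arguments and `helm package` will most likely treat the extra words as chart paths. Expose the output as an environment variable on the step and pass `--key "$GPG_KEY_NAME"` instead. `rm passphrase.txt` also runs only when every `helm package` call succeeds, because GitHub's `shell: bash` exits at the first failing command; a `trap 'rm -f passphrase.txt' EXIT` at the top of the script would remove the file on failure too, which matters on self-hosted runners. The step's script begins outside this hunk.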
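Review bot: The loop in `Upload the Chart to Rekor` iterates over `f` but calls `helm sigstore upload "$d"`; `d` is never set in this step (each `run:` is a separate shell), so the command receives an empty argument instead of the chart archive. It should read `helm sigstore upload "$f"`. `helm plugin install https://github.com/sigstore/helm-sigstore` also fetches whatever the default branch holds at publish time; adding `--version <pinned-tag>` keeps the code that runs in the release job reviewable.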
diff --git a/.gitignore b/.gitignore index 37cf43d6..d39c2adb 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,5 @@ __pycache__ .vscode/ *.tgz +*.prov +passphrase.txt diff --git a/public_key.asc b/public_key.asc new file mode 100644 index 00000000..68c0f092 --- /dev/null +++ b/public_key.asc 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGd79twBEADHi/ZnreApKrtBDKXVEvzpy1AbEqkczRVMDOB2x+nNmnKRYuIT +WIKM6P7J43mfaJ0ym4e6o6YJxgsGZmMJhYs1j7e3QNNiJfPEmIX8emDK/PJY1VD/ +oq7xSxpgofOzvacIVYU0pvZizzzTYRZ0dLDAvXJdMWHsATvOKQ0njKVBGXUTiLv2 +b5uPoATyA/KLHhMakZP1Liz9TZrTWagaosoauf8LBN+Xe3VHwVMBKsOYo0sBj+5t +8QyZe8i/KH6uv+7Cg0xBtM7Wp+lKmhzzQ6idHbhdEd1nRzal+lIyOc0lCZtkEV3Q +TNnn9KGvU63/btd3O1u1Pu6C0RAcqjh89GMWbj+vF7uCR/C5oYW5c33VwsCGVqdY +guHzOS8Dzw1hapQYkBWQfloy1X0Pqq2RPHAG/Ix6rQrJgpc9D9Rw4WwQLHDvTtsc +rX5GygZZgWPZhV8LOZbtepN3s0pYnBHzGRKhg08lWZn3hJatU/07Rc5CLdvxuvu3 +sMkq4FyjX8R1n4Nj3zlovn3UfgnCEeP7K3SlYvBRBMfpBDqBCaWkqF+kLTUSz8FS +FAMDEhHGq9aFhC713wtIjAwmwnwnoaLsFilh1uIZkvbCBYPxg/kzJ0uy33XzeIZF ++xOAeBzj+Dj81a/3rnRs3XAZLr/rfFAwTuck3Wq633Ah9xfjcPNv1gV20wARAQAB +tDdEZWxpdmVyeSBIZXJvIC0gaGVsbS1jaGFydHMgPG5vLXJlcGx5QGRlbGl2ZXJ5 +aGVyby5jb20+iQJRBBMBCAA7FiEExMKqdjWtwCgsN9HKQ//HBMtFhacFAmd79twC +GwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQQ//HBMtFhaccjg/9HLDh +GKtuPnp7gGt2UNfZnjl8pze46azSjnee0pHgzO7Bcr/7n+rAP4XqREQINlYj5QXW +lOOknMEgnBBes9V3tgZdvqMfhUW98qGw0PcSKJLZ15bna0VeBEMYS+jx4cWqS0ps +YuELjDFfdPMxnWHh9g8aZfOd1otUKHJLi0KOWaM8+OJp7P9eG8SXvVUIn61MHmne +3xET6m56Euka8iE4/sxWgxmHfakkSiy4osGNnvLBIIsrhwTvcY5XZJvKwT+8KroF +FH96cCA16EiAVWYY1IDUt5rOlFzBB+SBMBLcIoTnEpIq9eki10vdALiHkQ3nyEGO +stR9scLg05gtDzHHfbjgIfW4Rvxj6bn64enajyfmazqmfavUauFJTfajyFIt/DYB +oLU0+lN0q2SLD9T8VFlSrle9Fp5iTJheyvLIGshht6su4kI+jsYR267qOcABmFWJ +lMEmnC3gKvqb7jScZLUtHKYbcRihqKLcRv63OkdJSSYCh/Q7qYx2Rj26c42x9r/e +XkC385j9Hqeh6t4QQ49E0wCntiamA22szn3q3xAToK3pfODDujlPBGqW6gdgmEkZ +zX2vCj/8XuCduqarKrYFaRgPTZMG/zGv+1rdkhRyqdd9YmZD4XY+Exq3EgW7LYFM +nosYMz1yGe5y/sir3OmIxHyp/leq26tSW6IlrSO5Ag0EZ3v23AEQAM/fEhUX/xNz +Sxm8+Cyhu+YXFu6kaO8qqnBsx6a89qVpZSQ97EAYXeLVn7E7/qSs6IXG9wviZKk8 +B+w4apQiz411nZA8fXMbi+ZgzKUdzSzoGsWBbwJX4rLAfpQ5pZZMmsmP7yDsI2tw +xaE0kAtO63mLH8Q6othIlZerSBFk5bwTqgEAouUXWCaCMy/mthQSwxRZbk0GrSJl +VCODesrv+lAKJKbn9OJB6ZfbBPYFhBWP8822KMp+9Q38p3aAADbIT8gUw5Vu9Yj0 
+gMPCwfka9K6fMIB/6vjNhkOVcTfkArm0+150rwn/to5DoVc6ERXYvafzvG7Lb5sZ +qMeMI7oQZufLb+r5g7io9gdtW1d0BbbYil+T3lRzxrIcTsOrIVLMJ+/6pu9XLLaT +v3IRXVE7FIfTb+SBFZCsSjlWAlXsmIyvDRU6TmsP+q+Yii1/NKCMfV7RKoYjDL/E +dKw5WK7uYqa28jm9Pgda57qjsJNgVI2oCHQO2inlzmb/4y14b7j0+YwsT7mrmwpl +zFlfsn+KmssWlEStXGcAvpp3oMTAZ6dX5nDIHhQ+Q5KBuXNdoJt4jfxLHuqLejlV +CGVcjH7HluECpLdoZixh4TEgmaOuLzF8Kq/O2u9NdnmCsuF3ZguJOoHcRpvA6dEY +xZ9VFaP/tvUrlT8OssC7O/AIbUuww7n3ABEBAAGJAjYEGAEIACAWIQTEwqp2Na3A +KCw30cpD/8cEy0WFpwUCZ3v23AIbDAAKCRBD/8cEy0WFp8NmD/9+EBI1kFxYbfCN +7Ly4bw8eTqJ5h18pNwKtshgKJ6dOHB1hRmokW0CYP0VK20pYYioMVg442ijf7V/S +unPLUAz9SwOjSOrT7mA0Ctc5hZ7QIvh4fMQOdfJ8oy2Jfu/LOkYqULwmJzPIe8/r +aDqB5vU98A7wesikFbsnW3jHJAq4MUtuZWMSQL2V5JhY2LLBi3Pwf4VLgqmjNJ7C +OG2tOsR78jm5DEMAyO3Rw3ofA8DvVwBVI1mZ/mpTx6qmx3olgpHqWZ6y5n59KjGZ +oapuk+jD+z86zjeXH19VfSAf+FW+dl3JMIOnS1Hv5t78Se3rM4PQqZ0BPr30sa// +PulD6JpyO243DiDf6mRywl7bK6KvvzQytRNy3JGtu10W8ByMFVyNAM2tzQ5xN61R +//grNHAPMBwnWIB9uYFrUPAu6tq4GpZWSCq9QAf8ARd8RMS5loIH8EIohaN6qNOe +E2Rj0Z5g8lQqADecmpPMHc+NcwplZS93xC+tDMLWpPoIUdARPJbWqAg09W1jU+Go +9ECt2NTiu8/W0lY4NPP7/zYxSJmCJWKh7unNL+viGA36X2qFqc2cD1a3dRLjoK0t +I/INkOXVJgVtRP/JeToYj6Rt8JDv2mAJhOcULHpQV4cP7xu/K7XeRMs8/M9FA/gM +Aiyx8oFY5Bk6GxHW/GlRAewM4C+GSQ== +=rux+ +-----END PGP PUBLIC KEY BLOCK-----
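Review bot: `public_key.asc` is added without any documentation of how consumers should obtain and check it, and a key fetched from the same repository that publishes the charts gives no independent trust anchor: anyone able to push here could replace both the key and the signed artefacts. I would add a README section that states the key's full fingerprint, tells users to compare it against a copy published on a separate channel before importing, and shows the `helm verify` / `helm install --verify` usage with the resulting keyring. It is also worth recording the key's expiry and rotation plan there; neither is visible in this diff.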