sign helm chart using cosign

Signed-off-by: Rash419 <[email protected]> Change-Id: I977c2b5e3f5fdf940bb03af3127dc16f741ac15a
Rash419 · Jan 26, 2024 · 8b7ab25 · 8b7ab25
1 parent 6013d78
commit 8b7ab25
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
@@ -31,21 +31,23 @@ jobs:
         with:
           version: v3.12.1
 
-      - name: Import GPG key
-        run: |
-          echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
-          echo "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
+      - name: Install cosign
+        uses: sigstore/[email protected]
+      # - name: Import GPG key
+      #   run: |
+      #     echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
+      #     echo "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
 
       - name: Run chart-releaser
         # for use with make-release-latest
         uses: helm/[email protected]
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_SKIP_EXISTING: true
-          CR_KEY: Collabora Productivity
-          CR_KEYRING: keyring.gpg
-          CR_PASSPHRASE_FILE: passphrase-file.txt
-          CR_SIGN: true
+          # CR_KEY: Collabora Productivity
+          # CR_KEYRING: keyring.gpg
+          # CR_PASSPHRASE_FILE: passphrase-file.txt
+          # CR_SIGN: true
         with:
           charts_dir: "kubernetes/helm"
           config: kubernetes/helm/cr.yaml
@@ -58,7 +60,11 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push charts to GHCR
+      - name: Push charts to GHCR and sign charts with cosign
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*; do
@@ -78,4 +84,9 @@ jobs:
             
             echo "Pushing package - ${pkg} to repository - ${lowercase}"
             helm push "${pkg}" "oci://ghcr.io/${lowercase}/charts"
+
+            echo "Signing helm chart with cosign..."
+
+            cosign sign --yes --key ${COSIGN_PRIVATE_KEY} "oci://ghcr.io/${lowercase}/charts/${pkg}"
+            cosign verify --key ${COSIGN_PUBLIC_KEY} "oci://ghcr.io/${lowercase}/charts/${pkg}"
           done
diff --git a/kubernetes/helm/collabora-online/Chart.yaml b/kubernetes/helm/collabora-online/Chart.yaml
@@ -4,7 +4,7 @@ type: "application"
 name: collabora-online
 description: Collabora Online helm chart
 
-version: 1.1.10
+version: 1.1.14
 appVersion: "23.05.7.5.1"
 
 home: "https://www.collaboraoffice.com/code/"