Skip to content

Merge pull request #449 from redhat-cop/renovate/registry.redhat.io-r… #345

Merge pull request #449 from redhat-cop/renovate/registry.redhat.io-r…

Merge pull request #449 from redhat-cop/renovate/registry.redhat.io-r… #345

Workflow file for this run

name: Release Charts
on:
push:
branches:
- main
paths-ignore:
- '.github/**'
- 'README.md'
# Declare default permissions as read only.
permissions: read-all
jobs:
release:
concurrency: staging_environment
runs-on: ubuntu-latest
env:
# renovate: datasource=github-releases depName=helm/helm
HELM_VERSION: v3.14.3
permissions:
contents: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "[email protected]"
- name: Install Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: ${{ env.HELM_VERSION }}
- name: Add dependency chart repos
run: |
helm repo add stable https://charts.helm.sh/stable
helm repo add incubator https://charts.helm.sh/incubator
- name: Run chart-releaser
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
- name: Setup cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3
- name: Cosign sign packaged chart and generate hashs
shell: bash
id: hash
run: |
packaged_charts=$(ls .cr-release-packages/*.tgz | xargs)
for chart in ${packaged_charts}; do
cosign sign-blob --yes ${chart}
done
echo "hashes=$(sha256sum ${packaged_charts} | base64 -w0)" >> "$GITHUB_OUTPUT"
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
provenance:
needs: [release]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v1.10.0
with:
base64-subjects: "${{ needs.release.outputs.hashes }}"