2323 steps :
2424 - name : Checkout code
2525 uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
26+
2627 - name : Setup Golang
2728 uses : actions/setup-go@v5
2829 with :
@@ -116,10 +117,15 @@ jobs:
116117
117118 helm-release :
118119 runs-on : ubuntu-latest
120+ permissions :
121+ id-token : write
119122 steps :
120123 - name : Checkout code
121124 uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
122125
126+ - name : Setup Cosign
127+ uses : sigstore/cosign-installer@main
128+
123129 - name : checkout jetstack-charts
124130 uses : actions/checkout@v4
125131 with :
@@ -128,16 +134,22 @@ jobs:
128134 ref : main
129135 path : jetstack-charts
130136
131- - uses : azure/setup-helm@v4
137+ - name : Setup Helm
138+ uses : azure/setup-helm@v4
132139 with :
133140 token : ${{ github.token }}
134141
142+ - name : Login to Quay.io
143+ run : echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
144+
135145 - name : package helm chart
136146 run : |
137147 helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
138148
139- name : Login to Quay.io
140- run : echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
149+ name : Sign Helm Chart
150+ run : |
151+ cosign sign-blob -y jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz \
152+ --bundle jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz.cosign.bundle
141153
142154name : Creating PR
143155 if : startsWith(github.ref, 'refs/tags/')
@@ -148,7 +160,9 @@ jobs:
148160 commit-message : " Release version-checker ${{github.ref_name }}"
149161 branch : version-checker/${{github.ref_name}}
150162 path : jetstack-charts
151- add-paths : charts/*.tgz
163+ add-paths : |
164+ charts/*.tgz
165+ charts/*.tgz.cosign.bundle
152166delete-branch : true
153167 signoff : true
154168 base : main
@@ -160,10 +174,19 @@ jobs:
160174
161175docker-release :
162176 runs-on : ubuntu-latest
177+ permissions :
178+ id-token : write
163179 steps :
164180 - name : Checkout code
165181 uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
166182
183+ # Install the cosign tool except on PR
184+ # https://github.com/sigstore/cosign-installer
185+ - name : Install cosign
186+ uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
187+ with :
188+ cosign-release : " v2.2.4"
189+
167190 - name : Set up QEMU
168191 uses : docker/setup-qemu-action@v3
169192
@@ -180,6 +203,7 @@ jobs:
180203 password : ${{ secrets.QUAY_ROBOT_TOKEN }}
181204
182205 - name : Build and push (if applicable)
206+ id : build-and-push
183207 uses : docker/build-push-action@v6
184208 with :
185209 context : .
@@ -193,6 +217,21 @@ jobs:
193217 type=sbom
194218 type=provenance,mode=max
195219
220+ # Sign the resulting Docker image digest except on PRs.
221+ # This will only write to the public Rekor transparency log when the Docker
222+ # repository is public to avoid leaking data. If you would like to publish
223+ # transparency data even for private images, pass --force to cosign below.
224+ # https://github.com/sigstore/cosign
225+ - name : Sign the published Docker image
226+ if : ${{ startsWith(github.ref, 'refs/tags/') }}
227+ env :
228+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
229+ TAGS : ${{ steps.meta.outputs.tags }}
230+ DIGEST : ${{ steps.build-and-push.outputs.digest }}
231+ # This step uses the identity token to provision an ephemeral certificate
232+ # against the sigstore community Fulcio instance.
233+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
234+
196235 github-release :
197236 name : Create/Update GitHub Release
198237 permissions :
0 commit comments