23
23
steps :
24
24
- name : Checkout code
25
25
uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
26
+
26
27
- name : Setup Golang
27
28
uses : actions/setup-go@v5
28
29
with :
@@ -116,10 +117,15 @@ jobs:
116
117
117
118
helm-release :
118
119
runs-on : ubuntu-latest
120
+ permissions :
121
+ id-token : write
119
122
steps :
120
123
- name : Checkout code
121
124
uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
122
125
126
+ - name : Setup Cosign
127
+ uses : sigstore/cosign-installer@main
128
+
123
129
- name : checkout jetstack-charts
124
130
uses : actions/checkout@v4
125
131
with :
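Review bot: `uses: sigstore/cosign-installer@main` in the new `Setup Cosign` step pins the tool that produces the chart signatures to a mutable branch, while the same action is pinned by commit SHA in the docker-release job and `actions/checkout` is SHA-pinned two lines above it; a moving ref for the signing tool undercuts the provenance this change is adding. Use the same pin as the docker job: `uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0`. Separately, declaring `permissions:` with only `id-token: write` at the job level resets every other GITHUB_TOKEN scope for this job to none; the same block is added to the docker-release job in a later hunk. If the later `Creating PR` step relies on `github.token`, it will now need `contents: write` and `pull-requests: write` listed explicitly (that step's configuration is outside this hunk).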
@@ -128,16 +134,22 @@ jobs:
128
134
ref : main
129
135
path : jetstack-charts
130
136
131
- - uses : azure/setup-helm@v4
137
+ - name : Setup Helm
138
+ uses : azure/setup-helm@v4
132
139
with :
133
140
token : ${{ github.token }}
134
141
142
+ - name : Login to Quay.io
143
+ run : echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
144
+
135
145
- name : package helm chart
136
146
run : |
137
147
helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
138
148
139
- - name : Login to Quay.io
140
- run : echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
149
+ - name : Sign Helm Chart
150
+ run : |
151
+ cosign sign-blob -y jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz \
152
+ --bundle jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz.cosign.bundle
141
153
142
154
- name : Creating PR
143
155
if : startsWith(github.ref, 'refs/tags/')
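Review bot: The new `Sign Helm Chart` step interpolates `${{steps.release_number.outputs.substring}}` directly into the shell script twice, and the moved `Login to Quay.io` step does the same with two secrets, whereas the docker-release hunk below routes expression values through `env:` and links the hardening guide explaining why. Passing these through environment variables keeps the script static and removes the duplicated chart path. The `release_number` step that produces the substring is outside this hunk, so whether its value is derived from the tag name cannot be confirmed here. Note also that the signing step runs unconditionally while `Creating PR` is gated on `refs/tags/`; on non-tag runs it will attempt keyless signing and fail wherever no OIDC token is issued, so the same `if:` guard seems appropriate.
```yaml
      - name: Login to Quay.io
        env:
          QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
          QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
        run: echo "${QUAY_ROBOT_TOKEN}" | helm registry login quay.io -u "${QUAY_USERNAME}" --password-stdin

      # … unchanged: package helm chart step …

      - name: Sign Helm Chart
        if: startsWith(github.ref, 'refs/tags/')
        env:
          CHART: jetstack-charts/charts/version-checker-${{ steps.release_number.outputs.substring }}.tgz
        run: cosign sign-blob -y "${CHART}" --bundle "${CHART}.cosign.bundle"
```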
@@ -148,7 +160,9 @@ jobs:
148
160
commit-message : " Release version-checker ${{github.ref_name }}"
149
161
branch : version-checker/${{github.ref_name}}
150
162
path : jetstack-charts
151
- add-paths : charts/*.tgz
163
+ add-paths : |
164
+ charts/*.tgz
165
+ charts/*.tgz.cosign.bundle
152
166
delete-branch : true
153
167
signoff : true
154
168
base : main
@@ -160,10 +174,19 @@ jobs:
160
174
161
175
docker-release :
162
176
runs-on : ubuntu-latest
177
+ permissions :
178
+ id-token : write
163
179
steps :
164
180
- name : Checkout code
165
181
uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
166
182
183
+ # Install the cosign tool except on PR
184
+ # https://github.com/sigstore/cosign-installer
185
+ - name : Install cosign
186
+ uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
187
+ with :
188
+ cosign-release : " v2.2.4"
189
+
167
190
- name : Set up QEMU
168
191
uses : docker/setup-qemu-action@v3
169
192
@@ -180,6 +203,7 @@ jobs:
180
203
password : ${{ secrets.QUAY_ROBOT_TOKEN }}
181
204
182
205
- name : Build and push (if applicable)
206
+ id : build-and-push
183
207
uses : docker/build-push-action@v6
184
208
with :
185
209
context : .
@@ -193,6 +217,21 @@ jobs:
193
217
type=sbom
194
218
type=provenance,mode=max
195
219
220
+ # Sign the resulting Docker image digest except on PRs.
221
+ # This will only write to the public Rekor transparency log when the Docker
222
+ # repository is public to avoid leaking data. If you would like to publish
223
+ # transparency data even for private images, pass --force to cosign below.
224
+ # https://github.com/sigstore/cosign
225
+ - name : Sign the published Docker image
226
+ if : ${{ startsWith(github.ref, 'refs/tags/') }}
227
+ env :
228
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
229
+ TAGS : ${{ steps.meta.outputs.tags }}
230
+ DIGEST : ${{ steps.build-and-push.outputs.digest }}
231
+ # This step uses the identity token to provision an ephemeral certificate
232
+ # against the sigstore community Fulcio instance.
233
+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
234
+
196
235
github-release :
197
236
name : Create/Update GitHub Release
198
237
permissions :
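Review bot: The comment block above `Sign the published Docker image` describes cosign 1.x behaviour — Rekor upload gated on repository visibility and a `--force` flag — but this job pins cosign v2.2.4 in the `Install cosign` step, where `--force` no longer exists and transparency-log upload is on by default, controlled by `--tlog-upload`. Suggest replacing those comment lines with `# cosign 2.x always uploads to the public Rekor transparency log; pass --tlog-upload=false to opt out.` so a maintainer with a private image is not misled. The `TAGS`/`DIGEST` env-var indirection is the right pattern for the `run:` line. `DIGEST` comes from the `Build and push (if applicable)` step, whose push condition is outside this hunk; if that step can run on a tag build without pushing, `{}@${DIGEST}` would be malformed — hard to confirm from here.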