ci: Publish signed Helm charts and manifests to GHCR

- Push Flagger Helm chart to `ghcr.io/fluxcd/charts/flagger` - Sign Flagger Helm chart with Cosign and GitHub OIDC - Push install manifests and overlays from `./kustomize` with Flux CLI to `ghcr.io/fluxcd/flagger-manifests` - Sign Flagger manifests with Cosign and GitHub OIDC Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · Oct 22, 2022 · e1431d5 · e1431d5
1 parent 300cd24
commit e1431d5
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -70,6 +70,23 @@ jobs:
  token: ${{ secrets.GITHUB_TOKEN }}
  charts_url: https://flagger.app
  linting: off
+ - name: Publish signed Helm chart to GHCR
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ run: |
+ helm package charts/flagger
+ helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts
+ cosign sign ghcr.io/fluxcd/charts/flagger:${{ steps.prep.outputs.VERSION }}
+ rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
+ - name: Publish signed manifests to GHCR
+ env:
+ COSIGN_EXPERIMENTAL: 1
+ run: |
+ flux push artifact oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
+ --path="./kustomize" \
+ --source="$(git config --get remote.origin.url)" \
+ --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)"
+ cosign sign ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }}
  - uses: anchore/sbom-action/download-syft@v0
  - name: Create release and SBOM
  uses: goreleaser/goreleaser-action@v2