feat(github): Introduce chart signing (#2040)

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
2023-05-10 15:06:56 +02:00 · 2023-05-10 15:06:56 +02:00 · 07aa087a19
parent cc64b0c9f5
commit 07aa087a19
2 changed files with 23 additions and 1 deletions
--- a/.github/configs/cr.yaml
+++ b/.github/configs/cr.yaml
@ -1,2 +1,8 @@
 ## Reference: https://github.com/helm/chart-releaser
-index-path: "./index.yaml" 
+index-path: "./index.yaml"
+
+# PGP signing
+sign: true
+key: Argo Helm maintainers
+# keyring:          # Set via env variable CR_KEYRING
+# passphrase-file:  # Set via env variable CR_PASSPHRASE_FILE
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -38,6 +38,22 @@ jobs:
        run: |
          git checkout origin/gh-pages index.yaml

+      # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key
+      # in ASCII-armored format. To export a (new) key, run this command:
+      # `gpg --armor --export-secret-key <my key>`
+      - name: Prepare PGP key
+        run: |
+          IFS=""
+          echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg
+          echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt
+
+          # Tell chart-releaser-action where to find the key and its passphrase
+          echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV"
+          echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV"
+        env:
+          PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}"
+          PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}"
+
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
        with: