From 07aa087a1942aac79dc04ec41a25a9c2b094ac4b Mon Sep 17 00:00:00 2001 From: Marco Kilchhofer Date: Wed, 10 May 2023 15:06:56 +0200 Subject: [PATCH] feat(github): Introduce chart signing (#2040) Signed-off-by: Marco Kilchhofer --- .github/configs/cr.yaml | 8 +++++++- .github/workflows/publish.yml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/configs/cr.yaml b/.github/configs/cr.yaml index 01fdbe0c..a0d425dc 100644 --- a/.github/configs/cr.yaml +++ b/.github/configs/cr.yaml @@ -1,2 +1,8 @@ ## Reference: https://github.com/helm/chart-releaser -index-path: "./index.yaml" \ No newline at end of file +index-path: "./index.yaml" + +# PGP signing +sign: true +key: Argo Helm maintainers +# keyring: # Set via env variable CR_KEYRING +# passphrase-file: # Set via env variable CR_PASSPHRASE_FILE diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e104fde2..58d7d22d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -38,6 +38,22 @@ jobs: run: | git checkout origin/gh-pages index.yaml + # The GitHub repository secret `PGP_PRIVATE_KEY` contains the private key + # in ASCII-armored format. To export a (new) key, run this command: + # `gpg --armor --export-secret-key ` + - name: Prepare PGP key + run: | + IFS="" + echo "$PGP_PRIVATE_KEY" | gpg --dearmor > $HOME/secring.gpg + echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt + + # Tell chart-releaser-action where to find the key and its passphrase + echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV" + echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV" + env: + PGP_PRIVATE_KEY: "${{ secrets.PGP_PRIVATE_KEY }}" + PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}" + - name: Run chart-releaser uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 with: