.github/workflows/release.yml

name: Release Charts

on:
  push:
    branches:
      - main
    paths:
      - "charts/**"

jobs:
  release:
    runs-on: ubuntu-latest

    permissions:
      contents: write
      packages: write
      id-token: write

    steps:
      - name: Checkout
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Set up Helm
        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: v3.10.3

      - name: Add dependency chart repos
        run: |
          helm repo add sigstore https://sigstore.github.io/helm-charts

      - name: Install sigstore Helm plugin
        run: |
          helm plugin install https://github.com/sigstore/helm-sigstore

      - name: Install GPG Keys
        run: |
          cat <(echo -e "${{ secrets.GPG_PRIVATE_KEY }}") | gpg --import --batch
          gpg --export > /home/runner/.gnupg/pubring.gpg
          gpg --export-secret-keys > /home/runner/.gnupg/secring.gpg

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_SIGN: "true"
          CR_KEY: "${{ secrets.GPG_KEY_NAME }}"
          CR_KEYRING: "/home/runner/.gnupg/secring.gpg"

      - name: Upload Helm Charts to Rekor
        run: |
          for chart in `find .cr-release-packages -name '*.tgz' -print`; do
            helm sigstore upload --keyring=/home/runner/.gnupg/secring.gpg ${chart}
          done

      - name: Login to GitHub Container Registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

      - name: Publish and Sign OCI Charts
        run: |
          for chart in `find .cr-release-packages -name '*.tgz' -print`; do
            helm push ${chart} oci://ghcr.io/${GITHUB_REPOSITORY} |& tee helm-push-output.log
            file_name=${chart##*/}
            chart_name=${file_name%-*}
            digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
            cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}"
          done
        env:
          COSIGN_YES: true 