ci: added helm cosign verification and renovate app workflow to bump chart versions (#2064)

* ci: added helm cosign verification and renovate app workflow to bump chart versions * docs: add helm artifacts verification Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> * fix: update app id Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> * docs: add documentation link in helm chart and seerr docs Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> --------- Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>
2025-10-19 04:22:28 +01:00
parent a975ab25c3
commit 082ba3d037
8 changed files with 376 additions and 34 deletions
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -55,7 +55,7 @@ jobs:
              # get current version
              current_version=$(grep '^version:' "$chart_path/Chart.yaml" | awk '{print $2}')
              # try to get current release version
-              if oras manifest fetch "ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}:${current_version}" >/dev/null 2>&1; then
+              if oras manifest fetch "ghcr.io/${{ github.repository }}/${chart_name}:${current_version}" >/dev/null 2>&1; then
                echo "No version change for $chart_name. Skipping."
              else
                helm dependency build "$chart_path"
@@ -87,8 +87,8 @@ jobs:
    name: Publish to ghcr.io
    runs-on: ubuntu-24.04
    permissions:
-      packages: write # needed for pushing to github registry
-      id-token: write # needed for signing the images with GitHub OIDC Token
+      packages: write
+      id-token: write
    needs: [package-helm-chart]
    if: needs.package-helm-chart.outputs.has_artifacts == 'true'
    steps:
@@ -128,17 +128,59 @@ jobs:
            # push chart to OCI
            chart_release_file=$(basename "$chart_path")
            chart_name=${chart_release_file%-*}
-            helm push ${chart_path} oci://ghcr.io/${GITHUB_REPOSITORY@L} |& tee helm-push-output.log
+            helm push ${chart_path} oci://ghcr.io/${{ github.repository }} |& tee helm-push-output.log
            chart_digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
            # sign chart
-            cosign sign "ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}@${chart_digest}"
+            cosign sign "ghcr.io/${{ github.repository }}/${chart_name}@${chart_digest}"
            # push artifacthub-repo.yml to OCI
            oras push \
-              ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}:artifacthub.io \
+              ghcr.io/${{ github.repository }}/${chart_name}:artifacthub.io \
              --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
              charts/$chart_name/artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml \
              |& tee oras-push-output.log
            artifacthub_digest=$(grep "Digest:" oras-push-output.log | awk '{print $2}')
            # sign artifacthub-repo.yml
-            cosign sign "ghcr.io/${GITHUB_REPOSITORY@L}/${chart_name}:artifacthub.io@${artifacthub_digest}"
+            cosign sign "ghcr.io/${{ github.repository }}/${chart_name}:artifacthub.io@${artifacthub_digest}"
+          done
+
+  verify:
+    name: Verify signatures for each chart tag
+    needs: [publish]
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+
+      - name: Downloads artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          name: artifacts
+          path: .cr-release-packages/
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify signatures for each chart tag
+        run: |
+          for chart_path in $(find .cr-release-packages -name '*.tgz' -print); do
+            chart_release_file=$(basename "$chart_path")
+            chart_name=${chart_release_file%-*}
+            version=${chart_release_file#$chart_name-}
+            version=${version%.tgz}
+
+            cosign verify "ghcr.io/${{ github.repository }}/${chart_name}:${version}" \
+              --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
          done