@@ -11,51 +11,56 @@ jobs:
1111 runs-on : ubuntu-latest
1212
1313 steps :
14- # 1) Checkout code
14+ # 1. Checkout
1515 - name : Checkout
1616 uses : actions/checkout@v4
1717 with :
1818 fetch-depth : 0
1919
20- # 2) Git config
20+ # 2. Configure Git
2121 - name : Configure Git
2222 run : |
2323 git config user.name "$GITHUB_ACTOR"
2424 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
2525
26- # 3) Install Helm
26+ # 3. Install Helm
2727 - name : Install Helm
2828 uses : azure/setup-helm@v4.3.0
2929
30- # 4) Import your private key ( ASCII-armored export contains both pub & sec )
30+ # 4. Import your ASCII-armored secret key ( contains both public & private )
3131 - name : Import GPG private key
3232 run : |
3333 echo "${{ secrets.GPG_PRIVATE_KEY }}" \
3434 | gpg --batch --yes --import
35- # gpg import reads both public & secret key material :contentReference[oaicite:2]{index=2}
35+ # Expects secrets.GPG_PRIVATE_KEY = output of:
36+ # gpg --armor --export-secret-keys <KEYID> :contentReference[oaicite:5]{index=5}
3637
37- # 5) Enable loopback pinentry so Helm’s passphrase-file is respected
38+ # 5. Enable loopback pinentry so -- passphrase-file works in batchmode
3839 - name : Enable GPG loopback pinentry
3940 run : |
41+ # Allow loopback in agent and gpg itself
42+ printf "%s\n" "allow-loopback-pinentry" \
43+ >> ~/.gnupg/gpg-agent.conf
4044 printf "%s\n" "pinentry-mode loopback" \
4145 >> ~/.gnupg/gpg.conf
46+ # Restart the agent to pick up changes
4247 gpgconf --kill gpg-agent
43- # Without this, GnuPG ignores --passphrase-file in non-TTY contexts
48+ # Without this, GPG in batchmode cannot read passphrases :contentReference[oaicite:6]{index=6}
4449
45- # 6) Export to legacy keyring files that Helm expects
50+ # 6. Export legacy keyring files that Helm expects
4651 - name : Export legacy .gpg keyrings
4752 run : |
4853 mkdir -p ~/.gnupg
49- # Public keyring
54+ # Export public keys into legacy pubring.gpg
5055 gpg --batch --yes --export "${{ secrets.CR_KEY }}" \
5156 > ~/.gnupg/pubring.gpg
52- # Secret keyring
57+ # Export secret keys into legacy secring.gpg
5358 gpg --batch --yes --export-secret-keys "${{ secrets.CR_KEY }}" \
5459 > ~/.gnupg/secring.gpg
5560 ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg
56- # Helm’s provenance tooling looks specifically for these files
61+ # Helm’s provenance tooling looks for these hard-coded paths :contentReference[oaicite:7]{index=7}
5762
58- # 7) Package & sign each chart (produces .tgz + .tgz.prov)
63+ # 7. Package & sign each chart
5964 - name : Package & sign charts
6065 shell : bash
6166 run : |
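Review bot: Step 4 (`Import GPG private key`) interpolates `${{ secrets.GPG_PRIVATE_KEY }}` straight into the `run:` script, which embeds the key material in the generated script text instead of the process environment; step 6 does the same with `secrets.CR_KEY`, and the next hunk repeats it with `secrets.GPG_PASSPHRASE`. The conventional form is an `env:` entry on the step, `GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}`, with the script reading `printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --yes --import`. Separately, the `> ~/.gnupg/secring.gpg` redirect in step 6 creates the secret keyring with the runner's default umask, so an `umask 077` before the exports (or a `chmod 600 ~/.gnupg/secring.gpg` after) would keep it owner-only; the `ls -l` that follows will confirm the mode. The `:contentReference[oaicite:N]{index=N}` fragments in the new comments look like citation residue from an editing tool and should be removed before merge.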
@@ -68,31 +73,28 @@ jobs:
6873 --passphrase-file <(echo "${{ secrets.GPG_PASSPHRASE }}") \
6974 --destination .cr-release-packages
7075 done
71- # The --keyring and --passphrase-file flags now work in CI :contentReference[oaicite:5 ]{index=5 }
76+ # Now GPG will read the passphrase and keyring non-interactively :contentReference[oaicite:8 ]{index=8 }
7277
73- # 8) Publish the signed charts (skip re-packaging)
78+ # 8. Publish the signed charts (no re-packaging)
7479 - name : Publish signed charts
7580 uses : helm/chart-releaser-action@v1.7.0
7681 with :
7782 skip_existing : true
7883 skip_packaging : true
7984 env :
8085 CR_TOKEN : ${{ secrets.GITHUB_TOKEN }}
81- CR_SIGN : false
86+ CR_SIGN : false # Already signed above :contentReference[oaicite:9]{index=9}
8287
83- # 9) Login to GHCR for OCI pushes
88+ # 9. Login to GHCR for OCI pushes
8489 - name : Login to GHCR
8590 uses : docker/login-action@v3
8691 with :
87- registry : ghcr.io
88- username : ${{ github.actor }}
89- password : ${{ secrets.GITHUB_TOKEN }}
92+ registry : ghcr.io
93+ username : ${{ github.actor }}
94+ password : ${{ secrets.GITHUB_TOKEN }}
9095
91- # 10) Push OCI charts to GHCR
96+ # 10. Push OCI charts to GHCR
9297 - name : Push Charts to GHCR
9398 shell : bash
9499 run : |
95- for pkg in .cr-release-packages/*; do
96- [ -e "$pkg" ] || continue
97- helm push "$pkg" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
98- done
100+ for