1616 name : Generate a clean release name from the branch/tag
1717 runs-on : ubuntu-latest
1818 outputs :
19- name : ${{ steps.release_number.outputs.substring != "" && steps.release_number.outputs.substring || github.ref_name }}
19+ name : " ${{ steps.release_number.outputs.substring != '' && steps.release_number.outputs.substring || github.ref_name }}"
2020 steps :
2121 -
uses :
bhowell2/[email protected] 2222 id : release_number
@@ -152,19 +152,29 @@ jobs:
152152 - name : Setup Helm
153153 uses : azure/setup-helm@v4
154154
155- - name : Login to Quay.io
156- if : startsWith(github.ref, 'refs/tags/')
157- run : echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
155+ # FIXME: We need a Repo Created in Quay ahead of time for this to work
156+ # - name: Login to Quay.io for OCI Push
157+ # if: startsWith(github.ref, 'refs/tags/')
158+ # run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
158159
159160 - name : package helm chart
160161 run : |
161162 helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
162163
163164 - name : Sign Helm Chart
164165 run : |
165- cosign sign-blob -y jetstack-charts/charts/version-checker-${{ needs.release-name.outputs.name }}.tgz \
166+ cosign sign-blob -y \
167+ jetstack-charts/charts/version-checker-${{ needs.release-name.outputs.name }}.tgz \
166168 --bundle jetstack-charts/charts/version-checker-${{ needs.release-name.outputs.name }}.tgz.cosign.bundle
167169
170+ # FIXME: We need a Repo Created in Quay ahead of time for this to work
171+ # - name: Push to Quay
172+ # if: startsWith(github.ref, 'refs/tags/')
173+ # run: |-
174+ # helm push \
175+ # jetstack-charts/charts/version-checker-${{ needs.release-name.outputs.name }}.tgz \
176+ # oci://quay.io/jetstack/version-checker/chart
177+
168178 - name : Creating Publishing Chart's PR
169179 uses : peter-evans/create-pull-request@v7
170180 if : ${{ startsWith(github.ref, 'refs/tags/') }}
@@ -181,11 +191,6 @@ jobs:
181191 signoff : true
182192 base : main
183193
184- - name : Push to Quay
185- if : startsWith(github.ref, 'refs/tags/')
186- run : |-
187- helm push jetstack-charts/charts/version-checker-${{ needs.release-name.outputs.name }}.tgz oci://quay.io/quay.io/jetstack/version-checker/chart:${{needs.release-name.outputs.name}}
188-
189194 docker-release :
190195 runs-on : ubuntu-latest
191196 permissions :
@@ -233,20 +238,14 @@ jobs:
233238 type=sbom
234239 type=provenance,mode=max
235240
236- # Sign the resulting Docker image digest except on PRs.
237- # This will only write to the public Rekor transparency log when the Docker
238- # repository is public to avoid leaking data. If you would like to publish
239- # transparency data even for private images, pass --force to cosign below.
240- # https://github.com/sigstore/cosign
241- - name : Sign the published Docker image
241+ - name : Sign the published Docker image (if tag)
242242 if : ${{ startsWith(github.ref, 'refs/tags/') }}
243243 env :
244244 # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
245- TAGS : ${{ steps.meta.outputs.tags }}
245+ TAGS : quay.io/jetstack/version-checker: ${{github.ref_name }}
246246 DIGEST : ${{ steps.build-and-push.outputs.digest }}
247- # This step uses the identity token to provision an ephemeral certificate
248- # against the sigstore community Fulcio instance.
249- run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
247+ run : |-
248+ cosign sign --yes "quay.io/jetstack/version-checker:${{github.ref_name}}@${DIGEST}"
250249
251250 github-release :
252251 name : Create/Update GitHub Release
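Review bot: The new `run:` line of the "Sign the published Docker image (if tag)" step expands `${{github.ref_name}}` directly inside the shell script, which is the pattern the hardening guide linked in the `env:` comment of the same step advises against. The ref name is text chosen by whoever pushes the tag, and it is substituted into the script before the shell parses it. The step already sets `TAGS` from the same expression but never reads it, so the line can become `cosign sign --yes "${TAGS}@${DIGEST}"` with no other change. The commit also removes the comments explaining that signing uses an ephemeral Fulcio certificate and writes to the public Rekor log; a short comment such as `# keyless signing via Fulcio; entry is written to the public Rekor log` would keep that context for the next maintainer. The "Sign Helm Chart" step expands `needs.release-name.outputs.name` in its `run:` block in the same way, and that job starts before the visible lines, so its `env:` handling cannot be checked from here.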