From 62acb64ac0bc6d2b96b8930c880cecedaaa4071c Mon Sep 17 00:00:00 2001
From: Marco Franssen
Date: Fri, 7 Nov 2025 14:01:06 +0100
Subject: [PATCH] helm-release: Publish the helm chart as OCI artifact
---
 .github/workflows/helm-chart-release.yaml | 39 +++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/.github/workflows/helm-chart-release.yaml b/.github/workflows/helm-chart-release.yaml
index bfa48726..92e7c7c9 100644
--- a/.github/workflows/helm-chart-release.yaml
+++ b/.github/workflows/helm-chart-release.yaml
@@ -10,18 +10,57 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+ packages: write
+ id-token: write
+
 steps:
 - name: Checkout
 uses: actions/checkout@v2
 with:
 fetch-depth: 0
+
 - name: Configure Git
 run: |
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.2.1
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 with:
 config: .github/cr.yaml
+
+ - name: Setup cosign
+ uses: sigstore/cosign-installer@v4.0.0
+ with:
+ cosign-release: v3.0.2
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3.1.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push charts to GHCR and sign
+ # when filling gaps with previously released charts, cr would create
+ # nothing in .cr-release-packages/, and the original globbing character
+ # would be preserved, causing a non-zero exit. Set nullglob to fix this
+ run: |
+ shopt -s nullglob
+ for pkg in .cr-release-packages/*; do
+ if [ -z "${pkg:-}" ]; then
+ break
+ fi
+ helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts |& tee .digest
+ file="${pkg##*/}" # extracts file name from full directory path
+ name="${file%-*}" # extracts chart name from filename
+ digest="$(awk -F "[, ]+" '/Digest/{print $NF}' < .digest)"
+ cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts/"${name}"@"${digest}"
+ done
+ env:
+ COSIGN_YES: true
\ No newline at end of file
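Review bot: The new job-level `permissions` block gives `contents: write`, `packages: write` and `id-token: write` to every step in `release`, while the actions running under it are pinned to mutable tags (`sigstore/cosign-installer@v4.0.0`, `docker/login-action@v3.1.0`, and the existing `actions/checkout@v2` and `helm/chart-releaser-action@v1.2.1`), so a retagged action would inherit the ability to publish packages and obtain the OIDC identity used for signing. Pin each action to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v4.0.0`, and consider moving the push-and-sign steps into their own job so that `id-token: write` is not exposed to chart-releaser. In the `Push charts to GHCR and sign` script, the status of `helm push ... |& tee .digest` is tee's unless pipefail is on, which the default `run` shell does not appear to set; add `set -euo pipefail` after `shopt -s nullglob` and refuse to sign anything that is not a digest, `[[ "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]] || exit 1`. `name="${file%-*}"` also cuts at the last hyphen, so a chart version carrying a pre-release suffix would produce the wrong repository name in the `cosign sign` reference.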