helm-release: Publish the helm chart as OCI artifact

.github/workflows/release-chart.yaml

@@ -18,8 +18,12 @@ jobs:
     defaults:
       run:
         shell: bash
+
     permissions:
       contents: write
+      packages: write
+      id-token: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
@@ -93,3 +97,34 @@ jobs:
           CR_RELEASE_NAME_TEMPLATE: "metrics-server-helm-chart-{{ .Version }}"
           CR_RELEASE_NOTES_FILE: RELEASE.md
           CR_MAKE_RELEASE_LATEST: false
+
+      - name: Setup cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: v3.0.2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push charts to GHCR and sign
+        # when filling gaps with previously released charts, cr would create
+        # nothing in .cr-release-packages/, and the original globbing character
+        # would be preserved, causing a non-zero exit. Set nullglob to fix this
+        run: |
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*; do
+            if [ -z "${pkg:-}" ]; then
+              break
+            fi
+            helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts |& tee .digest
+            file="${pkg##*/}"       # extracts file name from full directory path
+            name="${file%-*}"       # extracts chart name from filename
+            digest="$(awk -F "[, ]+" '/Digest/{print $NF}' < .digest)"
+            cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts/"${name}"@"${digest}"
+          done
+        env:
+          COSIGN_YES: true