Sign chart with cosign

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

.github/workflows/release.yaml

@@ -9,14 +9,18 @@ jobs:
   release:
     permissions:
       contents: write
-      packages: write
+      packages: write # for pushing to GHCR
+      id-token: write # for signing with cosign
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
+      - name: Setup Cosign
+        uses: sigstore/[email protected]
+
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
@@ -42,12 +46,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push Charts to GHCR
+      - name: Push Charts to GHCR and Sign
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*; do
             if [ -z "${pkg:-}" ]; then
               break
             fi
-            helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+            chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
+            repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt
+            cosign sign --yes "${repo}/${chart_name}@$(cat digest.txt)"
           done