Sign chart with cosign

Signed-off-by: Matheus Pimenta <[email protected]>

Author: matheuscscp

.github/workflows/release.yaml

@@ -17,6 +17,9 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Setup Cosign
+        uses: sigstore/[email protected]
+
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
@@ -42,12 +45,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push Charts to GHCR
+      - name: Push Charts to GHCR and Sign
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*; do
             if [ -z "${pkg:-}" ]; then
               break
             fi
-            helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+            chart_name=$(echo "${pkg##*/}" | sed 's/\.tgz$//' | sed 's/-[0-9].*$//')
+            repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt
+            cosign sign --yes "${repo}/${chart_name}@$(cat digest.txt)"
           done