oauth2-proxy · tuunit · Sep 30, 2025 · Sep 28, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,15 +8,19 @@ on:
 jobs:
   release:
     permissions:
-      contents: write
-      packages: write
+      contents: write # for pushing to gh-pages (HTTPS Helm repository)
+      packages: write # for pushing to GHCR     (OCI Helm repository)
+      id-token: write # for signing with keyless cosign
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
+      - name: Setup Cosign
+        uses: sigstore/[email protected]
+
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
@@ -42,12 +46,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push Charts to GHCR
+      - name: Push Charts to GHCR and Sign
         run: |
           shopt -s nullglob
           for pkg in .cr-release-packages/*; do
             if [ -z "${pkg:-}" ]; then
               break
             fi
-            helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
+            chart_name=$(echo "${pkg##*/}" | sed 's/-[0-9].*$//')
+            repo="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+            helm push "${pkg}" "${repo}" |& grep Digest: | awk '{print $NF}' > digest.txt
+            cosign sign --yes "${repo}/${chart_name}@$(cat digest.txt)"
           done
diff --git a/README.md b/README.md
@@ -18,3 +18,24 @@ Linting/validation uses the [helm/chart-testing tool](https://github.com/helm/ch
 ct lint --all --config ct.yaml
 ct install --all --config ct.yaml
 ```
+
+## Verify Signed Helm Charts
+
+With the introduction of cosign for signing artifacts you can verify the
+integrity of our artifacts using the following command:
+
+```
+VERSION=8.2.2
+cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    --certificate-github-workflow-repository oauth2-proxy/manifests \
+    --certificate-github-workflow-name "Release Charts" \
+    --certificate-github-workflow-ref main \
+    --certificate-identity "https://github.com/oauth2-proxy/manifests/.github/workflows/release.yaml@main" \
+    "oci://ghcr.io/oauth2-proxy/manifests/charts/oauth2-proxy@${VERSION}" | jq
+```
+
+Note:
+
+We utilize cosign to sign and verify artifacts with the KEYLESS mode. To learn
+more about how keyless signing is done, visit the official documentation about 
+[Keyless Signatures](https://docs.sigstore.dev/cosign/signing/overview/#the-signing-witnessing-and-verifying-process).
diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 8.2.1
+version: 8.2.2
 apiVersion: v2
 appVersion: 7.12.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -31,8 +31,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: Add support for new container resize policy feature
+    - kind: security
+      description: Adding cosign keyless signing for helm chart artifact
       links:
         - name: Github PR
-          url: https://github.com/oauth2-proxy/manifests/pull/346
+          url: https://github.com/oauth2-proxy/manifests/pull/356