feat: add chart signing

Dockerfile

@@ -1,6 +1,6 @@
 FROM stefanprodan/alpine-base:latest
 
-RUN apk --no-cache add git
+RUN apk --no-cache add git gnupg
 
 COPY src/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

action.yml

@@ -55,6 +55,15 @@ inputs:
   dependencies:
     description: "A list of helm repositories required to verify dependencies in the format '<name>,<url>;<name>,<url>'"
     required: false
+  key:
+    description: "The GPG key to sign the chart with"
+    required: false
+  private_key:
+    description: "The private GPG key to sign the chart with"
+    required: false
+  passphrase:
+    description: "The passphrase for the private GPG key"
+    required: false
 runs:
   using: 'docker'
   image: 'Dockerfile'
@@ -75,3 +84,6 @@ runs:
     - ${{ inputs.index_dir }}
     - ${{ inputs.enterprise_url }}
     - ${{ inputs.dependencies }}
+    - ${{ inputs.key }}
+    - ${{ inputs.private_key }}
+    - ${{ inputs.passphrase }}

src/entrypoint.sh

@@ -33,6 +33,9 @@ CHART_VERSION=${13}
 INDEX_DIR=${14}
 ENTERPRISE_URL=${15}
 DEPENDENCIES=${16}
+KEY=${17}
+PRIVATE_KEY=${18}
+PASSPHRASE=${19}
 
 CHARTS=()
 CHARTS_TMP_DIR=$(mktemp -d)
@@ -163,7 +166,14 @@ package() {
       CHART_VERSION_CMD=" --version $CHART_VERSION"
   fi
 
-  helm package ${CHARTS[*]} --destination ${CHARTS_TMP_DIR} $APP_VERSION_CMD$CHART_VERSION_CMD
+  if [[ ! -z "$KEY" ]]; then
+      echo "$PRIVATE_KEY" | gpg --batch --import
+      gpg --batch --pinentry-mode loopback --yes --passphrase "$PASSPHRASE" --export-secret-key > $HOME/secring.gpg
+      echo "$PASSPHRASE" > $HOME/passphrase.txt
+      SIGN_CMD=" --sign --key '"$KEY"' --keyring $HOME/secring.gpg --passphrase-file $HOME/passphrase.txt"
+  fi
+
+  eval helm package ${CHARTS[*]} --destination ${CHARTS_TMP_DIR} $SIGN_CMD$APP_VERSION_CMD$CHART_VERSION_CMD
 }
 
 upload() {
@@ -186,11 +196,13 @@ upload() {
     echo "Found index, merging changes"
     helm repo index ${CHARTS_TMP_DIR} --url ${CHARTS_URL} --merge "${INDEX_DIR}/index.yaml"
     mv -f ${CHARTS_TMP_DIR}/*.tgz ${TARGET_DIR}
+    mv -f ${CHARTS_TMP_DIR}/*.prov ${TARGET_DIR} 2>/dev/null || true
     mv -f ${CHARTS_TMP_DIR}/index.yaml ${INDEX_DIR}/index.yaml
   else
     echo "No index found, generating a new one"
     helm repo index ${CHARTS_TMP_DIR} --url ${CHARTS_URL}
     mv -f ${CHARTS_TMP_DIR}/*.tgz ${TARGET_DIR}
+    mv -f ${CHARTS_TMP_DIR}/*.prov ${TARGET_DIR} 2>/dev/null || true
     mv -f ${CHARTS_TMP_DIR}/index.yaml ${INDEX_DIR}
   fi