WIP: Re-implement artifact signing #682

Draft
justusbunsi wants to merge 2 commits from justusbunsi/helm-chart:artifact-signing into main

@ -6,32 +6,24 @@ on:
- "*"
env:
# renovate: datasource=docker depName=alpine/helm
HELM_VERSION: "3.15.3"
# renovate: datasource=github-releases depName=sigstore/cosign
COSIGN_VERSION: "v2.2.4"
jobs:
generate-chart-publish:
runs-on: ubuntu-latest
container: alpine/helm:3.15.3
steps:
- uses: actions/checkout@v4
- name: install tools
run: |
apt update -y
apt install -y curl ca-certificates curl gnupg
# helm
curl -O https://get.helm.sh/helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
tar -xzf helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
mv linux-amd64/helm /usr/local/bin/
rm -rf linux-amd64 helm-v${{ env.HELM_VERSION }}-linux-amd64.tar.gz
helm version
# docker
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt update -y
apt install -y python3 python3-pip apt-transport-https docker-ce-cli
pip install awscli
apk add --no-cache --update nodejs git curl ca-certificates gnupg aws-cli
aws --version
# cosign - the -L is important. Otherwise, the file would be empty.
curl -O -L "https://github.com/sigstore/cosign/releases/download/${{ env.COSIGN_VERSION }}/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
cosign version
- uses: actions/checkout@v4
- name: Import GPG key
id: import_gpg
@ -41,22 +33,19 @@ jobs:
passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
# Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
- name: package chart
env:
GPGSIGN_KEY_NAME: "Teabot"
run: |
echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | docker login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
# FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
helm plugin install https://github.com/pat-s/helm-gpg
# https://github.com/helm/helm/issues/2843#issuecomment-1462927026
gpg --export-secret-keys > ~/.gnupg/secring.gpg
helm dependency build
helm package --version "${GITHUB_REF#refs/tags/v}" ./
helm package --sign --key "${GPGSIGN_KEY_NAME}" --keyring ~/.gnupg/secring.gpg --version "${GITHUB_REF#refs/tags/v}" ./
mkdir gitea
mv gitea*.tgz gitea/
mv gitea-${GITHUB_REF#refs/tags/v}.tgz* gitea/
curl -s -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
helm repo index gitea/ --url https://dl.gitea.com/charts --merge gitea/index.yaml
# push to dockerhub
echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login -u ${{ secrets.DOCKER_CHARTS_USERNAME }} registry-1.docker.io --password-stdin
helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz oci://registry-1.docker.io/giteacharts
helm registry logout registry-1.docker.io
- name: aws credential configure
uses: https://github.com/aws-actions/configure-aws-credentials@v4
@ -68,3 +57,33 @@ jobs:
- name: Copy files to S3 and clear cache
run: |
aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/
- name: Push to DockerHub
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSPHRASE }}
shell: bash
run: |
set -o pipefail
echo "${{ secrets.COSIGN_KEY }}" > /tmp/cosign.key
# We have to login to two different endpoints:
# - index.docker.io: Used by "helm push"
# - registry-1.docker.io: Used by "cosign sign"
echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login https://index.docker.io/v1/ -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
echo ${{ secrets.DOCKER_CHARTS_PASSWORD }} | helm registry login https://registry-1.docker.io/v2/ -u ${{ secrets.DOCKER_CHARTS_USERNAME }} --password-stdin
helm push gitea/gitea-${GITHUB_REF#refs/tags/v}.tgz "oci://registry-1.docker.io/${{ secrets.DOCKER_CHARTS_USERNAME }}" 2>&1 | tee /tmp/oci-metadata.txt
# Cosign relies on the native Docker config.json location. As we don't want to install Docker solely for `docker login`, we simply copy the authentication file to the right location :)
mkdir -p ~/.docker/
cp $(helm env HELM_REGISTRY_CONFIG) ~/.docker/
# Build full artifact url including tag and digest, using /tmp/oci-metadata.txt that contains something like:
# Pushed: registry-1.docker.io/<username>/gitea:<tag>
# Digest: <digest>
cosign sign --key /tmp/cosign.key --yes "$(grep -F 'Pushed' /tmp/oci-metadata.txt | cut -d ' ' -f2)@$(grep -F 'Digest' /tmp/oci-metadata.txt | cut -d ' ' -f2)"
# Cleanup authentication files
rm $(helm env HELM_REGISTRY_CONFIG)
rm -rf ~/.docker/
rm /tmp/cosign.key /tmp/oci-metadata.txt