From cf8fcd0539e020917e3501e2751ef0eb2054ff50 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Sat, 22 Oct 2022 14:37:32 +0300
Subject: [PATCH] ci: Publish signed Helm charts and manifests to GHCR

- Push Flagger Helm chart to `ghcr.io/fluxcd/charts/flagger`
- Sign Flagger Helm chart with Cosign and GitHub OIDC
- Push install manifests and overlays from `./kustomize` with Flux CLI to `ghcr.io/fluxcd/flagger-manifests`
- Sign Flagger manifests with Cosign and GitHub OIDC

Signed-off-by: Stefan Prodan
---
 .github/workflows/release.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1914fcb5..563ed10b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,6 +19,8 @@ jobs:
       packages: write # needed for ghcr access
     steps:
       - uses: actions/checkout@v3
+      - uses: azure/setup-helm@main
+      - uses: fluxcd/flux2/action@main
       - uses: sigstore/cosign-installer@main
       - name: Prepare
         id: prep
@@ -70,6 +72,23 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           charts_url: https://flagger.app
           linting: off
+      - name: Publish signed Helm chart to GHCR
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          helm package charts/flagger
+          helm push flagger-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/fluxcd/charts
+          cosign sign ghcr.io/fluxcd/charts/flagger:${{ steps.prep.outputs.VERSION }}
+          rm flagger-${{ steps.prep.outputs.VERSION }}.tgz
+      - name: Publish signed manifests to GHCR
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          flux push artifact oci://ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="$(git config --get remote.origin.url)" \
+            --revision="${{ steps.prep.outputs.VERSION }}/$(git rev-parse HEAD)"
+          cosign sign ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }}
       - uses: anchore/sbom-action/download-syft@v0
       - name: Create release and SBOM
         uses: goreleaser/goreleaser-action@v2
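Review bot: The two added steps `- uses: azure/setup-helm@main` and `- uses: fluxcd/flux2/action@main` pull third-party actions from a mutable branch into the job that produces and keylessly signs the release artifacts, so whatever that branch resolves to at run time ends up inside the signed supply chain with no review on this side. For a release/signing workflow these should be pinned to a full commit SHA (with the tag in a trailing comment for readability), e.g. `- uses: azure/setup-helm@<PINNED_COMMIT_SHA> # vX.Y.Z` and `- uses: fluxcd/flux2/action@<PINNED_COMMIT_SHA> # vX.Y.Z`, and Dependabot or Renovate left to bump them. The pre-existing `sigstore/cosign-installer@main` context line has the same exposure and would be worth pinning in a follow-up, since it installs the signing tool itself. The `permissions:` block that grants `id-token: write` for keyless signing starts above this hunk and is not visible here, so I have not checked it.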
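Review bot: Both `cosign sign` invocations in the new steps sign a mutable tag (`ghcr.io/fluxcd/charts/flagger:${{ steps.prep.outputs.VERSION }}` and `ghcr.io/fluxcd/flagger-manifests:${{ steps.prep.outputs.VERSION }}`) rather than a digest, so cosign re-resolves the tag at signing time and the signature attaches to whichever manifest the registry returns at that moment, not necessarily the one the preceding push produced. Signing by `@sha256:<digest>` closes that window; `helm push` prints the pushed digest, and the digest of the Flux artifact can be read back from the registry after the push (check whether the installed `flux` version exposes it in its output before relying on that). It would also help consumers to add a short comment above each step stating the expected verification identity for these keyless signatures, e.g. `# Verify with: cosign verify --certificate-identity-regexp <GITHUB_WORKFLOW_IDENTITY> --certificate-oidc-issuer https://token.actions.githubusercontent.com <image>`, so downstream users are not left guessing which certificate subject to trust. The `steps:` list these two entries belong to continues past the end of the hunk.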