feat: add helm chart release signing (#137) #144

	name: Release Charts
	on:
	push:
	branches:
	- main
	jobs:
	publish-gh-pages:
	name: Publish to Github pages
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Configure Git
	run: \|
	git config user.name "$GITHUB_ACTOR"
	git config user.email "[email protected]"
	- name: Run chart-releaser
	uses: helm/[email protected]
	with:
	config: "./cr.yaml"
	env:
	CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: artifacts
	path: .cr-release-packages/

	publish-oci:
	name: Publish to ghcr.io
	runs-on: ubuntu-latest
	permissions:
	packages: write # needed for pushing to github registry
	id-token: write # needed for signing the images with GitHub OIDC Token
	needs: [publish-gh-pages]
	steps:
	- name: Install Cosign
	uses: sigstore/cosign-installer@v3
	- name: Downloads artifacts
	uses: actions/download-artifact@v4
	with:
	name: artifacts
	path: .cr-release-packages/
	- name: Login to GitHub Container Registry
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Push charts to GHCR
	env:
	COSIGN_YES: true
	run: \|
	for chart in `find .cr-release-packages -name '*.tgz' -print`; do
	helm push ${chart} oci://ghcr.io/${GITHUB_REPOSITORY} \|& tee helm-push-output.log
	file_name=${chart##*/}
	chart_name=${file_name%-*}
	digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
	cosign sign "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}"
	done

Provide feedback