From 7711a258baf46b6243e636ab994377f128748a80 Mon Sep 17 00:00:00 2001 From: xiangyisss Date: Fri, 25 Jul 2025 13:52:37 +0200 Subject: [PATCH 1/5] feat: Enhance chart release workflow with packaging and attestation steps --- .github/workflows/chart-release.yml | 44 ++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml index 60a4a6a0..c5a4f916 100644 --- a/.github/workflows/chart-release.yml +++ b/.github/workflows/chart-release.yml @@ -2,10 +2,21 @@ name: Release Charts on: workflow_dispatch: + push: + branches: + - main + - feat/github-artifact-attestations + tags: + - "exivity-*" jobs: helm-release: runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + attestations: write + steps: - name: Checkout uses: actions/checkout@v4 
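Review bot: The new `push` trigger on `feat/github-artifact-attestations` reads like a development leftover and, together with `main`, means provenance is minted on every push even though the release step added in the next hunk only runs for `refs/tags/`; drop the feature branch and either restrict `push` to the `exivity-*` tags or gate the attest step with the same `if:` as the chart-releaser, so that only artifacts that are actually released carry an attestation. Since this workflow now produces the provenance consumers will verify, the actions it runs (`actions/checkout@v4` here, `actions/attest-build-provenance@v1` in the next hunk) would be better pinned to a full commit SHA than to a floating major tag, so the builder recorded in the provenance cannot change underneath the repository. The `contents: write` grant introduced here is narrowed later in this series, so it is not raised again.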
@@ -18,7 +29,38 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" helm repo add bitnami https://charts.bitnami.com/bitnami + - name: Package Charts + run: | + mkdir -p .cr-release-packages + + # Package the chart + helm package charts/exivity -d .cr-release-packages + + echo "✅ Created chart packages:" + ls -la .cr-release-packages/ + + - name: Create GitHub Attestations + uses: actions/attest-build-provenance@v1 + with: + subject-path: ".cr-release-packages/*.tgz" + + - name: Display Verification Instructions + run: | + echo "🎉 Charts signed with GitHub Attestations!" + echo "" + echo "📋 To verify a chart, users can run:" + echo " gh attestation verify --repo ${{ github.repository }}" + echo "" + echo "📝 Example:" + echo " gh release download --pattern '*.tgz'" + echo " gh attestation verify exivity-*.tgz --repo ${{ github.repository }}" + echo "" + echo "🔒 This provides cryptographic proof that the chart was built by this official workflow" + - name: Run chart-releaser - uses: exivity/chart-releaser-action@v1.1.0 + if: startsWith(github.ref, 'refs/tags/') + uses: exivity/chart-releaser-action@v1.7.0 + with: + skip_packaging: true env: CR_TOKEN: "${{ secrets.GH_BOT_TOKEN }}" From 32f56b894076dace3d1e97ef9815f352da496800 Mon Sep 17 00:00:00 2001 From: xiangyisss Date: Fri, 25 Jul 2025 14:22:41 +0200 Subject: [PATCH 2/5] feat: Improve attestation verification process in chart release workflow --- .github/workflows/chart-release.yml | 35 ++++++++++++++++++----------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml index c5a4f916..b459d769 100644 --- a/.github/workflows/chart-release.yml +++ b/.github/workflows/chart-release.yml @@ -32,8 +32,6 @@ jobs: - name: Package Charts run: | mkdir -p .cr-release-packages - - # Package the chart helm package charts/exivity -d .cr-release-packages echo "✅ Created chart packages:" 
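Review bot: The new `skip_packaging: true` on the chart-releaser step is the load-bearing link between the attestation and the release and deserves a comment: the `.tgz` attested by `actions/attest-build-provenance` must be the byte-identical file chart-releaser uploads, and letting the action repackage would change the digest and make `gh attestation verify` fail for consumers. Suggested comment above `with:`: `# Do not repackage: the .tgz in .cr-release-packages is the attested subject and must be uploaded unchanged.` Presumably `.cr-release-packages` is the directory the exivity action reads when packaging is skipped; if that path is configurable on the action, naming it explicitly next to `skip_packaging` would avoid a silent mismatch with the `helm package ... -d` target. The `Display Verification Instructions` step is replaced in the next commit and is reviewed there.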
@@ -44,18 +42,29 @@ jobs: with: subject-path: ".cr-release-packages/*.tgz" - - name: Display Verification Instructions + - name: Verify Attestations run: | - echo "🎉 Charts signed with GitHub Attestations!" - echo "" - echo "📋 To verify a chart, users can run:" - echo " gh attestation verify --repo ${{ github.repository }}" - echo "" - echo "📝 Example:" - echo " gh release download --pattern '*.tgz'" - echo " gh attestation verify exivity-*.tgz --repo ${{ github.repository }}" - echo "" - echo "🔒 This provides cryptographic proof that the chart was built by this official workflow" + echo "🔍 Testing attestation verification..." + + # Install GitHub CLI if not available + if ! command -v gh &> /dev/null; then + echo "Installing GitHub CLI..." + curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg + echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null + sudo apt update + sudo apt install gh -y + fi + + # Verify each chart package + for chart in .cr-release-packages/*.tgz; do + echo "Verifying: $chart" + gh attestation verify "$chart" --owner ${{ github.repository_owner }} || echo "❌ Verification failed for $chart" + echo "✅ Verification completed for $chart" + done + + echo "🎉 All attestations verified successfully!" + env: + GH_TOKEN: ${{ github.token }} - name: Run chart-releaser if: startsWith(github.ref, 'refs/tags/') From 798f41bb0d5ee4fcabe47ef6f2a8efc6d5b8dcaf Mon Sep 17 00:00:00 2001 From: xiangyisss Date: Fri, 25 Jul 2025 14:25:42 +0200 Subject: [PATCH 3/5] feat: Simplify attestation verification process --- .github/workflows/chart-release.yml | 22 +++++----------------- 1 file changed, 5 insertions(+), 17 deletions(-) 
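Review bot: The verify call on the new side uses `--owner ${{ github.repository_owner }}`, which accepts an attestation produced by any workflow in any repository under that owner, so it does not establish that a chart came from this repository or this workflow; the instructions this hunk deletes already used the tighter `--repo`. Prefer `gh attestation verify "$chart" --repo ${{ github.repository }} --signer-workflow ${{ github.repository }}/.github/workflows/chart-release.yml`; the same applies to the rewritten verify line in the following commit's hunk. Verifying in the run that just signed is a smoke test of the attestation pipeline rather than a control consumers can rely on, so the consumer-facing command line removed here is worth keeping in the README or release notes. The `|| echo` fallback turns a failed verification into a green step; the next commit removes it.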
diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml index b459d769..993ae3c7 100644 --- a/.github/workflows/chart-release.yml +++ b/.github/workflows/chart-release.yml @@ -46,23 +46,11 @@ jobs: run: | echo "🔍 Testing attestation verification..." - # Install GitHub CLI if not available - if ! command -v gh &> /dev/null; then - echo "Installing GitHub CLI..." - curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null - sudo apt update - sudo apt install gh -y - fi - - # Verify each chart package - for chart in .cr-release-packages/*.tgz; do - echo "Verifying: $chart" - gh attestation verify "$chart" --owner ${{ github.repository_owner }} || echo "❌ Verification failed for $chart" - echo "✅ Verification completed for $chart" - done - - echo "🎉 All attestations verified successfully!" + # Verify the chart package + chart_file=$(ls .cr-release-packages/*.tgz) + echo "Verifying: $chart_file" + gh attestation verify "$chart_file" --owner ${{ github.repository_owner }} + echo "✅ Attestation verified successfully!" env: GH_TOKEN: ${{ github.token }} From 6344e8bd798b936c426d13032a81e8685e8c7263 Mon Sep 17 00:00:00 2001 From: xiangyisss Date: Fri, 25 Jul 2025 15:14:05 +0200 Subject: [PATCH 4/5] feat: Comment out unnecessary permissions and environment variables in chart release workflow --- .github/workflows/chart-release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml index 993ae3c7..6d73fbb4 100644 --- a/.github/workflows/chart-release.yml +++ b/.github/workflows/chart-release.yml 
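Review bot: `chart_file=$(ls .cr-release-packages/*.tgz)` assumes exactly one package; a second `.tgz` in that directory (another chart, or a dependency archive) puts a newline-separated list into `$chart_file` and `gh attestation verify` then receives a path that does not exist, and with no match the variable is simply empty. Iterating the glob keeps the fail-fast behaviour for any count: `for chart_file in .cr-release-packages/*.tgz; do` / `  gh attestation verify "$chart_file" --owner ${{ github.repository_owner }}` / `done`. Dropping the `|| echo` fallback is the right call, since with the default `bash -e` run shell a failed verification now fails the step. The `--owner` scope is the concern raised on the previous commit's hunk.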
@@ -13,7 +13,7 @@ jobs: helm-release: runs-on: ubuntu-latest permissions: - contents: write + # contents: write id-token: write attestations: write @@ -51,8 +51,8 @@ jobs: echo "Verifying: $chart_file" gh attestation verify "$chart_file" --owner ${{ github.repository_owner }} echo "✅ Attestation verified successfully!" - env: - GH_TOKEN: ${{ github.token }} + # env: + # GH_TOKEN: ${{ github.token }} - name: Run chart-releaser if: startsWith(github.ref, 'refs/tags/') From 4ed1ad894a65ebfea635b1db0a42bc670e51900e Mon Sep 17 00:00:00 2001 From: xiangyisss Date: Fri, 25 Jul 2025 15:15:46 +0200 Subject: [PATCH 5/5] feat: Restore GH_TOKEN environment variable for attestation verification step --- .github/workflows/chart-release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml index 6d73fbb4..94b8949d 100644 --- a/.github/workflows/chart-release.yml +++ b/.github/workflows/chart-release.yml @@ -13,7 +13,7 @@ jobs: helm-release: runs-on: ubuntu-latest permissions: - # contents: write + contents: read id-token: write attestations: write @@ -51,8 +51,8 @@ jobs: echo "Verifying: $chart_file" gh attestation verify "$chart_file" --owner ${{ github.repository_owner }} echo "✅ Attestation verified successfully!" - # env: - # GH_TOKEN: ${{ github.token }} + env: + GH_TOKEN: ${{ github.token }} - name: Run chart-releaser if: startsWith(github.ref, 'refs/tags/')
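Review bot: The restored `GH_TOKEN: ${{ github.token }}` on the verify step should carry a comment saying why it is needed, because the preceding commit removed it as unnecessary and this one puts it back without explanation; presumably the revert means `gh attestation verify` fails without an authenticated API call, so after confirming that, add `# gh attestation verify queries the GitHub API and fails without a token` above `env:`. `contents: read` is the right narrowing given the release itself is created with the `GH_BOT_TOKEN` secret rather than the default token. Note that `id-token: write` and `attestations: write` are job-scoped, so every step in `helm-release`, including the third-party `exivity/chart-releaser-action`, can request OIDC tokens and publish attestations under this repository's identity; moving the attest and verify steps into their own job that consumes the packages via an uploaded artifact, or pinning the third-party action to a commit SHA, would limit that exposure. The commented-out lines from the preceding commit are fully reverted here and are history.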