Merge pull request #425 from garethahealy/main

added cosign and provenance generation
redhat-cop · Jan 10, 2024 · 45407d9 · 45407d9
2 parents c2d3575 + ca1587c
commit 45407d9
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -20,6 +20,7 @@ jobs:
       HELM_VERSION: v3.13.3
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -45,3 +46,30 @@ jobs:
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Setup cosign
+        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3
+
+      - name: Cosign sign packaged chart and generate hashs
+        shell: bash
+        id: hash
+        run: |
+          packaged_charts=$(ls .cr-release-packages/*.tgz | xargs)
+          for chart in ${packaged_charts}; do
+            cosign sign-blob --yes ${chart}
+          done
+          
+          echo "hashes=$(sha256sum ${packaged_charts} | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+  provenance:
+    needs: [release]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
diff --git a/renovate.json b/renovate.json
@@ -15,5 +15,19 @@
         "password": "wcFMA/xDdHCJBTolAQ//Sh19U5r/uu5MCxAjI+KZTwDVuTmQ2bS8Qj7t8z5oQuR51GI0QLcSxqtN6eWCeYPfdz+pxtsKE2CBExGl7mRbnpERJ9SVE/Pi8kUWeju9OERIVl105HZgYoN/0APBMVIP+LVSH7YqfLagyTc0HBW4qbUUTV/7frL9mXGF7XYCWapuqvbNgIcliiTL47SbDr3319vkiCJ0kHeShZpFh4oMhF5N8BI87jIiPATzh1vFBQyf7TQYhrT9eAayN89ZGtst+2lEf1cdg/BHskRCkuqSd1Lko7it/QJoE2RVVg5s+eDrzdDTloRsQyN0bH+gxvEqOonuxUnpmgRtc6ZZTYzZfW3DRlBQiTm8oGUerYiav0BASjmP/g8s9UHpQhZzTkfrju7ylgDw5orN28BeRWFnGP/RFfWA/YVlXoMa7VtTpSWzYknz/qjH2fCTqevy9C2aeISM8vOuoQGN/ZZ55oSozKA3FKREhIX2E88DZ1iEELq+bNUGlWCXhTIRzDTp6vbzBrv2vgNal7VrkIkE/iKwl8dUQyoCD3oaIsPocti+ykuTo3owhmqSVvPY7FWpfMhCSEeImFMEZMvLDIAevSqnmaxgc2BT60Bof4EnXVN1Z0tItvvXk+5K5NfOAzy14Kt5LR8xdk8Ssc4jgH1EAEgmzScLFEolG0dKPTVkQAMJapPSwpYBKpshI4XLTurNCMT0HsXBjhyKqcF0EUJZrOCmXBtqz5JdZpC/C1Tn1nc7Wq1gwwB/W3XrJGM8dHP0KAyJP/CzSJ5K9W7IvGxIcrdsx9Q4BPHQ00F+OWrG51+IL4ygD1rjVSg4lFIh3riOZHkiHUgmVhlDkoGP9gl5Nd/isuVgNRWgwLwC27y3ZzMjn7MIV8G12yvxhAdMFAEzOTKuCWyC4P3n5x8PY0FfjDBZk/tLfaDUo2quaCZrYrbWsN0pUcDzDpADJ7KC2297/RvtLTiXxjr4uyt1wxopf5NSZ/OcNz+G8XKSi40W/wdxUXQdv+7Q5ExdtdGdrra7IFKdjWRrSTq9UJYsgkZgaJ7W/u2pwOeSO3K9gNS99LpUEK9n00dEiuYRJ/VFjx3DyLqZzScCdhfmzIVvfGvSmKWkaGpC+0d3Z8j0lin4jy3TRghV7ejbGE2fIHfP8lypfP5E6frQoIOXM75l3RlOj1Wp7X3SpbT0vsMAUr9lffSBhw4Cjm26HxP8/wA8wesk6D87QDI/rkslQVtW74661V/tp3cw8H4xbranhR+OiE/O9dKaYsiFycYilnhTyDoibBPJgIYhxpJFOXe/FSR6D4hH9R6j8bQCBP2YrAFU6XJ8rMffeDtHGWOPFgfDYh6/JANcwaU7j+R9Qo4HltSdEgHSowUt5n2+XrX74WP5fUBWZUgNUNaIa99SRbZ4VdPSHYYYocJ2u/wPlXgDppybPKfpUWINd0unqiG4B4Z9JK7z1rOX0XejrMSya/am9SJA8/66al3U5U0CPCNaUDqXYesHfcW056RnfV9XDE0PDnhWCd70gzCtNS0JE3ChcHNNUTm+IU3vnRydzzS99LXrJ9uks6/PGNH5/q7AdAepv214yiEcAFxUQPs5yJaY0jeSYbVuJR2e2t1FXmU77+3pJxNWXYZcHtEAMjU48UdPBj9u2IKXJ9BFXRGGUBQtH1IcqJzyZ6QyAV8dtfo8v87CewuLx6u1iMNf6t0v/+Nz3223N8nBbRUlDHOr/M+3TyqmZfFOKvvJqdbtOeCnuOuog8f6DbUQSO8Kq3HD3a52TeC2L0wkyLOtw1XM5TFq8SKGEUDXXIQ2cDG2CofkJta3vLzOSrsd4bnf0/l6vA"
       }
     }
+  ],
+  "packageRules": [
+    {
+      "matchDepTypes": [
+        "action"
+      ],
+      "matchPackageNames": [
+        "slsa-framework/slsa-github-generator"
+      ],
+      "matchUpdateTypes": [
+        "pinDigest"
+      ],
+      "enabled": false
+    }
   ]
 }