diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1c0e3b21..e2eee63c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,6 +20,7 @@ jobs:
 HELM_VERSION: v3.13.3
 permissions:
 contents: write
+ id-token: write
 steps:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
@@ -45,3 +46,30 @@ jobs:
 uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
 env:
 CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Setup cosign
+ uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3
+
+ - name: Cosign sign packaged chart and generate hashs
+ shell: bash
+ id: hash
+ run: |
+ packaged_charts=$(ls .cr-release-packages/*.tgz | xargs)
+ for chart in ${packaged_charts}; do
+ cosign sign-blob --yes ${chart}
+ done
+
+ echo "hashes=$(sha256sum ${packaged_charts} | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+
+ provenance:
+ needs: [release]
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ with:
+ base64-subjects: "${{ needs.release.outputs.hashes }}"
\ No newline at end of file
diff --git a/renovate.json b/renovate.json
index aba14f2d..82dc5a3f 100644
--- a/renovate.json
+++ b/renovate.json
@@ -15,5 +15,19 @@
 "password": "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"
 }
 }
+ ],
+ "packageRules": [
+ {
+ "matchDepTypes": [
+ "action"
+ ],
+ "matchPackageNames": [
+ "slsa-framework/slsa-github-generator"
+ ],
+ "matchUpdateTypes": [
+ "pinDigest"
+ ],
+ "enabled": false
+ }
 ]
 }
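Review bot: The `cosign sign-blob --yes ${chart}` call in the signing step writes no signature or certificate file, so nothing a chart consumer could hand to `cosign verify-blob` ends up next to the released `.tgz`; as written the signature appears to go only to the job log and the transparency log. Consider `cosign sign-blob --yes --output-signature "${chart}.sig" --output-certificate "${chart}.pem" "${chart}"` and attaching both files to the chart's release. The step also assumes `.cr-release-packages/*.tgz` exists: with `shell: bash` running under `-eo pipefail`, a run in which chart-releaser packaged nothing would likely fail at the `ls`, so a guard such as `[ -d .cr-release-packages ] || exit 0` before the loop is worth adding, with the `provenance` job then skipped when `hashes` is empty. In the `provenance` job, `contents: write` looks unnecessary because `upload-assets` is not set under `with:`; dropping it leaves the reusable workflow with only `actions: read` and `id-token: write`.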
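Review bot: The new `packageRules` entry gives no reason for switching off `pinDigest` for `slsa-framework/slsa-github-generator`, and JSON has no comments to hold one. Renovate accepts a `description` field on a package rule, for example `"description": "SLSA generator must be referenced by tag; SHA refs are rejected by the reusable workflow"`; that is presumably the motivation, but confirm it against the generator's documentation before writing it down. Stating it matters because this rule leaves `@v1.9.0` as the one tag-based reference in release.yaml while the other actions there are pinned by commit SHA. The enclosing JSON object starts outside the hunk.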