f.weber/bookstack-chart
1
0
Fork 0
Code Issues Pull Requests Actions Releases 1 Activity

Update Helm chart workflow to include signing process and add PGP public key

Browse Source
This commit is contained in:
Florian Weber 2025-05-08 14:49:54 +02:00
parent a55853f4ab
commit c01965b45f
Signed by: f.weber
GPG Key ID: A1C85EB19014A2D3
2 changed files with 68 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
.gitea/workflows/package-and-deploy.yaml
View File

@ -1,4 +1,4 @@
name: Packaging Chart name: Package & Sign Helm Chart
on: on:
release: release:
@ -7,29 +7,74 @@ on:
jobs: jobs:
build: build:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
env:
CHART_DIR: bookstack/
CHART_VERSION: ${{ github.event.release.tag_name }}
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
steps: steps:
- name: Checkout
uses: actions/checkout@v4 # 1) Code auschecken
- name: Setup latest Helm - uses: actions/checkout@v4
uses: azure/setup-helm@v4.3.0
# 2) Helm installieren
- uses: azure/setup-helm@v4.3.0
with: with:
version: latest version: latest
id: install id: install
- name: Import GPG key - name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6 uses: crazy-max/ghaction-import-gpg@v6
with: with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }} passphrase: ${{ secrets.GPG_PASSPHRASE }}
trust_level: 5 trust_level: 5
- name: Export GPG key in legacy format
# 4) “Generation1”SecretRing für Helm erzeugen (TMP, 600Rechte)
- name: Build legacy secret-keyring
run: | run: |
gpg --export-secret-keys --output /tmp/keyring.gpg ${{ secrets.GPG_KEY_ID }} install -m 700 -d /tmp/gpgring
- name: Package Chart gpg --batch --pinentry-mode loopback \
--export-secret-keys "$GPG_KEY_ID" \
--output /tmp/gpgring/secring.gpg
chmod 600 /tmp/gpgring/secring.gpg
echo "$PASSPHRASE" > /tmp/gpgring/passphrase.txt
chmod 600 /tmp/gpgring/passphrase.txt
# 5) Chart bauen & signieren
- name: Package & sign chart
run: | run: |
cp README.md ./charts/bookstack/. cp README.md "$CHART_DIR"/
helm dependency build ./charts/bookstack helm dependency build "$CHART_DIR"
helm package --version $CHART_VERSION --sign --keyring /tmp/keyring.gpg ./bookstack --dependency-update helm package "$CHART_DIR" \
curl -H "Authorization: Basic $REPO_CREDENTIALS" -F "chart=@bookstack-$CHART_VERSION.tgz" -F "prov=@bookstack-$CHART_VERSION.tgz.prov" https://charts.morlana.net/api/charts --version "$CHART_VERSION" \
--sign \
--key "$GPG_KEY_ID" \
--keyring /tmp/gpgring/secring.gpg \
--passphrase-file /tmp/gpgring/passphrase.txt
# 6) In dein internes ChartRepo hochladen
- name: Upload to ChartMuseum
env: env:
REPO_CREDENTIALS: ${{ secrets.REPO_CREDENTIALS }} REPO_CREDENTIALS: ${{ secrets.REPO_CREDENTIALS }}
CHART_VERSION: ${{ github.event.release.tag_name }} run: |
curl -H "Authorization: Basic $REPO_CREDENTIALS" \
-F "chart=@bookstack-$CHART_VERSION.tgz" \
-F "prov=@bookstack-$CHART_VERSION.tgz.prov" \
https://charts.morlana.net/api/charts
# 7) PublicKey aus Repo beilegen und als ReleaseAsset anhängen
- name: Attach release assets
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ github.event.release.tag_name }}
files: |
bookstack-${{ env.CHART_VERSION }}.tgz
bookstack-${{ env.CHART_VERSION }}.tgz.prov
pubkeys/morlana.asc
# 8) Aufräumen (optional, Runner ist ohnehin kurzlebig)
- name: Cleanup sensitive files
if: ${{ always() }}
run: rm -rf /tmp/gpgring

10
pubkeys/morlana.asc Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEaBxO9xYJKwYBBAHaRw8BAQdA/7OLLFRkqsTzyufHwHVgB7M6XoX9+df8qCvi
u5xQM7i0OE1vcmxhbmEgQ0kgU2lnbmluZyBLZXkgPGNvbnRhY3QrZGV2ZWxvcG1l
bnRAbW9ybGFuYS5uZXQ+iJYEExYIAD4WIQS84h7qJd4UtBgZbaH/b3JG+qmcMAUC
aBxO9wIbAwUJAeEzgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRD/b3JG+qmc
MLuMAQDM/CPa1DO31dmcI5Xtt9uK3svdv3mZl5GGqqTylcYTXgD+LL4/OPp7XHx+
WTf9NitfTlwpRKJJWec7vp2NG0NQ8wg=
=ACKv
-----END PGP PUBLIC KEY BLOCK-----