Created
November 15, 2022 00:55
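#!/bin/bash
# Pull (or package) this repository's charts, push them to GHCR as OCI
# artifacts and sign them with cosign. Interactive: each push and each
# signature is confirmed on the terminal first.
# Required env: GITHUB_REPOSITORY (owner/repo, example: r6by/testoci)
#               GHCR_PAT (token for `helm registry login ghcr.io`)
set -u
# The original `: GITHUB_REPOSITORY` was a no-op; `:?` aborts with a clear
# message when the variable is unset or empty instead of failing later.
: "${GITHUB_REPOSITORY:?must be set to owner/repo, e.g. r6by/testoci}"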
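#######################################
# Ask a yes/no question on the terminal.
# Arguments: $1 - question text; " (y/n)?" is appended
# Outputs:   "invalid" on stderr for any answer other than y/Y/n/N
# Returns:   0 for y/Y, 1 for n/N; any other answer exits the script with 1
#######################################
yesno() {
  local choice
  # -r keeps backslashes in the answer literal; the prompt is only shown
  # when stdin is a terminal
  read -r -p "${1} (y/n)?" choice
  case "$choice" in
    y|Y) return 0 ;;
    n|N) return 1 ;;
    *) echo "invalid" >&2; exit 1 ;;
  esac
}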
# shopt -s nullglob | |
# for pkg in .cr-release-packages/*; do | |
# if [ -z "${pkg:-}" ]; then | |
# break | |
# fi | |
# helm push "${pkg}" oci://ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts | |
# file=${pkg##*/} # extracts file name from full directory path | |
# name=${file%-*} # extracts chart name from filename | |
# noext=${file%.tgz} # extracts string (NAME-1.2.3) without extension to get version below | |
# version=${noext##*-} # extracts version | |
# cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts/"${name}":"${version}" | |
# done | |
# helm repo add prometheus-community https://prometheus-community.github.io/helm-charts | |
# helm repo update prometheus-community | |
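# Split "owner/repo" with parameter expansion instead of `echo $var | awk`:
# no subshells, and the value is never word-split or glob-expanded.
GITHUB_REPO_NAME="${GITHUB_REPOSITORY#*/}"      # everything after the first /
GITHUB_REPOSITORY_OWNER="${GITHUB_REPOSITORY%%/*}"  # everything before the first /
HELM_REPO="${GITHUB_REPO_NAME}"
# The classic (GitHub Pages) Helm repo for this repository
helm repo add "${HELM_REPO}" "https://${GITHUB_REPOSITORY_OWNER}.github.io/${GITHUB_REPO_NAME}"
helm repo update "${HELM_REPO}"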
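mkdir -p .cr-release-packages
# Charts are the subdirectories of charts/. A directory glob replaces parsing
# `ls -l` output, which breaks on names containing spaces and depends on the
# column layout; nullglob makes an empty charts/ yield zero iterations.
shopt -s nullglob
for chart_dir in charts/*/; do
  c="${chart_dir%/}"   # drop trailing slash
  c="${c##*/}"         # chart name only
  # pull each chart's current version as listed in helm repo index
  if helm pull "${HELM_REPO}/${c}" --destination .cr-release-packages/; then
    echo "pulled ${HELM_REPO}/${c}"
  else
    # build local package that is not yet pushed to Helm repo
    echo "packaging local charts/${c}"
    helm package "charts/${c}" --destination .cr-release-packages/
  fi
done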
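# The token goes in on stdin (--password-stdin), not argv, so it does not
# appear in `ps` output; printf '%s' avoids echo's option/backslash handling.
: "${GHCR_PAT:?must be set to a GitHub token usable for helm registry login}"
# Registry user defaults to the gist author; override with GHCR_USER.
printf '%s\n' "${GHCR_PAT}" | helm registry login ghcr.io -u "${GHCR_USER:-scottrigby}" --password-stdin
# cosign 1.x reads this to enable keyless (OIDC) signing and verification
export COSIGN_EXPERIMENTAL=1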
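# Push each packaged chart to GHCR as an OCI artifact and sign it, skipping
# steps already done. Uses yesno() to confirm every push and signature.
shopt -s nullglob   # an empty .cr-release-packages/ yields zero iterations
oci_base="oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
# only .tgz packages: the name/version parsing below assumes NAME-1.2.3.tgz
for pkg in .cr-release-packages/*.tgz; do
  file=${pkg##*/}        # file name from full directory path
  name=${file%-*}        # chart name from NAME-1.2.3.tgz
  noext=${file%.tgz}     # NAME-1.2.3, without extension
  version=${noext##*-}   # 1.2.3
  ref="ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts/${name}"
  # before pushing see if this version already exists in the OCI registry;
  # helm's stdout (pull or push) is kept in .digest for the Digest line below
  unset digest
  rm -f .digest
  if helm pull "${oci_base}/${name}" --version "${version}" > .digest; then
    echo "charts/${name}:${version} already in OCI registry"
  elif yesno "Do you want to push ${pkg} to ${oci_base}"; then
    helm push "${pkg}" "${oci_base}" > .digest
  else
    echo "ok, did not push"
  fi
  # before signing, see if OCI package is already signed.
  # NOTE(review): verification is by tag while signing is by digest; a tag can
  # be moved to other content, so verifying "${ref}@${digest}" would be stricter.
  # NOTE(review): cosign 2.x keyless verify also requires --certificate-identity
  # and --certificate-oidc-issuer — confirm against the installed version.
  if COSIGN_EXPERIMENTAL=1 cosign verify "${ref}:${version}"; then
    echo "charts/${name}:${version} already signed and verified"
  else
    # last field of the line containing "Digest" in helm's output (sha256:...)
    digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < .digest)
    if [ -z "${digest}" ]; then
      # happens when the push was declined or failed: .digest has no Digest line,
      # and signing "${ref}@" with an empty digest would only produce an error
      echo "no digest recorded for ${pkg}; skipping signing" >&2
    elif yesno "Do you want to sign ${ref}@${digest}"; then
      cosign sign "${ref}@${digest}"
    else
      echo "ok, did not sign"
    fi
  fi
done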