From 2134436074670e16d36503bb7714430fb9d6248e Mon Sep 17 00:00:00 2001 From: pascalholthaus <94793111+pascalholthaus@users.noreply.github.com> Date: Tue, 4 Jul 2023 12:12:56 +0200 Subject: [PATCH] Add: gpg-secret-key support to helm build and push (#683) --- helm-build-push/README.md | 22 ++++++++-- helm-build-push/action.yaml | 85 ++++++++++++++++++++++++++++++++----- 2 files changed, 93 insertions(+), 14 deletions(-) diff --git a/helm-build-push/README.md b/helm-build-push/README.md index 0b1301d5..66052f4c 100644 --- a/helm-build-push/README.md +++ b/helm-build-push/README.md @@ -15,10 +15,26 @@ jobs: uses: greenbone/actions/helm-build-push@v2 with: chart-name: Chart folder name - charts-path: Charts base folder || default ./charts - registry: Registry to use e.g ghcr.io - registry_url: Registry url to push to e.g oci://ghcr.io/greenbone/helm-charts/ registry_user: Registry username registry_token: Registry user password/token ``` +## Action Configuration + +|Input Variable|Description| | +|--------------|-----------|-| +| charts-path | Path to charts base folder | Optional(default ./charts) | +| chart-name | Chart to build and push | Required | +| registry | registry to push | Optional(default ghcr.io) | +| registry-subpath| Registry subpath to place the helm chart in | Optional | +| registry-user | Registry login user | Required | +| registry-token | Registry login password/token | Required | +| gpg-secret-key | Base64 encoded gpg secret key for chart sign | Optional | +| gpg-secret-name | Gpg secret key name from gpg secret key | Optional | + +## Action Outout + +|Output Variable|Description| +|--------------|-----------| +| tag | Helm chart url's with tag | +| digest | The helm chart digest | diff --git a/helm-build-push/action.yaml b/helm-build-push/action.yaml index 528fec21..4083902e 100644 --- a/helm-build-push/action.yaml +++ b/helm-build-push/action.yaml 
@@ -12,13 +12,27 @@ inputs: default: "ghcr.io" registry-subpath: description: Registry subpath to place the helm chart in - required: true registry-user: description: Registry login user required: true registry-token: description: Registry login password/token required: true + gpg-secret-key: + description: Base64 encoded gpg secret key for chart sign + required: false + gpg-secret-name: + description: Gpg secret key name from gpg secret key + required: false + +outputs: + tag: + description: Helm chart url's with tag. + value: ${{ steps.push.outputs.tag }} + digest: + description: The helm chart digest. + value: ${{ steps.push.outputs.digest }} + branding: icon: "package" color: "green" 
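Review bot: The descriptions of the two new inputs do not tell a caller what to supply: `gpg-secret-name` ("Gpg secret key name from gpg secret key") is the key name/uid handed to `helm package --key`, and `gpg-secret-key` must be a base64-encoded secret keyring file that `helm package --keyring` can read (per the Helm provenance docs that is the older `secring.gpg` format, not an armored export). Suggested wording: `description: Base64 encoded gpg secret keyring (secring.gpg format) used as helm package --keyring; pass it from a secret` and `description: Name or uid of the signing key inside gpg-secret-key, passed to helm package --key; the chart is signed only when this is set`. It is also worth stating that the two inputs are only effective together, since the key-setup step in the later hunk is conditioned on gpg-secret-name alone. Dropping `required: true` from `registry-subpath` matches the README table, but its description could say that an empty value pushes to `oci://<registry>/<owner>/` directly.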
@@ -33,19 +47,68 @@ runs: -u '${{ inputs.registry-user }}' \ -p '${{ inputs.registry-token }}' \ '${{ inputs.registry }}' - - name: Helm build and upload package + - name: Set gpg secret key + if: ${{ inputs.gpg-secret-name }} shell: bash run: | - helm dependency update '${{ inputs.charts-path }}/${{ inputs.chart-name }}' - helm package '${{ inputs.charts-path }}/${{ inputs.chart-name }}' - - name: Push with subpath + echo "${{ inputs.gpg-secret-key }}" | base64 -d > /tmp/secret-key.gpg + chmod 0600 /tmp/secret-key.gpg + - name: Build and signing + id: build shell: bash - if: ${{ inputs.registry-subpath }} - run: helm push ${{ inputs.chart-name }}-*.tgz 'oci://${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.registry-subpath }}' - - name: Push without subpath + run: | + chart="${{ inputs.charts-path }}/${{ inputs.chart-name }}" + # Load helm chart dependency's + helm dependency update "$chart" + # Build helm chart + if [ "${{ inputs.gpg-secret-name }}" ]; then + echo "Sign used" + output="$(helm package \ + --sign \ + --key "${{ inputs.gpg-secret-name }}" \ + --keyring /tmp/secret-key.gpg \ + "$chart" \ + 2>&1)" + else + echo "No sign used" + output="$(helm package "$chart" 2>&1)" + fi + # Get helm chart tgz file name + chart_file="${output##*/}" + # Check if output is correct + if ! 
[ -f "$chart_file" ]; then + echo "$output" + echo "Chart filename: $chart_file" + exit 1 + fi + # Echo outputs + echo "$chart_file" + # Set outputs + echo "chart-file=$chart_file" >> "$GITHUB_OUTPUT" + - name: Push + id: push shell: bash - if: ${{ !inputs.registry-subpath }} - run: helm push ${{ inputs.chart-name }}-*.tgz 'oci://${{ inputs.registry }}/${{ github.repository_owner }}/' + run: | + cmd="push ${{ steps.build.outputs.chart-file }} oci://${{ inputs.registry }}/${{ github.repository_owner }}/" + # Add subpath if exist + if [ "${{ inputs.registry-subpath }}" ]; then + echo "Add subpath ${{ inputs.registry-subpath }}" + cmd+="${{ inputs.registry-subpath }}/" + fi + # Run helm push + output="$(helm $cmd 2>&1)" + # Get helm path and helm digest + pushed="$(echo "$output" | awk '/Pushed:/{print $2}')" + digest="$(echo "$output" | awk '/Digest:/{print $2}')" + # Echo outputs + echo "tag: $pushed" + echo "digest: $digest" + # Set outputs + echo "tag=$pushed" >> "$GITHUB_OUTPUT" + echo "digest=$digest" >> "$GITHUB_OUTPUT" - name: Cleanup shell: bash - run: rm -f "${{ inputs.chart-name }}-*.tgz" + run: | + rm -f "${{ steps.build.outputs.chart-file }}" + rm -f "${{ steps.build.outputs.chart-file }}.prov" + rm -f /tmp/secret-key.gpg
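Review bot: The Cleanup step at the end of the hunk has no `if: always()`, so whenever "Build and signing" or "Push" fails the decoded key at `/tmp/secret-key.gpg` is left on the runner for the rest of the job, and on persistent self-hosted runners beyond it; add `if: always()` to that step. The "Set gpg secret key" step is gated only on `inputs.gpg-secret-name`, so a name without a key decodes an empty keyring and fails later inside helm, while a key without a name silently takes the "No sign used" branch and pushes an unsigned chart; fail fast when exactly one of the two is set, e.g. in the setup step `if [ -z "${{ inputs.gpg-secret-key }}" ]; then echo "gpg-secret-name is set but gpg-secret-key is empty" >&2; exit 1; fi`, with the mirrored check in the build step. The key material is expanded inline into the script text via `${{ inputs.gpg-secret-key }}`; passing it through `env:` (`GPG_SECRET_KEY: ${{ inputs.gpg-secret-key }}` and `printf '%s' "$GPG_SECRET_KEY" | base64 -d`) keeps it out of the rendered command, and running the redirect under `umask 077` (or creating the file first with `install -m 0600 /dev/null /tmp/secret-key.gpg`) closes the window between the write and the `chmod 0600`. If the exported key is passphrase-protected, `helm package --sign` will prompt and the non-interactive step will fail; documenting that the key must be passphrase-less, or exposing `--passphrase-file`, would avoid a confusing failure.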