From dd1f7a80b0acfa4072cbd00dc65d75f6b786c190 Mon Sep 17 00:00:00 2001
From: Tomas Coufal
Date: Thu, 11 May 2023 12:30:27 +0200
Subject: [PATCH] chore: verify ArtifactHub ownership as OCI artifact
Signed-off-by: Tomas Coufal
---
 .github/workflows/release.yml | 5 +++++
 charts/backstage/artifacthub-repo.yml | 12 ++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 charts/backstage/artifacthub-repo.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 960b3a95..38a3732d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,6 +49,9 @@ jobs:
 - name: Install Cosign
 uses: sigstore/cosign-installer@204a51a57a74d190b284a0ce69b44bc37201f343 # v3.0.3
+ - name: Install Oras
+ uses: oras-project/setup-oras@c90396b2ddabd5a364e6551a79984c86cc036996 # v1.0.0
+
 - name: Publish and Sign OCI Charts
 run: |
 for chart in `find .cr-release-packages -name '*.tgz' -print`; do
@@ -57,6 +60,8 @@ jobs:
 chart_name=${file_name%-*}
 digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
 cosign sign -y "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}@${digest}"
+
+ oras push "ghcr.io/${GITHUB_REPOSITORY}/${chart_name}:artifacthub.io" "./charts/${chart_name}/artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml"
 done
 env:
 COSIGN_EXPERIMENTAL: 1
diff --git a/charts/backstage/artifacthub-repo.yml b/charts/backstage/artifacthub-repo.yml
new file mode 100644
index 00000000..ab167980
--- /dev/null
+++ b/charts/backstage/artifacthub-repo.yml
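Review bot: In `.github/workflows/release.yml`, the added `oras push` line in the second hunk runs for every packaged chart but assumes `./charts/${chart_name}/artifacthub-repo.yml` exists, while this commit creates that file only for `charts/backstage`. If the step runs under the default `bash -e` shell (no `shell:` setting is visible here), a chart without the file would abort the loop after its package has already been pushed and signed, leaving any remaining charts unpublished. Adding `[ -f "./charts/${chart_name}/artifacthub-repo.yml" ] || continue` just before the push keeps the release going for charts that carry no metadata file. The `artifacthub.io` tag is also mutable and this metadata artifact is not covered by the `cosign sign` call above it, so the ownership claim rests on who holds write access to the package. The `run:` script begins in the previous hunk and the lines that produce `helm-push-output.log` are outside both hunks.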
@@ -0,0 +1,12 @@
+# Artifact Hub repository metadata file
+#
+# Some settings like the verified publisher flag or the ignored packages won't
+# be applied until the next time the repository is processed. Please keep in
+# mind that the repository won't be processed if it has not changed since the
+# last time it was processed. Depending on the repository kind, this is checked
+# in a different way. For Helm http based repositories, we consider it has
+# changed if the `index.yaml` file changes. For git based repositories, it does
+# when the hash of the last commit in the branch you set up changes. This does
+# NOT apply to ownership claim operations, which are processed immediately.
+#
+repositoryID: 23c796cc-343d-4b00-9cae-43b00dc5caa4