feat(ci): push chart to ghcr and sign

[aclerici38]

Adds steps to push the new chart to ghcr as an oci artifact and sign it with cosign keyless.

OCI charts are more efficient and portable than traditional http repos, in addition the chart "living" next to the image in ghcr is nice ux for users. Cosign signing allows verifying the chart has been pushed by the ci here and not by a bad actor.

Use:
helm pull oci://ghcr.io/squat/charts/generic-device-plugin

cosign verify ghcr.io/squat/charts/generic-device-plugin  \
      --certificate-identity-regexp 'https://github.com/squat/generic-device-plugin/' \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com

thanks!

[aclerici38]

I bumped the chart version so the new steps would run, I'm not sure if you'd rather do that outside the PR or wait for an actual change to the chart

[squat]

Thanks @aclerici38! Question for you: if the chart repo is in OCR, should we remove the GitHub pages http repo to avoid confusion? Is it common for projects to have both? I didn't use helm myself so I'm not sure what's more common in the community.

[aclerici38]

should we remove the GitHub pages http repo to avoid confusion? Is it common for projects to have both?

It's definitely common for a chart to have both, though that's usually because the chart existed before OCI repos (adopted in 2022); I've seen a couple new charts just distribute through OCI.

IMO there's no reason to keep the http repo around, I'd just use OCI to distribute the chart. But I'm also not an expert, I only really use helm in my homelab so.. maybe someone else more experienced can chime in on it?