From 948a1cd20008a88769e08d2f4a4979d2d32d13a7 Mon Sep 17 00:00:00 2001 From: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com> Date: Fri, 11 Oct 2024 21:19:32 +0200 Subject: [PATCH] ci: update rc workflow - update job name - enable cosign verification Signed-off-by: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com> --- .../workflows/chart-release-candidate.yaml | 64 +++++++++++-------- .github/workflows/chart-release-snapshot.yaml | 1 + .github/workflows/chart-release-template.yaml | 18 ++++-- 3 files changed, 50 insertions(+), 33 deletions(-) diff --git a/.github/workflows/chart-release-candidate.yaml b/.github/workflows/chart-release-candidate.yaml index 5779ff387c..c41d3529f7 100644 --- a/.github/workflows/chart-release-candidate.yaml +++ b/.github/workflows/chart-release-candidate.yaml @@ -4,6 +4,7 @@ on: push: branches: - release-candidate* + - 2404-aa-update-rc-workflow jobs: release: 
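Review bot: The branch `2404-aa-update-rc-workflow` added to the `push.branches` trigger looks like a personal working branch wired into the release-candidate workflow, so every push to it runs the release path (the called template signs and, when `PUBLISH_ARTIFACT` is true, logs in to GHCR) under a non-release branch identity. The name suggests it is a leftover from testing and should not survive the merge. Drop the added line so the trigger stays `- release-candidate*` only; if a dry-run trigger is genuinely wanted, gate the publish steps on the branch name instead of adding a test branch to a release trigger.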
@@ -11,36 +12,47 @@ jobs: uses: ./.github/workflows/chart-release-template.yaml with: branch: ${{ github.ref_name }} + workflow-ref: chart-release-template.yaml + # chart-matrix: | + # [ + # { + # "name": "Helm Chart RC - 8.2", + # "directory": "charts/camunda-platform-8.2", + # "versionSuffix": "rc-8.2", + # "override": true + # }, + # { + # "name": "Helm Chart RC - 8.3", + # "directory": "charts/camunda-platform-8.3", + # "versionSuffix": "rc-8.3", + # "override": true + # }, + # { + # "name": "Helm Chart RC - 8.4", + # "directory": "charts/camunda-platform-8.4", + # "versionSuffix": "rc-8.4", + # "override": true + # }, + # { + # "name": "Helm Chart RC - 8.5", + # "directory": "charts/camunda-platform-8.5", + # "versionSuffix": "rc-8.5", + # "override": true + # }, + # { + # "name": "Helm Chart RC - 8.6", + # "directory": "charts/camunda-platform-8.6", + # "versionSuffix": "rc-8.6", + # "override": true + # } + # ] + chart-matrix: | [ { - "name": "Helm Chart rolling - 8.2", + "name": "Helm Chart RC - 8.2", "directory": "charts/camunda-platform-8.2", - "versionSuffix": "rc-8.2", - "override": true - }, - { - "name": "Helm Chart rolling - 8.3", - "directory": "charts/camunda-platform-8.3", - "versionSuffix": "rc-8.3", - "override": true - }, - { - "name": "Helm Chart rolling - 8.4", - "directory": "charts/camunda-platform-8.4", - "versionSuffix": "rc-8.4", - "override": true - }, - { - "name": "Helm Chart rolling - 8.5", - "directory": "charts/camunda-platform-8.5", - "versionSuffix": "rc-8.5", - "override": true - }, - { - "name": "Helm Chart rolling - 8.6", - "directory": "charts/camunda-platform-8.6", - "versionSuffix": "rc-8.6", + "versionSuffix": "test-8.2", "override": true } ] diff --git a/.github/workflows/chart-release-snapshot.yaml b/.github/workflows/chart-release-snapshot.yaml index d600470866..f89e398755 100644 --- a/.github/workflows/chart-release-snapshot.yaml +++ b/.github/workflows/chart-release-snapshot.yaml 
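Review bot: The active `chart-matrix` is reduced to a single 8.2 entry whose `versionSuffix` is `test-8.2`, while the five real RC entries are left behind as a commented-out block; as merged, this workflow stops producing RC artifacts for 8.3–8.6 and publishes the 8.2 chart under a `test-` suffix with `override: true`. This reads as work-in-progress state captured in the commit rather than the intended change, since the commit title only mentions the job rename and cosign verification. Restore the live matrix to the five `"name": "Helm Chart RC - 8.x"` entries with their `"versionSuffix": "rc-8.x"` values and delete the commented copy so the workflow file is not carrying two diverging matrices.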
@@ -15,6 +15,7 @@ jobs: uses: ./.github/workflows/chart-release-template.yaml with: branch: ${{ github.ref_name }} + workflow-ref: chart-release-template.yaml chart-matrix: | [ { diff --git a/.github/workflows/chart-release-template.yaml b/.github/workflows/chart-release-template.yaml index c600603d5d..a6431f3e7c 100644 --- a/.github/workflows/chart-release-template.yaml +++ b/.github/workflows/chart-release-template.yaml @@ -11,6 +11,10 @@ on: description: List of charts to release. required: true type: string + workflow-ref: + description: The reference of the workflow which will be used sign the chart OCI artifact in keyless mode. + required: true + type: string jobs: clean: @@ -134,13 +138,13 @@ jobs: run: | cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle - # - name: Verify signed Helm chart with Cosign - # if: env.PUBLISH_ARTIFACT == 'true' - # run: | - # cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ - # --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \ - # --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \ - # --certificate-oidc-issuer "https://token.actions.githubusercontent.com" + - name: Verify signed Helm chart with Cosign + if: env.PUBLISH_ARTIFACT == 'true' + run: | + cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \ + --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \ + --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/${{ inputs.workflow-ref }}@refs/heads/${{ inputs.branch }}" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" - name: Login to GitHub Container Registry if: env.PUBLISH_ARTIFACT == 'true' uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
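Review bot: The description of the new `workflow-ref` input is missing a word ("will be used sign") and slightly misstates what the value is for: in this template it is only interpolated into the `--certificate-identity` passed to `cosign verify-blob`, not into the signing step, and the thing being verified is the chart `.tgz` archive rather than an OCI manifest. Suggest `description: File name of this reusable workflow (as it appears in the OIDC job_workflow_ref claim), used to build the certificate identity expected when verifying the keyless Cosign signature of the chart archive.` Since the value is concatenated into a URL that verification must match exactly, it is also worth stating that it must be the bare file name with no path prefix.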
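Review bot: The new verify step interpolates `${{ inputs.branch }}` and `${{ inputs.workflow-ref }}` straight into the `run:` script; `inputs.branch` is `github.ref_name` in both callers, and a branch name containing `$(…)` or backticks would be evaluated by the shell even inside the double quotes, so the values should be passed through `env:` and referenced as shell variables (the existing `${{ env.CHART_NAME }}` interpolations have the same shape but come from the job's own env). The hard-coded `@refs/heads/` is correct only for callers triggered on a branch; a tag-triggered caller would carry `refs/tags/…` in the Fulcio SAN and verification would fail closed, which is acceptable but deserves a comment such as `# identity is the reusable workflow's job_workflow_ref; callers must run from a branch ref`. Verifying in the same job immediately after `sign-blob` is a useful self-check that the constructed identity matches what Fulcio issued, but the same identity string is what downstream consumers need, so consider surfacing it in the release docs. The enclosing job definition starts outside the hunk.
```yaml
- name: Verify signed Helm chart with Cosign
  if: env.PUBLISH_ARTIFACT == 'true'
  env:
    # Passed via env rather than ${{ }} in the script so branch/file names are
    # never evaluated by the shell.
    WORKFLOW_REF: ${{ inputs.workflow-ref }}
    BRANCH: ${{ inputs.branch }}
  run: |
    # Identity is the reusable workflow's job_workflow_ref; callers must run from a branch ref.
    cosign verify-blob "${CHART_NAME}-${CHART_VERSION}.tgz" \
      --bundle "${CHART_NAME}-${CHART_VERSION}.cosign.bundle" \
      --certificate-identity "https://github.com/${GITHUB_REPOSITORY}/.github/workflows/${WORKFLOW_REF}@refs/heads/${BRANCH}" \
      --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
# … unchanged: Login to GitHub Container Registry step …
```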