@aRustyDev
Owner

Summary

  • Consolidates all release logic into release-please.yaml workflow
  • Removes redundant release.yaml that was causing race conditions
  • Adds comprehensive signing for all release targets

Release Targets (All Signed)

| Target | Signing Method |
|---|---|
| GitHub Releases | Cosign blob signature (.tgz.sig) uploaded to release |
| GHCR / GitHub Packages | Cosign keyless signing for OCI artifacts |
| Charts branch | Published via chart-releaser (signatures in releases) |

Publishing Pipeline

  1. chart-releaser - Creates GitHub Releases + updates charts branch
  2. Sign Release assets - Cosign signs .tgz files, uploads .sig to releases
  3. Push to GHCR - Helm push to OCI registry
  4. Sign GHCR artifacts - Cosign keyless signing
  5. Build attestations - SLSA provenance for all packages

Verification Commands

```bash
# Verify GHCR OCI artifact
cosign verify ghcr.io/arustydev/charts/<chart>:<version> \
  --certificate-identity-regexp="https://github.com/aRustyDev/helm-charts/.github/workflows/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

# Verify GitHub Release asset
gh release download <chart>-<version> --repo aRustyDev/helm-charts
cosign verify-blob --signature <chart>-<version>.tgz.sig \
  --certificate-identity-regexp="https://github.com/aRustyDev/helm-charts/.github/workflows/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  <chart>-<version>.tgz
```

Test plan

  • Merge PR chore(main): release mdbook-htmx 0.2.1 #23 (release-please PR for mdbook-htmx 0.2.1) to trigger release
  • Verify all 5 release steps complete successfully
  • Confirm signatures present on GitHub Release and GHCR
  • Test verification commands work

🤖 Generated with Claude Code

### Added
- Sign GitHub Release assets with Cosign blob signatures (.tgz.sig)
- Upload signatures to GitHub Releases for verification
- Detailed verification commands in release documentation

### Changed
- Consolidated all release logic into release-please.yaml
- Enhanced release-charts job with 5-step publishing pipeline
- Updated docs/src/ci/release.md with all publishing targets

### Removed
- Deleted redundant release.yaml workflow (caused race condition)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cloudflare-workers-and-pages

Deploying helm-charts with Cloudflare Pages

Latest commit: d6d7332
Status: ✅  Deploy successful!
Preview URL: https://f9086250.helm-charts-76l.pages.dev
Branch Preview URL: https://fix-consolidate-release-work.helm-charts-76l.pages.dev


@aRustyDev aRustyDev merged commit a89df01 into main Jan 6, 2026
15 checks passed
@aRustyDev aRustyDev deleted the fix/consolidate-release-workflow branch January 6, 2026 08:35
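
The verification commands in the PR description accept any workflow file and any ref in the repository as the signer identity. The script below is an added example, not part of the PR or the project's workflows: it builds an anchored pattern pinned to `release-please.yaml` and compares what each pattern accepts. The `refs/heads/main` ref, the `lint.yaml` workflow name and the sample identities are assumptions constructed for illustration, and `grep -E` stands in for the verifier's matching as an unanchored search.

```shell
#!/bin/sh
# Added example: pin the expected signer identity for cosign verification.
REPO="aRustyDev/helm-charts"      # repository named in the PR
WORKFLOW="release-please.yaml"    # workflow named in the PR
REF="refs/heads/main"             # ASSUMPTION: releases are signed from main
ISSUER="https://token.actions.githubusercontent.com"
BROAD="https://github.com/aRustyDev/helm-charts/.github/workflows/.*"  # from the PR

# Escape dots, the only regex metacharacter expected in these names.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Anchored pattern for exactly one workflow file on exactly one ref.
pinned_identity() {
  printf '^https://github\\.com/%s/\\.github/workflows/%s@%s$' \
    "$(re_escape "$REPO")" "$(re_escape "$WORKFLOW")" "$(re_escape "$REF")"
}

# Offline model of the identity check: unanchored ERE search (assumption).
identity_accepted() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# Constructed certificate identities (workflow path @ ref) for comparison.
BASE="https://github.com/aRustyDev/helm-charts/.github/workflows"
SAN_RELEASE="$BASE/release-please.yaml@refs/heads/main"
SAN_OTHER="$BASE/lint.yaml@refs/heads/feature-x"        # hypothetical workflow
SAN_PR="$BASE/release-please.yaml@refs/pull/1/merge"    # hypothetical PR ref

# The PR's two verification commands with the pinned identity.
# Needs cosign, gh and network access; any failed check returns non-zero.
verify_chart() {  # usage: verify_chart <chart> <version>
  chart="$1"; version="$2"; id="$(pinned_identity)"
  cosign verify "ghcr.io/arustydev/charts/${chart}:${version}" \
    --certificate-identity-regexp="$id" \
    --certificate-oidc-issuer="$ISSUER" || return 1
  gh release download "${chart}-${version}" --repo "$REPO" || return 1
  cosign verify-blob --signature "${chart}-${version}.tgz.sig" \
    --certificate-identity-regexp="$id" \
    --certificate-oidc-issuer="$ISSUER" \
    "${chart}-${version}.tgz"
}

# Show which identities each pattern accepts.
for san in "$SAN_RELEASE" "$SAN_OTHER" "$SAN_PR"; do
  for pat in "$BROAD" "$(pinned_identity)"; do
    if identity_accepted "$pat" "$san"; then r=accept; else r=reject; fi
    printf '%-6s %s\n       pattern: %s\n' "$r" "$san" "$pat"
  done
done
```

If releases are ever signed from a tag or another branch, change `REF` to match; the pinned pattern rejects everything else by design.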