From db956fb4771cd0e182a847a1d7942e4356ee297e Mon Sep 17 00:00:00 2001
From: Anthony Clerici
Date: Fri, 6 Mar 2026 02:55:23 -0800
Subject: [PATCH] feat: add cosign signing to chart OCI artifact
---
 .github/workflows/helm-chart.yml | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
index ecac0fe..fd67925 100644
--- a/.github/workflows/helm-chart.yml
+++ b/.github/workflows/helm-chart.yml
@@ -11,6 +11,7 @@ jobs:
 permissions:
 contents: write
 packages: write
+ id-token: write
 steps:
 - name: Checkout
 uses: actions/checkout@v3
@@ -24,10 +25,19 @@ jobs:
 # https://github.com/marketplace/actions/helm-oci-charts-releaser
 - name: Run chart-releaser
+ id: releaser
 uses: bitdeps/helm-oci-charts-releaser@v0.1.5
 with:
- oci_registry: ghcr.io/versity/versitygw/charts
- oci_username: versity
- oci_password: ${{ secrets.GITHUB_TOKEN }}
- github_token: ${{ secrets.GITHUB_TOKEN }}
- charts_dir: "."
+ oci_registry: ghcr.io/versity/versitygw/charts
+ oci_username: versity
+ oci_password: ${{ secrets.GITHUB_TOKEN }}
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ charts_dir: "."
+
+ - name: Install cosign
+ if: steps.releaser.outputs.changed_charts != ''
+ uses: sigstore/cosign-installer@v4.0.0
+
+ - name: Sign chart with cosign
+ if: steps.releaser.outputs.changed_charts != ''
+ run: cosign sign --yes ghcr.io/versity/versitygw/charts/versitygw:${{ steps.releaser.outputs.chart_version }}
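Review bot: `id-token: write` is granted at job level, so every step in this job can request an OIDC token for the workflow identity, including `actions/checkout@v3` and `bitdeps/helm-oci-charts-releaser@v0.1.5`, both referenced by mutable tags. Because the same job already holds `contents: write` and `packages: write`, I would pin each `uses:` to a full commit SHA, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v4.0.0`. Alternatively, move the two cosign steps into a separate job that carries only `packages: write` and `id-token: write`. The `steps:` list continues outside this hunk, so steps not shown here inherit the new permission as well.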
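Review bot: The `Sign chart with cosign` step signs a tag reference (`versitygw:${{ steps.releaser.outputs.chart_version }}`), so the signature is bound to whatever digest that tag resolves to when the step runs, which is not guaranteed to be the artifact the releaser just pushed; signing by digest (`...@sha256:<digest>`) removes that window. The step output is also expanded directly into the shell line; passing it through `env:` and quoting it keeps an unexpected version string out of the script text, e.g. `run: cosign sign --yes "ghcr.io/versity/versitygw/charts/versitygw@${CHART_DIGEST}"`, where `CHART_DIGEST` is a placeholder name for a variable set under `env:` from the push result. No registry login for cosign is visible in this hunk, so please confirm that the credentials the releaser step sets up are readable by cosign, otherwise the signature push will likely fail with an authorization error. The chart name is hard-coded while both `if:` conditions key on `changed_charts`, which holds only while the repository publishes a single chart.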