Merge branch 'develop' into main

clemlesne · Apr 3, 2023 · 5dfca58 · 5dfca58
2 parents 5d8bcaf + 9b13706
commit 5dfca58
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -42,16 +42,24 @@ jobs:
         with:
           version: v3.11.2
 
+      - name: Prepare GPG key for Helm chart
+        run: |
+          echo "${{ secrets.GPG_KEYRING }}" | gpg --dearmor > keyring.gpg
+
       - name: Package Helm chart
         run: |
           cp README.md src/helm/azure-pipelines-agent/
+
           helm package \
-            --version ${{ steps.version.outputs.version }} \
             --app-version ${{ steps.version.outputs.version }} \
             --destination .cr-release-packages \
+            --key 'Clémence Lesné' \
+            --keyring keyring.gpg \
+            --sign \
+            --version ${{ steps.version.outputs.version }} \
             src/helm/azure-pipelines-agent
 
-      - name: Upload Helm chart
+      - name: Cache Helm chart
         uses: actions/upload-artifact@v3
         with:
           name: helm-chart

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,5 +1,9 @@
 # Security Policy
 
+## Chain of trust
+
+The Helm chart is signed with a GPG key. [The public key is available on Keybase at the following address.](https://keybase.io/clemlesne/pgp_keys.asc)
+
 ## Reliability notes
 
 Systems are built every days. Each image is accompanied by a SBOM (Software Bill of Materials) which allows to verify that the installed packages are those expected. This speed has the advantage of minimizing exposure to security flaws, which will then be corrected on the build environments in 24 hours. To do this, by default, Kubernetes downloads the image at each pod deployment.