From 742ee349805be370944a2ac2a77946b36907e38f Mon Sep 17 00:00:00 2001
From: Matthew Rogers
Date: Mon, 18 Nov 2024 15:30:32 +0000
Subject: [PATCH] fix: sign helm chart (#45)

---
 .circleci/config.yml | 1 +
 .github/workflows/sigstore.yml | 33 +++++++++++++++++++++++++++++++++
 README.md | 11 +++++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 .github/workflows/sigstore.yml

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 83aaa91..9d4a3b1 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -162,6 +162,7 @@ jobs:
 - run:
 name: Run semantic-release
 command: npx semantic-release
+## Note - signing happens via GitHub Action to leverage OIDC. CircleCI doesn't support this directly, yet.
 security_scans:
 docker:
diff --git a/.github/workflows/sigstore.yml b/.github/workflows/sigstore.yml
new file mode 100644
index 0000000..ba39884
--- /dev/null
+++ b/.github/workflows/sigstore.yml
@@ -0,0 +1,33 @@
+on:
+ ## This workflow only runs on the default branch
+ check_suite:
+ types: [completed]
+
+jobs:
+ sign:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ name: Sign Chart
+ steps:
+ - name: Checkout
+ uses: actions/checkout@main
+ with:
+ fetch-depth: 0
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.7.0
+ - name: Check Cosign
+ run: cosign version
+ - name: Cosign with OIDC
+ run: |
+ # Get the latest tag
+ LATEST_TAG=$(git describe --tags 'git rev-list --tags --max-count=1')
+ # Obtain the digest from this tag
+ DIGEST=$(curl "https://hub.docker.com/v2/repositories/snyk/snyk-universal-broker/tags/${LATEST_TAG}" | jq '.digest' -r)
+ # Sign the image, using GitHub as an OIDC provider
+ cosign sign --yes oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}
+ - name: Verify signature
+ run: |
+ cosign verify oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}
+ cosign verify oci://registry-1.docker.io/snyk/snyk-universal-broker-helm@${LATEST_TAG}
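Review bot: `LATEST_TAG=$(git describe --tags 'git rev-list --tags --max-count=1')` in the "Cosign with OIDC" step passes the single-quoted string as a literal commit-ish, so `git describe` fails and the tag is empty; the inner command needs `$(...)`. `LATEST_TAG` and `DIGEST` are also read in the separate "Verify signature" step, where they are unset because shell variables do not survive across steps unless written to `$GITHUB_ENV`, and the digest is looked up in the `snyk/snyk-universal-broker` repository while the reference being signed is `snyk-universal-broker-helm` (the README hunk in this same commit pulls the chart from `snyk/snyk-universal-broker`, so which reference is the chart should be confirmed). The `oci://` scheme is Helm's, not something cosign parses as a registry reference, and cosign v2 (which `cosign-installer@v3.7.0` installs, if I read the pin correctly) refuses keyless `cosign verify` without `--certificate-identity`/`--certificate-identity-regexp` and `--certificate-oidc-issuer`, so the verify step as written cannot confirm who signed. Because the job holds `id-token: write`, `actions/checkout@main` should be pinned to a commit SHA rather than a mutable branch, and `curl` should use `-fsSL` with `jq -er` so an HTTP error or missing field fails the job instead of signing `null`. Rewritten signing and verification steps below; the org/repo in the identity regexp is a placeholder.
```yaml
      - name: Cosign with OIDC
        run: |
          set -euo pipefail
          # Latest tag in the clone (fetch-depth: 0 above makes tags available)
          LATEST_TAG=$(git describe --tags "$(git rev-list --tags --max-count=1)")
          # Digest of the artifact actually being signed; fail on HTTP error or missing field
          DIGEST=$(curl -fsSL "https://hub.docker.com/v2/repositories/snyk/snyk-universal-broker-helm/tags/${LATEST_TAG}" | jq -er '.digest')
          case "$DIGEST" in sha256:*) ;; *) echo "unexpected digest: $DIGEST" >&2; exit 1 ;; esac
          # Export for the next step; shell variables do not carry across steps
          { echo "LATEST_TAG=${LATEST_TAG}"; echo "DIGEST=${DIGEST}"; } >> "$GITHUB_ENV"
          # Sign the chart, using GitHub as an OIDC provider (plain registry reference, no oci://)
          cosign sign --yes "registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}"
      - name: Verify signature
        run: |
          # Keyless verification must pin the expected signer identity and issuer
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/<ORG>/<REPO>/' \
            "registry-1.docker.io/snyk/snyk-universal-broker-helm@${DIGEST}"
```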
diff --git a/README.md b/README.md
index c825659..b9ec2a2 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,9 @@ This is a Helm Chart to deploy the [Snyk Universal Broker](https://docs.snyk.io/
 ## Requirements
+- Helm `3.8.0` or newer
+- (Optionally) the `helm-sigstore` Helm plugin, or `cosign`
+
 ### Networking
 #### Outbound
@@ -21,6 +24,14 @@ If a proxy, firewall, or other network appliance sits between Broker and the pub
 - the above domains are whitelisted, _and_
 - the proxy, firewall or other network appliance supports the websockets protocol
+## Installing the Helm Chart for Universal Broker
+
+Pull the Helm Chart, and provide any configuration necessary:
+
+```
+helm pull oci://registry-1.docker.io/snyk/snyk-universal-broker
+```
+
 ## Basic Configuration
 ### Selecting your Snyk Region