From ee6910736e08c9b7717f3914cbae41e198b5b3ee Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia <peppescg@gmail.com>
Date: Mon, 22 Dec 2025 16:37:25 +0100
Subject: [PATCH 1/5] ci: publish helm chart

---
 .github/workflows/releaser-helm-chart.yml | 99 +++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 .github/workflows/releaser-helm-chart.yml

diff --git a/.github/workflows/releaser-helm-chart.yml b/.github/workflows/releaser-helm-chart.yml
new file mode 100644
index 00000000..389573e5
--- /dev/null
+++ b/.github/workflows/releaser-helm-chart.yml
@@ -0,0 +1,99 @@
+#
+# Copyright 2025 Stacklok, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Workflow to publish Helm chart to OCI registry (ghcr.io)
+# with Cosign signing for supply chain security.
+#
+# Triggered on version tags (v*) - same as Docker image publish.
+#
+# Usage:
+#   helm install toolhive-cloud-ui oci://ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui --version 0.0.7
+#
+# Verify signature:
+#   cosign verify ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui:0.0.7
+
+name: Publish Helm Chart to OCI
+
+on:
+    push:
+        tags: ["v*"]
+
+permissions:
+    contents: read
+    packages: write
+    id-token: write
+
+env:
+    CHART_PATH: helm
+    REGISTRY: ghcr.io
+    REGISTRY_PATH: ghcr.io/${{ github.repository }}
+
+jobs:
+    release-helm-chart:
+        name: Package and Publish Helm Chart
+        runs-on: ubuntu-latest
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+
+            - name: Set up Helm
+              uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+              with:
+                  version: "latest"
+
+            - name: Get Version from Tag
+              id: version
+              run: |
+                  # Remove 'v' prefix from tag (v0.0.7 -> 0.0.7)
+                  VERSION="${GITHUB_REF_NAME#v}"
+                  echo "version=${VERSION}" >> $GITHUB_OUTPUT
+                  echo "Chart version: ${VERSION}"
+
+            - name: Update Chart.yaml with Tag Version
+              run: |
+                  sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" ${{ env.CHART_PATH }}/Chart.yaml
+                  sed -i "s/^appVersion:.*/appVersion: \"${{ steps.version.outputs.version }}\"/" ${{ env.CHART_PATH }}/Chart.yaml
+                  echo "Updated Chart.yaml:"
+                  cat ${{ env.CHART_PATH }}/Chart.yaml
+
+            - name: Login to GitHub Container Registry
+              uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+              with:
+                  registry: ${{ env.REGISTRY }}
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Install Cosign
+              uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+            - name: Package Helm Chart
+              run: |
+                  helm package ${{ env.CHART_PATH }} --destination .helm-packages
+
+            - name: Push and Sign Helm Chart to OCI
+              run: |
+                  for chart in .helm-packages/*.tgz; do
+                    echo "Pushing ${chart} to OCI registry..."
+                    helm push "${chart}" oci://${{ env.REGISTRY_PATH }} |& tee helm-push-output.log
+                    
+                    # Extract chart name and digest for signing
+                    file_name="${chart##*/}"
+                    chart_name="${file_name%-*}"
+                    digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
+                    
+                    echo "Signing chart: ${{ env.REGISTRY_PATH }}/${chart_name}@${digest}"
+                    cosign sign -y "${{ env.REGISTRY_PATH }}/${chart_name}@${digest}"
+                  done

From 1cabc318171344b1f3f9c8b92d0d9425e4230226 Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia <peppescg@gmail.com>
Date: Thu, 22 Jan 2026 13:01:58 +0100
Subject: [PATCH 2/5] fix(ci): update checkout action and improve cosign error
 handling

- Update checkout action to v5.0.1 SHA matching repo standard
- Add strict error handling with set -euo pipefail
- Fix stderr/stdout redirection for better portability
- Add digest extraction validation with helpful error output

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .github/workflows/releaser-helm-chart.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/releaser-helm-chart.yml b/.github/workflows/releaser-helm-chart.yml
index 389573e5..a7d7246f 100644
--- a/.github/workflows/releaser-helm-chart.yml
+++ b/.github/workflows/releaser-helm-chart.yml
@@ -47,7 +47,7 @@ jobs:
 
         steps:
             - name: Checkout
-              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+              uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
             - name: Set up Helm
               uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
@@ -85,15 +85,22 @@ jobs:
 
             - name: Push and Sign Helm Chart to OCI
               run: |
+                  set -euo pipefail
                   for chart in .helm-packages/*.tgz; do
                     echo "Pushing ${chart} to OCI registry..."
-                    helm push "${chart}" oci://${{ env.REGISTRY_PATH }} |& tee helm-push-output.log
-                    
+                    helm push "${chart}" oci://${{ env.REGISTRY_PATH }} 2>&1 | tee helm-push-output.log
+
                     # Extract chart name and digest for signing
                     file_name="${chart##*/}"
                     chart_name="${file_name%-*}"
-                    digest=$(awk -F "[, ]+" '/Digest/{print $NF}' < helm-push-output.log)
-                    
+                    digest=$(grep -oP 'Digest: \K\S+' helm-push-output.log)
+
+                    if [[ -z "$digest" ]]; then
+                      echo "ERROR: Failed to extract digest from helm push output"
+                      cat helm-push-output.log
+                      exit 1
+                    fi
+
                     echo "Signing chart: ${{ env.REGISTRY_PATH }}/${chart_name}@${digest}"
                     cosign sign -y "${{ env.REGISTRY_PATH }}/${chart_name}@${digest}"
                   done

From 1a84ed9729de605e94dd48b64432467a915ca4cd Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia <peppescg@gmail.com>
Date: Thu, 22 Jan 2026 13:08:19 +0100
Subject: [PATCH 3/5] fix(ci): fix chart name extraction for cosign signing

Use helm show chart to extract the actual chart name instead of
parsing the filename, which fails when version contains dashes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .github/workflows/releaser-helm-chart.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/releaser-helm-chart.yml b/.github/workflows/releaser-helm-chart.yml
index a7d7246f..cd141e62 100644
--- a/.github/workflows/releaser-helm-chart.yml
+++ b/.github/workflows/releaser-helm-chart.yml
@@ -90,9 +90,8 @@ jobs:
                     echo "Pushing ${chart} to OCI registry..."
                     helm push "${chart}" oci://${{ env.REGISTRY_PATH }} 2>&1 | tee helm-push-output.log
 
-                    # Extract chart name and digest for signing
-                    file_name="${chart##*/}"
-                    chart_name="${file_name%-*}"
+                    # Extract chart name from the packaged chart and digest for signing
+                    chart_name=$(helm show chart "${chart}" | grep '^name:' | awk '{print $2}')
                     digest=$(grep -oP 'Digest: \K\S+' helm-push-output.log)
 
                     if [[ -z "$digest" ]]; then

From 76c0cf58e06d0408d86340577e39c5b4ac7a5e90 Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia <peppescg@gmail.com>
Date: Thu, 22 Jan 2026 13:21:47 +0100
Subject: [PATCH 4/5] docs(ci): fix cosign verify command with keyless
 verification flags

Add --certificate-identity-regexp and --certificate-oidc-issuer flags
required for verifying artifacts signed with Sigstore keyless signing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .github/workflows/releaser-helm-chart.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/releaser-helm-chart.yml b/.github/workflows/releaser-helm-chart.yml
index cd141e62..a9cc52ed 100644
--- a/.github/workflows/releaser-helm-chart.yml
+++ b/.github/workflows/releaser-helm-chart.yml
@@ -22,7 +22,10 @@
 #   helm install toolhive-cloud-ui oci://ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui --version 0.0.7
 #
 # Verify signature:
-#   cosign verify ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui:0.0.7
+#   cosign verify \
+#     --certificate-identity-regexp='https://github.com/stacklok/toolhive-cloud-ui/.*' \
+#     --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
+#     ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui:0.0.7
 
 name: Publish Helm Chart to OCI
 

From 0ec9f2efc9ce02cc76e5d55f342a6663d0122510 Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia <peppescg@gmail.com>
Date: Mon, 2 Feb 2026 19:02:01 +0100
Subject: [PATCH 5/5] add VERSION

---
 VERSION | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 VERSION

diff --git a/VERSION b/VERSION
new file mode 100644
index 00000000..6c6aa7cb
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+0.1.0
\ No newline at end of file