From 062ecd75a6f6ecb5af570f145e4a3c382df6b9b0 Mon Sep 17 00:00:00 2001
From: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com>
Date: Fri, 11 Oct 2024 21:19:32 +0200
Subject: [PATCH] wip
Signed-off-by: Ahmed AbouZaid <6760103+aabouzaid@users.noreply.github.com>
---
 .../workflows/chart-release-candidate.yaml | 65 +++++++++++--------
 .github/workflows/chart-release-template.yaml | 19 ++++--
 2 files changed, 50 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/chart-release-candidate.yaml b/.github/workflows/chart-release-candidate.yaml
index 5779ff387c..1623001cbe 100644
--- a/.github/workflows/chart-release-candidate.yaml
+++ b/.github/workflows/chart-release-candidate.yaml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - release-candidate*
+ - 2404-aa-update-rc-workflow
 jobs:
 release:
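Review bot: The new `- 2404-aa-update-rc-workflow` entry under `push.branches` makes the release-candidate workflow run on a personal feature branch, which reads as a test hook for this WIP commit rather than something to merge; the same branch name is hard-coded into the `workflow-ref` input and the matrix is cut down to a single `test-8.2` entry in the next hunk of this file. All three should be reverted before the change leaves draft, since a push to any branch matching this list reaches the release job, and if that job gets as far as its publish steps the artifacts come from a non-RC ref. If a trigger is needed for iterating on the workflow, a `workflow_dispatch` entry is narrower than widening `push` on the RC pipeline.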
@@ -11,36 +12,46 @@ jobs:
 uses: ./.github/workflows/chart-release-template.yaml
 with:
 branch: ${{ github.ref_name }}
+ workflow-ref: "camunda/camunda-platform-helm/.github/workflows/chart-release-template.yaml@refs/heads/2404-aa-update-rc-workflow"
+ # chart-matrix: |
+ # [
+ # {
+ # "name": "Helm Chart RC - 8.2",
+ # "directory": "charts/camunda-platform-8.2",
+ # "versionSuffix": "rc-8.2",
+ # "override": true
+ # },
+ # {
+ # "name": "Helm Chart RC - 8.3",
+ # "directory": "charts/camunda-platform-8.3",
+ # "versionSuffix": "rc-8.3",
+ # "override": true
+ # },
+ # {
+ # "name": "Helm Chart RC - 8.4",
+ # "directory": "charts/camunda-platform-8.4",
+ # "versionSuffix": "rc-8.4",
+ # "override": true
+ # },
+ # {
+ # "name": "Helm Chart RC - 8.5",
+ # "directory": "charts/camunda-platform-8.5",
+ # "versionSuffix": "rc-8.5",
+ # "override": true
+ # },
+ # {
+ # "name": "Helm Chart RC - 8.6",
+ # "directory": "charts/camunda-platform-8.6",
+ # "versionSuffix": "rc-8.6",
+ # "override": true
+ # }
+ # ]
 chart-matrix: |
 [
 {
- "name": "Helm Chart rolling - 8.2",
+ "name": "Helm Chart RC - 8.2",
 "directory": "charts/camunda-platform-8.2",
- "versionSuffix": "rc-8.2",
- "override": true
- },
- {
- "name": "Helm Chart rolling - 8.3",
- "directory": "charts/camunda-platform-8.3",
- "versionSuffix": "rc-8.3",
- "override": true
- },
- {
- "name": "Helm Chart rolling - 8.4",
- "directory": "charts/camunda-platform-8.4",
- "versionSuffix": "rc-8.4",
- "override": true
- },
- {
- "name": "Helm Chart rolling - 8.5",
- "directory": "charts/camunda-platform-8.5",
- "versionSuffix": "rc-8.5",
- "override": true
- },
- {
- "name": "Helm Chart rolling - 8.6",
- "directory": "charts/camunda-platform-8.6",
- "versionSuffix": "rc-8.6",
+ "versionSuffix": "test-8.2",
 "override": true
 }
- ]
+ ]
\ No newline at end of file
diff --git a/.github/workflows/chart-release-template.yaml b/.github/workflows/chart-release-template.yaml
index c600603d5d..c4f26b66df 100644
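Review bot: `workflow-ref` is passed as a literal string naming one specific branch, so the expected signing identity used by the template's verify step stops matching as soon as this caller runs from any other ref, which is every `release-candidate*` branch the trigger is meant for. Because the template is invoked with a local `uses: ./.github/workflows/...`, the called workflow runs at the caller's own commit, so the value can be derived rather than typed: `workflow-ref: "${{ github.repository }}/.github/workflows/chart-release-template.yaml@${{ github.ref }}"` — worth confirming once against the `job_workflow_ref` claim of a real run before relying on it. The thirty-odd commented-out `# chart-matrix` lines are a second copy of the live matrix and should be removed rather than kept as dead configuration. The replacement `]` also drops the file's trailing newline (`\ No newline at end of file`); restore it so the file stays lint-clean.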
--- a/.github/workflows/chart-release-template.yaml
+++ b/.github/workflows/chart-release-template.yaml
@@ -7,6 +7,10 @@ on:
 description: List of charts to release.
 required: true
 type: string
+ workflow-ref:
+ description: The reference of the workflow which will be used sign the chart OCI artifact in keyless mode.
+ required: true
+ type: string
 chart-matrix:
 description: List of charts to release.
 required: true
@@ -134,13 +138,14 @@ jobs:
 run: |
 cosign sign-blob -y ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
 --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle
- # - name: Verify signed Helm chart with Cosign
- # if: env.PUBLISH_ARTIFACT == 'true'
- # run: |
- # cosign verify-blob ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
- # --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \
- # --certificate-identity "https://github.com/${GITHUB_WORKFLOW_REF}" \
- # --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+ - name: Verify signed Helm chart with Cosign
+ if: env.PUBLISH_ARTIFACT == 'true'
+ run: |
+ cosign verify-blob -d ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz \
+ --bundle ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.cosign.bundle \
+ --certificate-identity "https://github.com/${{ inputs.workflow-ref }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ --certificate-github-workflow-ref="${{ inputs.workflow-ref }}"
 - name: Login to GitHub Container Registry
 if: env.PUBLISH_ARTIFACT == 'true'
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
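Review bot: The `workflow-ref` input description has a typo (`used sign` should be `used to sign`) and does not say what shape the value must have, even though the verify step later in this file compares it byte-for-byte against the signing certificate's identity. Suggest `description: Workflow reference used as the expected Cosign keyless signing identity, in the form owner/repo/.github/workflows/file.yaml@refs/heads/branch.` so a caller knows a bare branch name or a caller-workflow path will not verify. The enclosing `inputs` mapping starts before this hunk.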
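Review bot: `--certificate-github-workflow-ref="${{ inputs.workflow-ref }}"` on the last added line feeds an `owner/repo/path@ref` string to a flag that, as far as I recall, checks the OIDC token's `ref` claim — a plain git ref such as `refs/heads/release-candidate-8.6` — so verification would fail on every signature even when the identity is right. The simplest fix is to drop that line, since `--certificate-identity` together with `--certificate-oidc-issuer` already pins the signer to this workflow; if the extra constraint is wanted, pass the git ref alone, e.g. `--certificate-github-workflow-ref="${{ github.ref }}"`. The `-d` added to `cosign verify-blob` appears to be the global verbose/debug switch and looks like a debugging leftover. Both `${{ inputs.workflow-ref }}` expansions are interpolated straight into the `run:` script text; routing the value through a step-level `env:` and quoting `"$WORKFLOW_REF"` in the script is the safer pattern for caller-supplied inputs.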