A Simple Helm Charts Repository on GitHub
I just released webmentiond-0.2.0 on GitHub, i.e. version 0.2.0 of my webmentiond Helm chart. I didn’t need to tag it or create a release myself. Instead, I used the chart-releaser action to automate it as I planned. All I have to do now is maintain a directory for each chart and bump the version in the appropriate Chart.yaml when I want to publish it. Then anyone can install it from the https://shivjm.github.io/helm-charts/ repository. Simple indeed.
What wasn’t simple was trying to set up GPG signing by following these steps:
- Create a GPG key (without a passphrase, to keep things simple).
- Export the secret key in binary format with gpg --export-secret-keys keyid.
- Encode the exported key as Base64.
- Put the key in a repository secret named GPG_KEYRING_BASE64.
- Add the key creation script from the charts-repo-actions-demo release workflow to prepare the required key files.
- Set sign: true in cr.yaml.
It failed when signing the charts, saying it expected a public/private key. I tried again with the ASCII version of the key, just to be sure, but it failed with a different error about the MSB of some tag. When I tried putting both the public and the private key (encoded as required) in the variable, I got the first error again. I decided to drop the idea.
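A pre-flight check that could be run on the GPG_KEYRING_BASE64 value before signing, added here as an example and not taken from this post or from chart-releaser: it decodes the value and reads the first OpenPGP packet header (RFC 4880, section 4.2), where every binary packet has its most significant bit set, to tell a binary secret-key export from a public key or an ASCII-armored file. The function names and the three-byte samples are constructed, and that the signer wants the binary secret-key form is an assumption based on the export step in the list above.

```shell
#!/bin/sh
# Classify a Base64-encoded keyring by the first byte of the decoded data.
# Prints one of: binary-secret-key, binary-public-key, binary-other-packet,
# ascii-armored, not-openpgp, empty-or-invalid-base64.
classify_keyring_b64() {
  first=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tu1 -N1 | tr -d ' \n')
  if [ -z "$first" ]; then
    echo "empty-or-invalid-base64"; return 0
  fi
  if [ "$first" -eq 45 ]; then            # '-' as in "-----BEGIN PGP ..."
    echo "ascii-armored"; return 0
  fi
  if [ $(( first & 128 )) -eq 0 ]; then   # binary packet headers always set the MSB
    echo "not-openpgp"; return 0
  fi
  if [ $(( first & 64 )) -ne 0 ]; then
    tag=$(( first & 63 ))                 # new-format header: tag in bits 5-0
  else
    tag=$(( (first & 60) >> 2 ))          # old-format header: tag in bits 5-2
  fi
  case "$tag" in
    5) echo "binary-secret-key" ;;        # Secret-Key packet
    6) echo "binary-public-key" ;;        # Public-Key packet
    *) echo "binary-other-packet" ;;
  esac
}

# Succeeds only for the form produced by gpg --export-secret-keys without --armor
# (assumed to be what the signing step needs).
keyring_ready_for_signing() {
  [ "$(classify_keyring_b64 "$1")" = "binary-secret-key" ]
}

# Constructed samples: packet headers only, no key material.
for sample in lQEA mQEA xQEA; do
  printf '%s -> %s\n' "$sample" "$(classify_keyring_b64 "$sample")"
done
```

In a workflow step the call would be keyring_ready_for_signing "$GPG_KEYRING_BASE64", failing the job early instead of at signing time.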
I’m consoling myself with the reflection that chart integrity and provenance seem to be of little importance, given that verification is disabled by default.