feat(gha): provide crds subchart as oci artifact

Signed-off-by: Bence Csati <bence.csati@axoflow.com>

Author: csatib02

.github/workflows/artifacts.yaml

@@ -35,6 +35,15 @@ on:
       helm-chart-package:
         description: Helm chart package name
         value: ${{ jobs.helm-chart.outputs.package }}
+      subchart-name:
+        description: CRD subchart OCI name
+        value: ${{ jobs.crd-subchart.outputs.name }}
+      subchart-tag:
+        description: CRD subchart tag
+        value: ${{ jobs.crd-subchart.outputs.tag }}
+      subchart-package:
+        description: CRD subchart package name
+        value: ${{ jobs.crd-subchart.outputs.package }}
 
 permissions:
   contents: read
@@ -373,3 +382,126 @@ jobs:
         uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: trivy-results.sarif
+
+  crd-subchart:
+    if: github.repository == 'kube-logging/logging-operator'
+    name: CRD subchart
+    runs-on: ubuntu-latest
+  
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      security-events: write
+  
+    outputs:
+      name: ${{ steps.oci-chart-name.outputs.value }}
+      tag: ${{ steps.version.outputs.value }}
+      package: ${{ steps.build.outputs.package }}
+  
+    env:
+      subchartPath: logging-operator/charts/crds
+      subchartName: crds
+  
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+  
+      - name: Set up Helm
+        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.12.0
+  
+      - name: Set up Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+  
+      - name: Set chart name
+        id: chart-name
+        run: echo "value=${{ github.event.repository.name }}/$subchartName" >> "$GITHUB_OUTPUT"
+  
+      - name: Set OCI registry name
+        id: oci-registry-name
+        run: echo "value=ghcr.io/${{ github.repository_owner }}/helm-charts" >> "$GITHUB_OUTPUT"
+  
+      - name: Set OCI chart name
+        id: oci-chart-name
+        run: echo "value=${{ steps.oci-registry-name.outputs.value }}/${{ steps.chart-name.outputs.value }}" >> "$GITHUB_OUTPUT"
+  
+      - name: Helm lint
+        run: helm lint charts/$subchartPath
+  
+      - name: Determine raw version
+        uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
+        id: version
+        with:
+          cond: ${{ inputs.release }}
+          if_true: ${{ github.ref_name }}
+          if_false: 0.0.0
+  
+      - name: Helm package
+        id: build
+        run: |
+          helm package charts/$subchartPath --version ${{ steps.version.outputs.value }} --app-version ${{ steps.version.outputs.value }}
+          echo "package=${{ github.workspace }}/$subchartName-${{ steps.version.outputs.value }}.tgz" >> "$GITHUB_OUTPUT"
+  
+      - name: Upload chart as artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: "[${{ github.job }}] Helm chart"
+          path: ${{ steps.build.outputs.package }}
+  
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+        if: inputs.publish && inputs.release
+
+      - name: Helm push
+        id: push
+        run: |
+          helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }}/${{ github.event.repository.name }} &> push-metadata.txt
+          echo "digest=$(awk '/Digest: /{print $2}' push-metadata.txt)" >> "$GITHUB_OUTPUT"
+        env:
+          HELM_REGISTRY_CONFIG: ~/.docker/config.json
+        if: inputs.publish && inputs.release
+  
+      - name: Sign chart with GitHub OIDC Token
+        if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+        run: cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"
+  
+      - name: Verify signed chart with cosign
+        if: ${{ inputs.publish && inputs.release && github.repository_owner == 'kube-logging' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+        run: |
+          cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
+            --rekor-url "https://rekor.sigstore.dev/" \
+            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+  
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:1
+        with:
+          scan-type: config
+          scan-ref: charts/${{ steps.chart-name.outputs.value }}
+          format: sarif
+          output: trivy-results.sarif
+  
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: "[${{ github.job }}] Trivy scan results"
+          path: trivy-results.sarif
+          retention-days: 5
+  
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: trivy-results.sarif