diff --git a/.github/scripts/fetch_helm_deps.sh b/.github/scripts/fetch_helm_deps.sh
index 517debf0bc5..9450a651acd 100755
--- a/.github/scripts/fetch_helm_deps.sh
+++ b/.github/scripts/fetch_helm_deps.sh
@@ -85,17 +85,20 @@ for idx in $(eval echo "{0..$length}"); do
 echo "⏬ Downloading dependency $name-$version from $dep_url..."
 mkdir -p "$cache_path/$repo_dir"
 wget --quiet "$dep_url" -P "$cache_path/$repo_dir"
+ wget --quiet "$dep_url.prov" -P "$cache_path/$repo_dir"
 if [ ! $? ]; then
 echo "❌ wget encountered an error..."
- helm dependency build "$charts_path/$train_chart/Chart.yaml" || helm dependency update "$charts_path/$train_chart/Chart.yaml" || exit 1
+ helm dependency build "$charts_path/$train_chart/Chart.yaml" --verify --keyring $gpg_dir/secring.gpg || helm dependency update "$charts_path/$train_chart/Chart.yaml" --verify --keyring $gpg_dir/secring.gpg || exit 1
 fi
 if [ -f "$cache_path/$repo_dir/$name-$version.tgz" ]; then
 echo "✅ Dependency Downloaded!"
+ echo "Validating dependency signature..."
+ helm validate $cache_path/$repo_dir/$name-$version.tgz --keyring $gpg_dir/secring.gpg || echo "❌ Failed to verify dependency chart signature" && exit 1
 else
 echo "❌ Failed to download dependency"
 # Try helm dependency build/update or otherwise fail fast if a dep fails to download...
- helm dependency build "$charts_path/$train_chart/Chart.yaml" || helm dependency update "$charts_path/$train_chart/Chart.yaml" || exit 1
+ helm dependency build "$charts_path/$train_chart/Chart.yaml" --verify --keyring $gpg_dir/secring.gpg || helm dependency update "$charts_path/$train_chart/Chart.yaml" --verify --keyring $gpg_dir/secring.gpg || exit 1
 fi
 fi
 echo ""
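Review bot: The added signature check `helm validate … || echo … && exit 1` stops the script on every path: the shell groups `A || B && C` as `(A || B) && C`, so `exit 1` runs even when the check succeeds, and Helm's provenance command is `helm verify`, not `helm validate`, so the check cannot pass as written. A grouped failure branch with quoted paths fixes both: `helm verify "$cache_path/$repo_dir/$name-$version.tgz" --keyring "$gpg_dir/secring.gpg" || { echo "❌ Failed to verify dependency chart signature"; exit 1; }`. The new `.prov` download also sits between the chart `wget` and the `[ ! $? ]` test, so `$?` now reflects the provenance fetch, and that test is never true anyway because `$?` is always a non-empty string; testing each download directly (`if ! wget …; then`) would surface a failed chart or `.prov` fetch at the point it happens. The keyring name `secring.gpg` suggests a secret keyring, while signature verification needs only public keys, so it is worth confirming that the CI job is not given private key material. The enclosing `for` loop starts and ends outside this hunk.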