chore(release): sign GitHub release artifacts with gpg (#68)
---------

Signed-off-by: Jericho Tolentino <68654047+jericht@users.noreply.github.com>
jericht authored Feb 12, 2024
1 parent d554bfd commit eef0f3f
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions .github/workflows/release_publish.yml
Expand Up @@ -104,6 +104,29 @@ jobs:
pip install --upgrade hatch
hatch build
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_PGP_KEY_SECRET_ROLE }}
aws-region: us-west-2
mask-aws-account-id: true

- name: Import PGP Key
run: |
export SECRET_STRING="$(aws secretsmanager get-secret-value --secret-id ${{ secrets.AWS_PGP_KEY_SECRET }} --query 'SecretString')"
printenv SECRET_STRING | jq -r '. | fromjson | .PrivateKey' | gpg --batch --pinentry-mode loopback --import --armor
PGP_KEY_PASSPHRASE=$(printenv SECRET_STRING | jq -r '. | fromjson | .Passphrase')
echo "::add-mask::$PGP_KEY_PASSPHRASE"
echo "PGP_KEY_PASSPHRASE=$PGP_KEY_PASSPHRASE" >> $GITHUB_ENV
- name: Sign
run: |
for file in dist/*; do
printenv PGP_KEY_PASSPHRASE | gpg --batch --pinentry-mode loopback --local-user "Open Job Description" --passphrase-fd 0 --output $file.sig --detach-sign $file
echo "Created signature file for $file"
done
- name: PushRelease
env:
GH_TOKEN: ${{ secrets.CI_TOKEN }}
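Review bot: the passphrase appended to `$GITHUB_ENV` in the Import PGP Key step stays in the environment of every later step, including PushRelease, which also holds `CI_TOKEN`; keep it scoped to the Sign step instead (for example, write it to `$GITHUB_OUTPUT` in the import step and map it with `env:` on Sign only). On the same step, `${{ secrets.AWS_PGP_KEY_SECRET }}` is expanded directly into the text of the `run:` script; pass it via `env:` and reference `"$AWS_PGP_KEY_SECRET"` in the command so the secret never becomes part of the shell source. The imported secret key is also never removed from the runner keyring once signing is done, so a final cleanup step that deletes it would be prudent. In the Sign loop, quote `"$file"` in the gpg arguments and select the key by fingerprint rather than the `"Open Job Description"` user-id string, which becomes ambiguous if more than one matching key is ever present.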

0 comments on commit eef0f3f
