git-artifacts: if GPG secrets are available, use them

This expects the `GPGKEY` and `PRIVGPGKEY` secrets to be set in the respective GitHub repository. The `GPGKEY` value should be of the form <short-key> --passphrase <pass> --yes --batch --no-tty --pinentry-mode loopback --digest-algo SHA256 and the `PRIVGPGKEY` should be generated via gpg --export-secret-keys | base64 | tr '\n' % Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2026-03-28 05:46:45 -05:00 · 2020-04-12 00:24:49 +02:00
parent 9eba813a1d
commit 14ee5f181f
1 changed files with 43 additions and 1 deletions
--- a/.github/workflows/git-artifacts.yml
+++ b/.github/workflows/git-artifacts.yml
@@ -6,6 +6,7 @@ on:
  - workflow_dispatch

 env:
+  GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback"
  HOME: "${{github.workspace}}\\home"
  MSYSTEM: MINGW64
  USERPROFILE: "${{github.workspace}}\\home"
@@ -44,7 +45,21 @@ jobs:
        run: |
          d=git-sdk-64-build-installers/usr/src/build-extra &&
          git clone --single-branch -b main https://github.com/git-for-windows/build-extra $d
+      - name: Prepare home directory for GPG signing
+        if: env.GPGKEY != ''
+        shell: bash
+        run: |
+          echo '${{secrets.PRIVGPGKEY}}' | tr % '\n' | gpg $GPG_OPTIONS --import &&
+          mkdir -p home &&
+          git config --global gpg.program "$PWD/git-sdk-64-build-installers/usr/src/build-extra/gnupg-with-gpgkey.sh" &&
+          info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" &&
+          git config --global user.name "${info% <*}" &&
+          git config --global user.email "<${info#*<}"
+        env:
+          GPGKEY: ${{secrets.GPGKEY}}
      - name: Generate bundle artifacts
+        env:
+          GPGKEY: ${{secrets.GPGKEY}}
        shell: powershell
        run: |
          & .\git-sdk-64-build-installers\git-cmd.exe --command=usr\bin\bash.exe -lc @"
@@ -59,12 +74,16 @@ jobs:
            echo \"prerelease-`${tag_name#v}\" >bundle-artifacts/ver &&
            echo \"`${tag_name#v}\" >bundle-artifacts/display_version &&
            echo \"`$tag_name\" >bundle-artifacts/next_version &&
-            git tag -m \"Snapshot build\" \"`$tag_name\" FETCH_HEAD &&
+            git tag `$(test -z \"`$GPGKEY\" || echo \" -s\") -m \"Snapshot build\" \"`$tag_name\" FETCH_HEAD &&
            git bundle create bundle-artifacts/git.bundle origin/main..\"`$tag_name\" &&

            sh -x /usr/src/build-extra/please.sh mention feature \"Snapshot of `$(git show -s  --pretty='tformat:%h (%s, %ad)' --date=short FETCH_HEAD)\" &&
            git -C /usr/src/build-extra bundle create \"`$PWD/bundle-artifacts/build-extra.bundle\" origin/main..main
          "@
+      - name: Clean up temporary files
+        if: always()
+        shell: bash
+        run: rm -rf home
      - name: 'Publish Pipeline Artifact: bundle-artifacts'
        uses: actions/upload-artifact@v1
        with:
@@ -116,7 +135,19 @@ jobs:
          git remote add -f origin https://github.com/git-for-windows/git &&
          git fetch --tags bundle-artifacts/git.bundle $(cat bundle-artifacts/next_version) &&
          git reset --hard $(cat bundle-artifacts/next_version)
+      - name: Prepare home directory for GPG signing
+        if: env.GPGKEY != ''
+        shell: bash
+        run: |
+          echo '${{secrets.PRIVGPGKEY}}' | tr % '\n' | gpg $GPG_OPTIONS --import &&
+          info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" &&
+          git config --global user.name "${info% <*}" &&
+          git config --global user.email "<${info#*<}"
+        env:
+          GPGKEY: ${{secrets.GPGKEY}}
      - name: Build mingw-w64-x86_64-git
+        env:
+          GPGKEY: "${{secrets.GPGKEY}}"
        shell: powershell
        run: |
          & git-sdk-64-makepkg-git\usr\bin\sh.exe -lc @"
@@ -126,6 +157,13 @@ jobs:
            type -p mspdb140.dll || exit 1
            sh -x /usr/src/build-extra/please.sh build-mingw-w64-git --only-64-bit --build-src-pkg -o artifacts HEAD &&
            cp bundle-artifacts/ver artifacts/ &&
+            if test -n \"`$GPGKEY\"
+            then
+              for tar in artifacts/*.tar*
+              do
+                /usr/src/build-extra/gnupg-with-gpgkey.sh --detach-sign --no-armor `$tar
+              done
+            fi &&

            b=`$PWD/artifacts &&
            version=`$(cat bundle-artifacts/next_version) &&
@@ -134,6 +172,10 @@ jobs:
            git commit -s -m \"mingw-w64-git: new version (`$version)\" PKGBUILD &&
            git bundle create \"`$b\"/MINGW-packages.bundle origin/main..main)
          "@
+      - name: Clean up temporary files
+        if: always()
+        shell: bash
+        run: rm -rf home
      - name: Publish mingw-w64-x86_64-git
        uses: actions/upload-artifact@v1
        with: