From e0167fb27fa56563b214b9eca45f2883d479cc90 Mon Sep 17 00:00:00 2001 From: matte22 Date: Wed, 28 Feb 2024 13:13:55 -0500 Subject: [PATCH] testing gpg signing --- .github/workflows/build-binary-artifacts.yml | 66 +++++++++++++------- build.sh | 2 +- 2 files changed, 44 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build-binary-artifacts.yml b/.github/workflows/build-binary-artifacts.yml index bbf65ba..041d086 100644 --- a/.github/workflows/build-binary-artifacts.yml +++ b/.github/workflows/build-binary-artifacts.yml @@ -1,7 +1,7 @@ # Modify build script # attempt to sign the artifacts after they are built in the workflow -# if the signings fails then emit a warning and still upload only the binaries but exit with a non-zero status code +# if the signings fails then emit a warning and exit with a non-zero status code # if the signing is successful then import the public key and verify the signatures # if the verification fails then emit a warning and exit with a non-zero status code # if the verification is successful then emit a success message and upload the singing file and the signed artifacts @@ -10,7 +10,7 @@ #[[ $1 == "--sign" ]] && gpg --default-key $signing_key --armor --detach-sig $windows_archive #[[ $1 == "--sign" ]] && gpg --default-key $signing_key --armor --detach-sig $linux_archive -name: Build Binary Artifacts +name: Build and Sign Binary Artifacts on: workflow_dispatch: push: 
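Review bot: The reworded header comment on the added line keeps the grammar slip `signings fails` (the hunk's unchanged lines also carry `singing file`); suggest `# if signing fails then emit a warning and exit with a non-zero status code`. The same header still says a successful signing is followed by importing the public key and verifying the signatures, but the steps that do that are commented out later in this patch, so the comment no longer describes what the workflow does; it should either note that verification is temporarily disabled or be updated together with those steps.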
@@ -47,29 +47,49 @@ jobs: id: run_build_script run: ./build.sh - - name: Upload Artifacts - uses: actions/upload-artifact@v3 - with: - name: binary-artifacts - path: | - ./dist/ - if-no-files-found: error - - - name: Import GPG Public Key - id: import_gpg_public - run: gpg --import ./nuwcdivnpt-bot.gpg.asc - - name: Get version from package.json id: package_version run: echo "PACKAGE_VERSION=$(jq -r '.version' package.json)" >> $GITHUB_ENV - - name: Verify Signatures - id: verify_signatures - working-directory: ./dist + - name: Signt Artifacts + id: sign_tartifacts + run: | + gpg --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig ./dist/stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz + gpg --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig ./dist/stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; + + + - name: Sign Artifacts + id: sign_artifacts run: | - if ! gpg --verify stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz.asc stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz; then - echo "::warning ::Signature verification for Linux failed" - fi - if ! gpg --verify stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip.asc stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; then - echo "::warning ::Signature verification for Windows failed" - fi + if ! gpg --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig ./dist/stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz + gpg --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig ./dist/stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; + then + echo "::warning ::Signing failed" + exit 1 + fi + + + + # - name: Import GPG Public Key + # id: import_gpg_public + # run: gpg --import ./nuwcdivnpt-bot.gpg.asc + + + + # - name: Verify Signatures + # id: verify_signatures + # working-directory: ./dist + # run: | + # if ! 
gpg --verify stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz.asc stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz; then + # echo "::warning ::Signature verification for Linux failed" + # fi + # if ! gpg --verify stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip.asc stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; then + # echo "::warning ::Signature verification for Windows failed" + # fi + # - name: Upload Artifacts + # uses: actions/upload-artifact@v3 + # with: + # name: binary-artifacts + # path: | + # ./dist/ + # if-no-files-found: error \ No newline at end of file diff --git a/build.sh b/build.sh index 6e773de..93997cd 100755 --- a/build.sh +++ b/build.sh @@ -37,7 +37,7 @@ npm ci # Bundle printf "[BUILD_TASK] Bundling\n" -npx esbuild indeawdwdx.js --bundle --platform=node --outfile=bundle.js +npx esbuild index.js --bundle --platform=node --outfile=bundle.js check_exit_status "Bundling" 1 # version=$(git describe --tags | sed 's/\(.*\)-.*/\1/')
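Review bot: The `if ! gpg … <newline> gpg …; then` condition in the new `Sign Artifacts` step tests only the second gpg command's status, and since that command carries no `!` the branch fires when the Windows signing succeeds — the step exits 1 on success, passes when the Windows signing fails, and never checks the Linux signing at all (the `!` on the first command is discarded once the list's status is taken from the last command). The preceding `Signt Artifacts` step (id `sign_tartifacts`) already signs the same two files, so the second step tries to write `.asc` files that already exist; without `--yes`/`--batch`, gpg on a non-interactive runner is likely to refuse the overwrite rather than proceed, so the duplicate step should go. Checking each signing on its own, with `--batch --yes` for the non-TTY runner, addresses both; the step that imports the signing key is not in this hunk, so whether an unattended passphrase also has to be supplied cannot be judged here. With the import/verify/upload steps commented out, the job now produces signatures that are neither verified nor uploaded — fine for a test commit, but a one-line comment such as `# TODO: re-enable verify + upload once signing works` would make that intent explicit. The `steps` list this hunk edits begins before the hunk.

```yaml
      - name: Sign Artifacts
        id: sign_artifacts
        run: |
          set -euo pipefail
          for f in "./dist/stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz" \
                   "./dist/stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip"; do
            # --batch/--yes: the runner has no TTY, and the .asc may exist from an earlier run
            if ! gpg --batch --yes --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig "$f"; then
              echo "::warning ::Signing failed for $f"
              exit 1
            fi
          done
      # … unchanged: commented-out import / verify / upload steps …
```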