ci: sign releases with gpg (#422)

lindell · Nov 4, 2023 · 84d4145 · 84d4145
1 parent 9b5774a
commit 84d4145
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -34,6 +34,14 @@ jobs:
           go-version-file: "go.mod"
         if: ${{ steps.release.outputs.release_created }}
 
+      - name: Import GPG key for signing
+        id: gpg
+        run: |
+          echo "${GPG_PRIVATE_KEY}" | gpg --import
+          fingerprint=$(echo "${GPG_PRIVATE_KEY}" | gpg --show-keys --with-colons | awk -F ":" '$1=="fpr" {print $10}')
+          echo "fingerprint=$fingerprint" >> $GITHUB_OUTPUT
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
@@ -42,6 +50,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GENERAL_GITHUB_SECRET }} # The tokens needs access to another repo, so the secret.GITHUB_SECRET won't suffice
           FURY_TOKEN: ${{ secrets.FURY_TOKEN }} # Gemfury token
+          GPG_FINGERPRINT: ${{ steps.gpg.outputs.fingerprint }} # Fingerprint of GPG signing key
         if: ${{ steps.release.outputs.release_created }}
 
       - name: Comment on prs and issues

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -86,3 +86,6 @@ publishers:
       - packages
     dir: "{{ dir .ArtifactPath }}"
     cmd: curl -F package=@{{ .ArtifactName }} https://{{ .Env.FURY_TOKEN }}@push.fury.io/multi-gitter/
+signs:
+  - artifacts: checksum
+    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]