build: Sign aggregate release artifact from Github.

s373nZ · Nov 11, 2024 · 02e97b0 · 02e97b0
1 parent 9c81d70
commit 02e97b0
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -111,3 +111,51 @@ jobs:
           name: c-lightning-${{ env.version }}
           pattern: bin-*
           delete-merged: true
+
+  release:
+    name: Sign release
+    needs:
+      - check
+      - artifact
+    env:
+      version: ${{ needs.check.outputs.version }}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: c-lightning-${{ env.version }}
+          path: release/
+
+      - name: Import GPG keys
+        id: gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Set default GPG key
+        run: |
+          gpg -K
+          mkdir -p ~/.gnupg
+          echo "default-key ${{ steps.gpg.outputs.fingerprint }}" >> ~/.gnupg/gpg.conf
+          cat ~/.gnupg/gpg.conf
+
+      - name: Sign release
+        run: |
+          sudo apt-get install -y lowdown
+          ./configure
+          # TODO: configure GPG key
+          tools/build-release.sh --without-zip sign
+
+      - name: Upload signed artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: c-lightning-${{ env.version }}
+          overwrite: true
+          path: release/