From 02e97b0bc82ca465545280c6ae21c5e370ff9311 Mon Sep 17 00:00:00 2001
From: Se7enZ
Date: Mon, 11 Nov 2024 12:44:13 +0100
Subject: [PATCH] build: Sign aggregate release artifact from Github.
---
.github/workflows/release.yml | 48 +++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1bf567168509..153fdeba84e6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -111,3 +111,51 @@ jobs:
 name: c-lightning-${{ env.version }}
 pattern: bin-*
 delete-merged: true
+
+ release:
+ name: Sign release
+ needs:
+ - check
+ - artifact
+ env:
+ version: ${{ needs.check.outputs.version }}
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Git checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-tags: true
+
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: c-lightning-${{ env.version }}
+ path: release/
+
+ - name: Import GPG keys
+ id: gpg
+ uses: crazy-max/ghaction-import-gpg@v6
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+ - name: Set default GPG key
+ run: |
+ gpg -K
+ mkdir -p ~/.gnupg
+ echo "default-key ${{ steps.gpg.outputs.fingerprint }}" >> ~/.gnupg/gpg.conf
+ cat ~/.gnupg/gpg.conf
+
+ - name: Sign release
+ run: |
+ sudo apt-get install -y lowdown
+ ./configure
+ # TODO: configure GPG key
+ tools/build-release.sh --without-zip sign
+
+ - name: Upload signed artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: c-lightning-${{ env.version }}
+ overwrite: true
+ path: release/
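Review bot: The "Import GPG keys" step passes `secrets.GPG_PRIVATE_KEY` and its passphrase to a third-party action referenced by the mutable tag `@v6`. If that tag is ever moved, whatever code it then points at receives the release signing key. Pin it to a reviewed commit, e.g. `uses: crazy-max/ghaction-import-gpg@<full-commit-sha>  # v6`; the same pinning is worth applying to the other `uses:` lines in this job. After the import the key stays in the runner's keyring while `./configure` and `tools/build-release.sh` run from the checked-out ref. The workflow's `on:` triggers are outside this hunk, so confirm the job can only start from release tags, or gate it with a protected `environment:`. In "Set default GPG key", pass the fingerprint through an `env:` entry and reference it as `"$FINGERPRINT"` rather than expanding `${{ steps.gpg.outputs.fingerprint }}` inside the script text.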