Update workflow to sign our Debian packages #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Build Packages' | |
| on: push | |
| permissions: | |
| contents: read | |
| jobs: | |
| Package: | |
| name: Create Package for Branch | |
| runs-on: ubuntu-latest | |
| steps: | |
| - id: sysprep | |
| name: Prep system for dev work | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y build-essential debhelper devscripts python3 | |
| - id: checkout | |
| name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| with: | |
| path: "source" | |
| fetch-depth: 0 | |
| continue-on-error: false | |
| - id: get_tag | |
| name: Get most recent tag | |
| run: | | |
| cd source; | |
| echo "tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_OUTPUT" | |
| continue-on-error: false | |
| - id: make_changelogs | |
| name: Make changelog entries | |
| env: | |
| start: ${{ steps.get_tag.outputs.tag }} | |
| run: | | |
| cd source; | |
| echo "Listing commits starting from ${start}"; | |
| for commit in $(git log --reverse --format="%h" ${start}..); do | |
| echo "Adding changelog entry for commit ${commit}: $(git log -1 --pretty=%s ${commit})"; | |
| EMAIL=$(git log -1 --pretty=%ae ${commit}) \ | |
| NAME=$(git log -1 --pretty=%an ${commit}) \ | |
| dch --force-bad-version --newversion \ | |
| "$(git log -1 --date=format:%Y%m%d%H%M%S --pretty=99~git%cd.%h ${commit})" \ | |
| "$(git log -1 --pretty=%s ${commit})"; | |
| done | |
| continue-on-error: false | |
| - name: Build package (without signing) | |
| run: | | |
| cd source && \ | |
| debuild -us -uc | |
| continue-on-error: false | |
| - name: Upload Build Result as artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: package-deb | |
| path: docker-image-cleanup* | |
| if-no-files-found: error | |
| continue-on-error: false | |
| Sign-Debian: | |
| name: Sign Debian packages | |
| if: github.event_name == 'push' && ( contains(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main' ) | |
| needs: | |
| - Package | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| environment: sign | |
| steps: | |
| - id: sysprep | |
| name: Prep system for debsign work | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y build-essential devscripts gnupg | |
| continue-on-error: false | |
| - id: set-key | |
| name: Install signing key | |
| env: | |
| PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} | |
| run: | | |
| gpg --import <<<"${PRIVATE_KEY}" | |
| echo "Keys:" | |
| gpg --list-secret-keys --keyid-format long | |
| echo "keyid=$(gpg --list-secret-keys --keyid-format long | grep '^sec' | cut -d/ -f2 | cut -d\ -f1)" >> $GITHUB_OUTPUT | |
| echo "fingerprint=$(gpg --list-secret-keys | grep '^ ' | tr -d ' ')" >> $GITHUB_OUTPUT | |
| continue-on-error: false | |
| - id: fetch | |
| name: Fetch Debian artifact from this workflow | |
| uses: actions/[email protected] | |
| with: | |
| name: package-deb | |
| continue-on-error: false | |
| - id: sign | |
| name: Run debsign | |
| run: | | |
| echo "Signing with key ${{ steps.set-key.outputs.keyid }}" | |
| debsign -k "${{ steps.set-key.outputs.fingerprint }}" "$(find . -name *.changes)" | |
| continue-on-error: false | |
| - id: upload | |
| name: Upload Signed Result as artifact | |
| uses: actions/[email protected] | |
| with: | |
| name: signed-deb | |
| path: docker-image-cleanup* | |
| if-no-files-found: error | |
| continue-on-error: false |