Make a workflow for signing our Debian packages

The `package-deb` artifact from our existing workflow contains not just the Debian package (the `.deb` file), but also all of the files needed to upload the package into a repository. But, the files aren't signed, and most repositories only want uploads that are signed by a trusted key. So, this workflow does that! It takes the `package-deb` artifact, uses `debsign` to sign the appropriate files, and uploads everything to a new artifact, named `signed-deb`. This new artifact contains the `.deb` package files, so you should probably be using this artifact, when it is available. The workflow has a few requirements: * The variable `DEBSIGN_KEYID`, which contains the ID (short or long) of the PGP key used for signing. * The secret `KEY`, which is the armored PGP private key. * The environment `sign`, containing the secret and variable above.
stanford-rc · Apr 30, 2024 · 50c18e2 · 50c18e2
1 parent fffb2e1
commit 50c18e2
Showing 1 changed file with 65 additions and 0 deletions.
diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml
@@ -0,0 +1,65 @@
+name: 'Sign Packages'
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - v*
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  Sign-Debian:
+    name: Sign Debian packages
+    runs-on: ubuntu-latest
+    environment: sign
+    steps:
+      - id: sysprep
+        name: Prep system for debsign work
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts gnupg
+        continue-on-error: false
+
+      - id: set-key
+        name: Install signing key
+        env:
+          PRIVATE_KEY: ${{ secrets.KEY }}
+        run: |
+          gpg --import <<<"${PRIVATE_KEY}"
+          echo "Keys:"
+          gpg --list-secret-keys --keyid-format long
+        continue-on-error: false
+
+      - id: fetch
+        name: Fetch Debian artifact from this workflow
+        uses: actions/[email protected]
+        with:
+          name: package-deb
+          path: deb
+        continue-on-error: false
+
+      - id: sign
+        name: Run debsign
+        env:
+          DEBSIGN_KEYID: ${{ vars.DEBSIGN_KEYID }}
+        working-directory: deb
+        run: |
+          echo "Signing with key ${{DEBSIGN_KEYID}}"
+          debsign --debs-dir "${PWD}"
+        continue-on-error: false
+
+      - id: upload
+        name: Upload Signed Result as artifact
+        uses: actions/[email protected]
+        working-directory: deb
+        with:
+          name: signed-deb
+          if-no-files-found: error
+        continue-on-error: false