actions/gpg
1
0
Fork 0
mirror of https://github.com/crazy-max/ghaction-import-gpg.git synced 2024-11-06 05:35:51 -05:00
Code Issues Projects Releases Packages Wiki Activity

Move GPG_PRIVATE_KEY env var to gpg-private-key input

Browse source 
Move PASSPHRASE env var to passphrase input
Rename git_user_signingkey input to git-user-signingkey
Rename git_commit_gpgsign input to git-commit-gpgsign
Rename git_tag_gpgsign input to git-tag-gpgsign
Rename git_push_gpgsign input to git-push-gpgsign
Rename git_committer_name input to git-committer-name
Rename git_committer_email input to git-committer-email
This commit is contained in:
CrazyMax 2020-09-06 22:03:16 +02:00
parent 9fd6a9a68f
commit 106dc525b1
No known key found for this signature in database
GPG key ID: 3248E46B6BB8C7F7
7 changed files with 2264 additions and 2211 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
.github/workflows/ci.yml vendored
View file

@ -40,13 +40,12 @@ jobs:
id: import_gpg id: import_gpg
uses: ./ uses: ./
with: with:
git_user_signingkey: true gpg-private-key: ${{ steps.test.outputs.pgp }}
git_commit_gpgsign: true passphrase: ${{ steps.test.outputs.passphrase }}
git_tag_gpgsign: true git-user-signingkey: true
git_push_gpgsign: true git-commit-gpgsign: true
env: git-tag-gpgsign: true
GPG_PRIVATE_KEY: ${{ steps.test.outputs.pgp }} git-push-gpgsign: true
PASSPHRASE: ${{ steps.test.outputs.passphrase }}
- -
name: GPG user IDs name: GPG user IDs
run: | run: |
@ -82,13 +81,12 @@ jobs:
id: import_gpg id: import_gpg
uses: ./ uses: ./
with: with:
git_user_signingkey: true gpg-private-key: ${{ steps.test.outputs.pgp-base64 }}
git_commit_gpgsign: true passphrase: ${{ steps.test.outputs.passphrase }}
git_tag_gpgsign: true git-user-signingkey: true
git_push_gpgsign: true git-commit-gpgsign: true
env: git-tag-gpgsign: true
GPG_PRIVATE_KEY: ${{ steps.test.outputs.pgp-base64 }} git-push-gpgsign: true
PASSPHRASE: ${{ steps.test.outputs.passphrase }}
- -
name: GPG user IDs name: GPG user IDs
run: | run: |

47
README.md
View file

@ -23,7 +23,6 @@ ___
* [Customizing](#customizing) * [Customizing](#customizing)
* [inputs](#inputs) * [inputs](#inputs)
* [outputs](#outputs) * [outputs](#outputs)
* [environment variables](#environment-variables)
* [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot) * [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
* [How can I help?](#how-can-i-help) * [How can I help?](#how-can-i-help)
* [License](#license) * [License](#license)
@ -78,10 +77,10 @@ jobs:
- -
name: Import GPG key name: Import GPG key
id: import_gpg id: import_gpg
uses: crazy-max/ghaction-import-gpg@v2 uses: crazy-max/ghaction-import-gpg@v3
env: with:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.PASSPHRASE }} passphrase: ${{ secrets.PASSPHRASE }}
- -
name: GPG user IDs name: GPG user IDs
run: | run: |
@ -109,13 +108,12 @@ jobs:
uses: actions/checkout@v2 uses: actions/checkout@v2
- -
name: Import GPG key name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v2 uses: crazy-max/ghaction-import-gpg@v3
with: with:
git_user_signingkey: true gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
git_commit_gpgsign: true passphrase: ${{ secrets.PASSPHRASE }}
env: git-user-signingkey: true
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} git-commit-gpgsign: true
PASSPHRASE: ${{ secrets.PASSPHRASE }}
- -
name: Sign commit and push changes name: Sign commit and push changes
run: | run: |
@ -131,17 +129,19 @@ jobs:
Following inputs can be used as `step.with` keys Following inputs can be used as `step.with` keys
| Name | Type | Description | | Name | Type | Description |
|---------------------------------------|---------|------------------------------------------------| |---------------------------------------|---------|------------------------------------------------|
| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) | | `gpg-private-key` | String | GPG private key exported as an ASCII armored version or its base64 encoding (**required**) |
| `git_commit_gpgsign`**¹** | Bool | Sign all commits automatically. (default `false`) | | `passphrase` | String | Passphrase of the GPG private key |
| `git_tag_gpgsign`**¹** | Bool | Sign all tags automatically. (default `false`) | | `git-user-signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
| `git_push_gpgsign`**¹** | Bool | Sign all pushes automatically. (default `false`) | | `git-commit-gpgsign`**¹** | Bool | Sign all commits automatically. (default `false`) |
| `git_committer_name`**¹** | String | Set commit author's name (defaults to the name associated with the GPG key) | | `git-tag-gpgsign`**¹** | Bool | Sign all tags automatically. (default `false`) |
| `git_committer_email`**¹** | String | Set commit author's email (defaults to the email address associated with the GPG key) | | `git-push-gpgsign`**¹** | Bool | Sign all pushes automatically. (default `false`) |
| `git-committer-name`**¹** | String | Set commit author's name (defaults to the name associated with the GPG key) |
| `git-committer-email`**¹** | String | Set commit author's email (defaults to the email address associated with the GPG key) |
| `workdir` | String | Working directory (below repository root) (default `.`) | | `workdir` | String | Working directory (below repository root) (default `.`) |
> **¹** `git_user_signingkey` needs to be enabled for these inputs to be used. > **¹** `git-user-signingkey` needs to be enabled for these inputs to be used.
### outputs ### outputs
@ -154,15 +154,6 @@ Following outputs are available
| `name` | String | Name associated with the GPG key | | `name` | String | Name associated with the GPG key |
| `email` | String | Email address associated with the GPG key | | `email` | String | Email address associated with the GPG key |
### environment variables
Following environment variables must be used as `step.env` keys
| Name | Description |
|--------------------|---------------------------------------|
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version or its base64 encoding (**required**) |
| `PASSPHRASE` | Passphrase of the `GPG_PRIVATE_KEY` key if setted |
## Keep up-to-date with GitHub Dependabot ## Keep up-to-date with GitHub Dependabot
Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot) Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)

24
action.yml
View file

@ -7,26 +7,32 @@ branding:
icon: 'lock' icon: 'lock'
inputs: inputs:
git_user_signingkey: gpg-private-key:
description: 'GPG private key exported as an ASCII armored version or its base64 encoding'
required: true
passphrase:
description: 'Passphrase of the GPG private key'
required: false
git-user-signingkey:
description: 'Set GPG signing keyID for this Git repository' description: 'Set GPG signing keyID for this Git repository'
default: 'false' default: 'false'
required: false required: false
git_commit_gpgsign: git-commit-gpgsign:
description: 'Sign all commits automatically. git_user_signingkey needs to be enabled' description: 'Sign all commits automatically. git-user-signingkey needs to be enabled'
default: 'false' default: 'false'
required: false required: false
git_tag_gpgsign: git-tag-gpgsign:
description: 'Sign all tags automatically. git_user_signingkey needs to be enabled' description: 'Sign all tags automatically. git-user-signingkey needs to be enabled'
default: 'false' default: 'false'
required: false required: false
git_push_gpgsign: git-push-gpgsign:
description: 'Sign all pushes automatically. git_user_signingkey needs to be enabled' description: 'Sign all pushes automatically. git-user-signingkey needs to be enabled'
default: 'false' default: 'false'
required: false required: false
git_committer_name: git-committer-name:
description: 'Commit author''s name' description: 'Commit author''s name'
required: false required: false
git_committer_email: git-committer-email:
description: 'Commit author''s email' description: 'Commit author''s email'
required: false required: false
workdir: workdir:

4275
dist/index.js generated vendored
View file

File diff suppressed because it is too large Load diff

27
src/context.ts Normal file
View file

@ -0,0 +1,27 @@
import * as core from '@actions/core';
export interface Inputs {
gpgPrivateKey: string;
passphrase: string;
gitUserSigningkey: boolean;
gitCommitGpgsign: boolean;
gitTagGpgsign: boolean;
gitPushGpgsign: boolean;
gitCommitterName: string;
gitCommitterEmail: string;
workdir: string;
}
export async function getInputs(): Promise<Inputs> {
return {
gpgPrivateKey: core.getInput('gpg-private-key', {required: true}),
passphrase: core.getInput('passphrase'),
gitUserSigningkey: /true/i.test(core.getInput('git-user-signingkey')),
gitCommitGpgsign: /true/i.test(core.getInput('git-commit-gpgsign')),
gitTagGpgsign: /true/i.test(core.getInput('git-tag-gpgsign')),
gitPushGpgsign: /true/i.test(core.getInput('git-push-gpgsign')),
gitCommitterName: core.getInput('git-committer-name'),
gitCommitterEmail: core.getInput('git-committer-name'),
workdir: core.getInput('workdir') || '.'
};
}

58
src/main.ts
View file

@ -1,4 +1,5 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
import * as context from './context';
import * as git from './git'; import * as git from './git';
import * as gpg from './gpg'; import * as gpg from './gpg';
import * as openpgp from './openpgp'; import * as openpgp from './openpgp';
@ -6,22 +7,12 @@ import * as stateHelper from './state-helper';
async function run(): Promise<void> { async function run(): Promise<void> {
try { try {
if (!process.env.GPG_PRIVATE_KEY) { let inputs: context.Inputs = await context.getInputs();
core.setFailed('GPG private key required'); stateHelper.setGpgPrivateKey(inputs.gpgPrivateKey);
return;
}
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey')); if (inputs.workdir && inputs.workdir !== '.') {
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign')); core.info(`📂 Using ${inputs.workdir} as working directory...`);
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign')); process.chdir(inputs.workdir);
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
const git_committer_name: string = core.getInput('git_committer_name');
const git_committer_email: string = core.getInput('git_committer_email');
const workdir: string = core.getInput('workdir') || '.';
if (workdir && workdir !== '.') {
core.info(`📂 Using ${workdir} as working directory...`);
process.chdir(workdir);
} }
core.info('📣 GnuPG info'); core.info('📣 GnuPG info');
@ -34,7 +25,7 @@ async function run(): Promise<void> {
core.info(`Homedir : ${dirs.homedir}`); core.info(`Homedir : ${dirs.homedir}`);
core.info('🔮 Checking GPG private key'); core.info('🔮 Checking GPG private key');
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY); const privateKey = await openpgp.readPrivateKey(inputs.gpgPrivateKey);
core.debug(`Fingerprint : ${privateKey.fingerprint}`); core.debug(`Fingerprint : ${privateKey.fingerprint}`);
core.debug(`KeyID : ${privateKey.keyID}`); core.debug(`KeyID : ${privateKey.keyID}`);
core.debug(`Name : ${privateKey.name}`); core.debug(`Name : ${privateKey.name}`);
@ -42,18 +33,18 @@ async function run(): Promise<void> {
core.debug(`CreationTime : ${privateKey.creationTime}`); core.debug(`CreationTime : ${privateKey.creationTime}`);
core.info('🔑 Importing GPG private key'); core.info('🔑 Importing GPG private key');
await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => { await gpg.importKey(inputs.gpgPrivateKey).then(stdout => {
core.debug(stdout); core.debug(stdout);
}); });
if (process.env.PASSPHRASE) { if (inputs.passphrase) {
core.info('⚙️ Configuring GnuPG agent'); core.info('⚙️ Configuring GnuPG agent');
await gpg.configureAgent(gpg.agentConfig); await gpg.configureAgent(gpg.agentConfig);
core.info('📌 Getting keygrips'); core.info('📌 Getting keygrips');
for (let keygrip of await gpg.getKeygrips(privateKey.fingerprint)) { for (let keygrip of await gpg.getKeygrips(privateKey.fingerprint)) {
core.info(`🔓 Presetting passphrase for ${keygrip}`); core.info(`🔓 Presetting passphrase for ${keygrip}`);
await gpg.presetPassphrase(keygrip, process.env.PASSPHRASE).then(stdout => { await gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => {
core.debug(stdout); core.debug(stdout);
}); });
} }
@ -65,31 +56,31 @@ async function run(): Promise<void> {
core.setOutput('name', privateKey.name); core.setOutput('name', privateKey.name);
core.setOutput('email', privateKey.email); core.setOutput('email', privateKey.email);
if (git_user_signingkey) { if (inputs.gitUserSigningkey) {
core.info('🔐 Setting GPG signing keyID for this Git repository'); core.info('🔐 Setting GPG signing keyID for this Git repository');
await git.setConfig('user.signingkey', privateKey.keyID); await git.setConfig('user.signingkey', privateKey.keyID);
const user_email = git_committer_email || privateKey.email; const userEmail = inputs.gitCommitterEmail || privateKey.email;
const user_name = git_committer_name || privateKey.name; const userName = inputs.gitCommitterName || privateKey.name;
if (user_email != privateKey.email) { if (userEmail != privateKey.email) {
core.setFailed('Committer email does not match GPG key user address'); core.setFailed('Committer email does not match GPG key user address');
return; return;
} }
core.info(`🔨 Configuring Git committer (${user_name} <${user_email}>)`); core.info(`🔨 Configuring Git committer (${userName} <${userEmail}>)`);
await git.setConfig('user.name', user_name); await git.setConfig('user.name', userName);
await git.setConfig('user.email', user_email); await git.setConfig('user.email', userEmail);
if (git_commit_gpgsign) { if (inputs.gitCommitGpgsign) {
core.info('💎 Sign all commits automatically'); core.info('💎 Sign all commits automatically');
await git.setConfig('commit.gpgsign', 'true'); await git.setConfig('commit.gpgsign', 'true');
} }
if (git_tag_gpgsign) { if (inputs.gitTagGpgsign) {
core.info('💎 Sign all tags automatically'); core.info('💎 Sign all tags automatically');
await git.setConfig('tag.gpgsign', 'true'); await git.setConfig('tag.gpgsign', 'true');
} }
if (git_push_gpgsign) { if (inputs.gitPushGpgsign) {
core.info('💎 Sign all pushes automatically'); core.info('💎 Sign all pushes automatically');
await git.setConfig('push.gpgsign', 'true'); await git.setConfig('push.gpgsign', 'true');
} }
@ -100,13 +91,13 @@ async function run(): Promise<void> {
} }
async function cleanup(): Promise<void> { async function cleanup(): Promise<void> {
if (!process.env.GPG_PRIVATE_KEY) { if (stateHelper.gpgPrivateKey.length <= 0) {
core.debug('GPG private key is not defined. Skipping cleanup.'); core.debug('GPG private key is not defined. Skipping cleanup.');
return; return;
} }
try { try {
core.info('🚿 Removing keys'); core.info('🚿 Removing keys');
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY); const privateKey = await openpgp.readPrivateKey(stateHelper.gpgPrivateKey);
await gpg.deleteKey(privateKey.fingerprint); await gpg.deleteKey(privateKey.fingerprint);
core.info('💀 Killing GnuPG agent'); core.info('💀 Killing GnuPG agent');
@ -116,11 +107,8 @@ async function cleanup(): Promise<void> {
} }
} }
// Main
if (!stateHelper.IsPost) { if (!stateHelper.IsPost) {
run(); run();
} } else {
// Post
else {
cleanup(); cleanup();
} }

18
src/state-helper.ts
View file

@ -1,14 +1,12 @@
// From https://github.com/actions/checkout/blob/master/src/state-helper.ts import * as core from '@actions/core';
import * as coreCommand from '@actions/core/lib/command';
/**
* Indicates whether the POST action is running
*/
export const IsPost = !!process.env['STATE_isPost']; export const IsPost = !!process.env['STATE_isPost'];
export const gpgPrivateKey = process.env['STATE_gpgPrivateKey'] || '';
// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic. export function setGpgPrivateKey(gpgPrivateKey: string) {
// This is necessary since we don't have a separate entry point. core.saveState('gpgPrivateKey', gpgPrivateKey);
if (!IsPost) { }
coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true');
if (!IsPost) {
core.saveState('isPost', 'true');
} }