mirror of
https://github.com/crazy-max/ghaction-import-gpg.git
synced 2024-11-29 00:11:02 -05:00
Move GPG_PRIVATE_KEY env var to gpg-private-key input
Move PASSPHRASE env var to passphrase input Rename git_user_signingkey input to git-user-signingkey Rename git_commit_gpgsign input to git-commit-gpgsign Rename git_tag_gpgsign input to git-tag-gpgsign Rename git_push_gpgsign input to git-push-gpgsign Rename git_committer_name input to git-committer-name Rename git_committer_email input to git-committer-email
This commit is contained in:
parent
9fd6a9a68f
commit
106dc525b1
7 changed files with 2264 additions and 2211 deletions
26
.github/workflows/ci.yml
vendored
26
.github/workflows/ci.yml
vendored
|
@ -40,13 +40,12 @@ jobs:
|
|||
id: import_gpg
|
||||
uses: ./
|
||||
with:
|
||||
git_user_signingkey: true
|
||||
git_commit_gpgsign: true
|
||||
git_tag_gpgsign: true
|
||||
git_push_gpgsign: true
|
||||
env:
|
||||
GPG_PRIVATE_KEY: ${{ steps.test.outputs.pgp }}
|
||||
PASSPHRASE: ${{ steps.test.outputs.passphrase }}
|
||||
gpg-private-key: ${{ steps.test.outputs.pgp }}
|
||||
passphrase: ${{ steps.test.outputs.passphrase }}
|
||||
git-user-signingkey: true
|
||||
git-commit-gpgsign: true
|
||||
git-tag-gpgsign: true
|
||||
git-push-gpgsign: true
|
||||
-
|
||||
name: GPG user IDs
|
||||
run: |
|
||||
|
@ -82,13 +81,12 @@ jobs:
|
|||
id: import_gpg
|
||||
uses: ./
|
||||
with:
|
||||
git_user_signingkey: true
|
||||
git_commit_gpgsign: true
|
||||
git_tag_gpgsign: true
|
||||
git_push_gpgsign: true
|
||||
env:
|
||||
GPG_PRIVATE_KEY: ${{ steps.test.outputs.pgp-base64 }}
|
||||
PASSPHRASE: ${{ steps.test.outputs.passphrase }}
|
||||
gpg-private-key: ${{ steps.test.outputs.pgp-base64 }}
|
||||
passphrase: ${{ steps.test.outputs.passphrase }}
|
||||
git-user-signingkey: true
|
||||
git-commit-gpgsign: true
|
||||
git-tag-gpgsign: true
|
||||
git-push-gpgsign: true
|
||||
-
|
||||
name: GPG user IDs
|
||||
run: |
|
||||
|
|
45
README.md
45
README.md
|
@ -23,7 +23,6 @@ ___
|
|||
* [Customizing](#customizing)
|
||||
* [inputs](#inputs)
|
||||
* [outputs](#outputs)
|
||||
* [environment variables](#environment-variables)
|
||||
* [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
|
||||
* [How can I help?](#how-can-i-help)
|
||||
* [License](#license)
|
||||
|
@ -78,10 +77,10 @@ jobs:
|
|||
-
|
||||
name: Import GPG key
|
||||
id: import_gpg
|
||||
uses: crazy-max/ghaction-import-gpg@v2
|
||||
env:
|
||||
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
PASSPHRASE: ${{ secrets.PASSPHRASE }}
|
||||
uses: crazy-max/ghaction-import-gpg@v3
|
||||
with:
|
||||
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
passphrase: ${{ secrets.PASSPHRASE }}
|
||||
-
|
||||
name: GPG user IDs
|
||||
run: |
|
||||
|
@ -109,13 +108,12 @@ jobs:
|
|||
uses: actions/checkout@v2
|
||||
-
|
||||
name: Import GPG key
|
||||
uses: crazy-max/ghaction-import-gpg@v2
|
||||
uses: crazy-max/ghaction-import-gpg@v3
|
||||
with:
|
||||
git_user_signingkey: true
|
||||
git_commit_gpgsign: true
|
||||
env:
|
||||
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
PASSPHRASE: ${{ secrets.PASSPHRASE }}
|
||||
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
passphrase: ${{ secrets.PASSPHRASE }}
|
||||
git-user-signingkey: true
|
||||
git-commit-gpgsign: true
|
||||
-
|
||||
name: Sign commit and push changes
|
||||
run: |
|
||||
|
@ -133,15 +131,17 @@ Following inputs can be used as `step.with` keys
|
|||
|
||||
| Name | Type | Description |
|
||||
|---------------------------------------|---------|------------------------------------------------|
|
||||
| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
|
||||
| `git_commit_gpgsign`**¹** | Bool | Sign all commits automatically. (default `false`) |
|
||||
| `git_tag_gpgsign`**¹** | Bool | Sign all tags automatically. (default `false`) |
|
||||
| `git_push_gpgsign`**¹** | Bool | Sign all pushes automatically. (default `false`) |
|
||||
| `git_committer_name`**¹** | String | Set commit author's name (defaults to the name associated with the GPG key) |
|
||||
| `git_committer_email`**¹** | String | Set commit author's email (defaults to the email address associated with the GPG key) |
|
||||
| `gpg-private-key` | String | GPG private key exported as an ASCII armored version or its base64 encoding (**required**) |
|
||||
| `passphrase` | String | Passphrase of the GPG private key |
|
||||
| `git-user-signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
|
||||
| `git-commit-gpgsign`**¹** | Bool | Sign all commits automatically. (default `false`) |
|
||||
| `git-tag-gpgsign`**¹** | Bool | Sign all tags automatically. (default `false`) |
|
||||
| `git-push-gpgsign`**¹** | Bool | Sign all pushes automatically. (default `false`) |
|
||||
| `git-committer-name`**¹** | String | Set commit author's name (defaults to the name associated with the GPG key) |
|
||||
| `git-committer-email`**¹** | String | Set commit author's email (defaults to the email address associated with the GPG key) |
|
||||
| `workdir` | String | Working directory (below repository root) (default `.`) |
|
||||
|
||||
> **¹** `git_user_signingkey` needs to be enabled for these inputs to be used.
|
||||
> **¹** `git-user-signingkey` needs to be enabled for these inputs to be used.
|
||||
|
||||
### outputs
|
||||
|
||||
|
@ -154,15 +154,6 @@ Following outputs are available
|
|||
| `name` | String | Name associated with the GPG key |
|
||||
| `email` | String | Email address associated with the GPG key |
|
||||
|
||||
### environment variables
|
||||
|
||||
Following environment variables must be used as `step.env` keys
|
||||
|
||||
| Name | Description |
|
||||
|--------------------|---------------------------------------|
|
||||
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version or its base64 encoding (**required**) |
|
||||
| `PASSPHRASE` | Passphrase of the `GPG_PRIVATE_KEY` key if setted |
|
||||
|
||||
## Keep up-to-date with GitHub Dependabot
|
||||
|
||||
Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)
|
||||
|
|
24
action.yml
24
action.yml
|
@ -7,26 +7,32 @@ branding:
|
|||
icon: 'lock'
|
||||
|
||||
inputs:
|
||||
git_user_signingkey:
|
||||
gpg-private-key:
|
||||
description: 'GPG private key exported as an ASCII armored version or its base64 encoding'
|
||||
required: true
|
||||
passphrase:
|
||||
description: 'Passphrase of the GPG private key'
|
||||
required: false
|
||||
git-user-signingkey:
|
||||
description: 'Set GPG signing keyID for this Git repository'
|
||||
default: 'false'
|
||||
required: false
|
||||
git_commit_gpgsign:
|
||||
description: 'Sign all commits automatically. git_user_signingkey needs to be enabled'
|
||||
git-commit-gpgsign:
|
||||
description: 'Sign all commits automatically. git-user-signingkey needs to be enabled'
|
||||
default: 'false'
|
||||
required: false
|
||||
git_tag_gpgsign:
|
||||
description: 'Sign all tags automatically. git_user_signingkey needs to be enabled'
|
||||
git-tag-gpgsign:
|
||||
description: 'Sign all tags automatically. git-user-signingkey needs to be enabled'
|
||||
default: 'false'
|
||||
required: false
|
||||
git_push_gpgsign:
|
||||
description: 'Sign all pushes automatically. git_user_signingkey needs to be enabled'
|
||||
git-push-gpgsign:
|
||||
description: 'Sign all pushes automatically. git-user-signingkey needs to be enabled'
|
||||
default: 'false'
|
||||
required: false
|
||||
git_committer_name:
|
||||
git-committer-name:
|
||||
description: 'Commit author''s name'
|
||||
required: false
|
||||
git_committer_email:
|
||||
git-committer-email:
|
||||
description: 'Commit author''s email'
|
||||
required: false
|
||||
workdir:
|
||||
|
|
4273
dist/index.js
generated
vendored
4273
dist/index.js
generated
vendored
File diff suppressed because it is too large
Load diff
27
src/context.ts
Normal file
27
src/context.ts
Normal file
|
@ -0,0 +1,27 @@
|
|||
import * as core from '@actions/core';
|
||||
|
||||
export interface Inputs {
|
||||
gpgPrivateKey: string;
|
||||
passphrase: string;
|
||||
gitUserSigningkey: boolean;
|
||||
gitCommitGpgsign: boolean;
|
||||
gitTagGpgsign: boolean;
|
||||
gitPushGpgsign: boolean;
|
||||
gitCommitterName: string;
|
||||
gitCommitterEmail: string;
|
||||
workdir: string;
|
||||
}
|
||||
|
||||
export async function getInputs(): Promise<Inputs> {
|
||||
return {
|
||||
gpgPrivateKey: core.getInput('gpg-private-key', {required: true}),
|
||||
passphrase: core.getInput('passphrase'),
|
||||
gitUserSigningkey: /true/i.test(core.getInput('git-user-signingkey')),
|
||||
gitCommitGpgsign: /true/i.test(core.getInput('git-commit-gpgsign')),
|
||||
gitTagGpgsign: /true/i.test(core.getInput('git-tag-gpgsign')),
|
||||
gitPushGpgsign: /true/i.test(core.getInput('git-push-gpgsign')),
|
||||
gitCommitterName: core.getInput('git-committer-name'),
|
||||
gitCommitterEmail: core.getInput('git-committer-name'),
|
||||
workdir: core.getInput('workdir') || '.'
|
||||
};
|
||||
}
|
58
src/main.ts
58
src/main.ts
|
@ -1,4 +1,5 @@
|
|||
import * as core from '@actions/core';
|
||||
import * as context from './context';
|
||||
import * as git from './git';
|
||||
import * as gpg from './gpg';
|
||||
import * as openpgp from './openpgp';
|
||||
|
@ -6,22 +7,12 @@ import * as stateHelper from './state-helper';
|
|||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
if (!process.env.GPG_PRIVATE_KEY) {
|
||||
core.setFailed('GPG private key required');
|
||||
return;
|
||||
}
|
||||
let inputs: context.Inputs = await context.getInputs();
|
||||
stateHelper.setGpgPrivateKey(inputs.gpgPrivateKey);
|
||||
|
||||
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
|
||||
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
|
||||
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
|
||||
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
|
||||
const git_committer_name: string = core.getInput('git_committer_name');
|
||||
const git_committer_email: string = core.getInput('git_committer_email');
|
||||
const workdir: string = core.getInput('workdir') || '.';
|
||||
|
||||
if (workdir && workdir !== '.') {
|
||||
core.info(`📂 Using ${workdir} as working directory...`);
|
||||
process.chdir(workdir);
|
||||
if (inputs.workdir && inputs.workdir !== '.') {
|
||||
core.info(`📂 Using ${inputs.workdir} as working directory...`);
|
||||
process.chdir(inputs.workdir);
|
||||
}
|
||||
|
||||
core.info('📣 GnuPG info');
|
||||
|
@ -34,7 +25,7 @@ async function run(): Promise<void> {
|
|||
core.info(`Homedir : ${dirs.homedir}`);
|
||||
|
||||
core.info('🔮 Checking GPG private key');
|
||||
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||
const privateKey = await openpgp.readPrivateKey(inputs.gpgPrivateKey);
|
||||
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
||||
core.debug(`KeyID : ${privateKey.keyID}`);
|
||||
core.debug(`Name : ${privateKey.name}`);
|
||||
|
@ -42,18 +33,18 @@ async function run(): Promise<void> {
|
|||
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
||||
|
||||
core.info('🔑 Importing GPG private key');
|
||||
await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
|
||||
await gpg.importKey(inputs.gpgPrivateKey).then(stdout => {
|
||||
core.debug(stdout);
|
||||
});
|
||||
|
||||
if (process.env.PASSPHRASE) {
|
||||
if (inputs.passphrase) {
|
||||
core.info('⚙️ Configuring GnuPG agent');
|
||||
await gpg.configureAgent(gpg.agentConfig);
|
||||
|
||||
core.info('📌 Getting keygrips');
|
||||
for (let keygrip of await gpg.getKeygrips(privateKey.fingerprint)) {
|
||||
core.info(`🔓 Presetting passphrase for ${keygrip}`);
|
||||
await gpg.presetPassphrase(keygrip, process.env.PASSPHRASE).then(stdout => {
|
||||
await gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => {
|
||||
core.debug(stdout);
|
||||
});
|
||||
}
|
||||
|
@ -65,31 +56,31 @@ async function run(): Promise<void> {
|
|||
core.setOutput('name', privateKey.name);
|
||||
core.setOutput('email', privateKey.email);
|
||||
|
||||
if (git_user_signingkey) {
|
||||
if (inputs.gitUserSigningkey) {
|
||||
core.info('🔐 Setting GPG signing keyID for this Git repository');
|
||||
await git.setConfig('user.signingkey', privateKey.keyID);
|
||||
|
||||
const user_email = git_committer_email || privateKey.email;
|
||||
const user_name = git_committer_name || privateKey.name;
|
||||
const userEmail = inputs.gitCommitterEmail || privateKey.email;
|
||||
const userName = inputs.gitCommitterName || privateKey.name;
|
||||
|
||||
if (user_email != privateKey.email) {
|
||||
if (userEmail != privateKey.email) {
|
||||
core.setFailed('Committer email does not match GPG key user address');
|
||||
return;
|
||||
}
|
||||
|
||||
core.info(`🔨 Configuring Git committer (${user_name} <${user_email}>)`);
|
||||
await git.setConfig('user.name', user_name);
|
||||
await git.setConfig('user.email', user_email);
|
||||
core.info(`🔨 Configuring Git committer (${userName} <${userEmail}>)`);
|
||||
await git.setConfig('user.name', userName);
|
||||
await git.setConfig('user.email', userEmail);
|
||||
|
||||
if (git_commit_gpgsign) {
|
||||
if (inputs.gitCommitGpgsign) {
|
||||
core.info('💎 Sign all commits automatically');
|
||||
await git.setConfig('commit.gpgsign', 'true');
|
||||
}
|
||||
if (git_tag_gpgsign) {
|
||||
if (inputs.gitTagGpgsign) {
|
||||
core.info('💎 Sign all tags automatically');
|
||||
await git.setConfig('tag.gpgsign', 'true');
|
||||
}
|
||||
if (git_push_gpgsign) {
|
||||
if (inputs.gitPushGpgsign) {
|
||||
core.info('💎 Sign all pushes automatically');
|
||||
await git.setConfig('push.gpgsign', 'true');
|
||||
}
|
||||
|
@ -100,13 +91,13 @@ async function run(): Promise<void> {
|
|||
}
|
||||
|
||||
async function cleanup(): Promise<void> {
|
||||
if (!process.env.GPG_PRIVATE_KEY) {
|
||||
if (stateHelper.gpgPrivateKey.length <= 0) {
|
||||
core.debug('GPG private key is not defined. Skipping cleanup.');
|
||||
return;
|
||||
}
|
||||
try {
|
||||
core.info('🚿 Removing keys');
|
||||
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||
const privateKey = await openpgp.readPrivateKey(stateHelper.gpgPrivateKey);
|
||||
await gpg.deleteKey(privateKey.fingerprint);
|
||||
|
||||
core.info('💀 Killing GnuPG agent');
|
||||
|
@ -116,11 +107,8 @@ async function cleanup(): Promise<void> {
|
|||
}
|
||||
}
|
||||
|
||||
// Main
|
||||
if (!stateHelper.IsPost) {
|
||||
run();
|
||||
}
|
||||
// Post
|
||||
else {
|
||||
} else {
|
||||
cleanup();
|
||||
}
|
||||
|
|
|
@ -1,14 +1,12 @@
|
|||
// From https://github.com/actions/checkout/blob/master/src/state-helper.ts
|
||||
import * as core from '@actions/core';
|
||||
|
||||
import * as coreCommand from '@actions/core/lib/command';
|
||||
|
||||
/**
|
||||
* Indicates whether the POST action is running
|
||||
*/
|
||||
export const IsPost = !!process.env['STATE_isPost'];
|
||||
export const gpgPrivateKey = process.env['STATE_gpgPrivateKey'] || '';
|
||||
|
||||
// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
|
||||
// This is necessary since we don't have a separate entry point.
|
||||
if (!IsPost) {
|
||||
coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true');
|
||||
export function setGpgPrivateKey(gpgPrivateKey: string) {
|
||||
core.saveState('gpgPrivateKey', gpgPrivateKey);
|
||||
}
|
||||
|
||||
if (!IsPost) {
|
||||
core.saveState('isPost', 'true');
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue