Move GPG_PRIVATE_KEY env var to gpg-private-key input

Move PASSPHRASE env var to passphrase input
Rename git_user_signingkey input to git-user-signingkey
Rename git_commit_gpgsign input to git-commit-gpgsign
Rename git_tag_gpgsign input to git-tag-gpgsign
Rename git_push_gpgsign input to git-push-gpgsign
Rename git_committer_name input to git-committer-name
Rename git_committer_email input to git-committer-email
This commit is contained in:
CrazyMax 2020-09-06 22:03:16 +02:00
parent 9fd6a9a68f
commit 106dc525b1
No known key found for this signature in database
GPG key ID: 3248E46B6BB8C7F7
7 changed files with 2264 additions and 2211 deletions

View file

@ -40,13 +40,12 @@ jobs:
id: import_gpg
uses: ./
with:
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
git_push_gpgsign: true
env:
GPG_PRIVATE_KEY: ${{ steps.test.outputs.pgp }}
PASSPHRASE: ${{ steps.test.outputs.passphrase }}
gpg-private-key: ${{ steps.test.outputs.pgp }}
passphrase: ${{ steps.test.outputs.passphrase }}
git-user-signingkey: true
git-commit-gpgsign: true
git-tag-gpgsign: true
git-push-gpgsign: true
-
name: GPG user IDs
run: |
@ -82,13 +81,12 @@ jobs:
id: import_gpg
uses: ./
with:
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
git_push_gpgsign: true
env:
GPG_PRIVATE_KEY: ${{ steps.test.outputs.pgp-base64 }}
PASSPHRASE: ${{ steps.test.outputs.passphrase }}
gpg-private-key: ${{ steps.test.outputs.pgp-base64 }}
passphrase: ${{ steps.test.outputs.passphrase }}
git-user-signingkey: true
git-commit-gpgsign: true
git-tag-gpgsign: true
git-push-gpgsign: true
-
name: GPG user IDs
run: |

View file

@ -23,7 +23,6 @@ ___
* [Customizing](#customizing)
* [inputs](#inputs)
* [outputs](#outputs)
* [environment variables](#environment-variables)
* [Keep up-to-date with GitHub Dependabot](#keep-up-to-date-with-github-dependabot)
* [How can I help?](#how-can-i-help)
* [License](#license)
@ -78,10 +77,10 @@ jobs:
-
name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v2
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.PASSPHRASE }}
uses: crazy-max/ghaction-import-gpg@v3
with:
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
-
name: GPG user IDs
run: |
@ -109,13 +108,12 @@ jobs:
uses: actions/checkout@v2
-
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v2
uses: crazy-max/ghaction-import-gpg@v3
with:
git_user_signingkey: true
git_commit_gpgsign: true
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.PASSPHRASE }}
gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
git-user-signingkey: true
git-commit-gpgsign: true
-
name: Sign commit and push changes
run: |
@ -133,15 +131,17 @@ Following inputs can be used as `step.with` keys
| Name | Type | Description |
|---------------------------------------|---------|------------------------------------------------|
| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
| `git_commit_gpgsign`**¹** | Bool | Sign all commits automatically. (default `false`) |
| `git_tag_gpgsign`**¹** | Bool | Sign all tags automatically. (default `false`) |
| `git_push_gpgsign`**¹** | Bool | Sign all pushes automatically. (default `false`) |
| `git_committer_name`**¹** | String | Set commit author's name (defaults to the name associated with the GPG key) |
| `git_committer_email`**¹** | String | Set commit author's email (defaults to the email address associated with the GPG key) |
| `gpg-private-key` | String | GPG private key exported as an ASCII armored version or its base64 encoding (**required**) |
| `passphrase` | String | Passphrase of the GPG private key |
| `git-user-signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
| `git-commit-gpgsign`**¹** | Bool | Sign all commits automatically. (default `false`) |
| `git-tag-gpgsign`**¹** | Bool | Sign all tags automatically. (default `false`) |
| `git-push-gpgsign`**¹** | Bool | Sign all pushes automatically. (default `false`) |
| `git-committer-name`**¹** | String | Set commit author's name (defaults to the name associated with the GPG key) |
| `git-committer-email`**¹** | String | Set commit author's email (defaults to the email address associated with the GPG key) |
| `workdir` | String | Working directory (below repository root) (default `.`) |
> **¹** `git_user_signingkey` needs to be enabled for these inputs to be used.
> **¹** `git-user-signingkey` needs to be enabled for these inputs to be used.
### outputs
@ -154,15 +154,6 @@ Following outputs are available
| `name` | String | Name associated with the GPG key |
| `email` | String | Email address associated with the GPG key |
### environment variables
Following environment variables must be used as `step.env` keys
| Name | Description |
|--------------------|---------------------------------------|
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version or its base64 encoding (**required**) |
| `PASSPHRASE` | Passphrase of the `GPG_PRIVATE_KEY` key if setted |
## Keep up-to-date with GitHub Dependabot
Since [Dependabot](https://docs.github.com/en/github/administering-a-repository/keeping-your-actions-up-to-date-with-github-dependabot)

View file

@ -7,26 +7,32 @@ branding:
icon: 'lock'
inputs:
git_user_signingkey:
gpg-private-key:
description: 'GPG private key exported as an ASCII armored version or its base64 encoding'
required: true
passphrase:
description: 'Passphrase of the GPG private key'
required: false
git-user-signingkey:
description: 'Set GPG signing keyID for this Git repository'
default: 'false'
required: false
git_commit_gpgsign:
description: 'Sign all commits automatically. git_user_signingkey needs to be enabled'
git-commit-gpgsign:
description: 'Sign all commits automatically. git-user-signingkey needs to be enabled'
default: 'false'
required: false
git_tag_gpgsign:
description: 'Sign all tags automatically. git_user_signingkey needs to be enabled'
git-tag-gpgsign:
description: 'Sign all tags automatically. git-user-signingkey needs to be enabled'
default: 'false'
required: false
git_push_gpgsign:
description: 'Sign all pushes automatically. git_user_signingkey needs to be enabled'
git-push-gpgsign:
description: 'Sign all pushes automatically. git-user-signingkey needs to be enabled'
default: 'false'
required: false
git_committer_name:
git-committer-name:
description: 'Commit author''s name'
required: false
git_committer_email:
git-committer-email:
description: 'Commit author''s email'
required: false
workdir:

4273
dist/index.js generated vendored

File diff suppressed because it is too large Load diff

27
src/context.ts Normal file
View file

@ -0,0 +1,27 @@
import * as core from '@actions/core';
export interface Inputs {
gpgPrivateKey: string;
passphrase: string;
gitUserSigningkey: boolean;
gitCommitGpgsign: boolean;
gitTagGpgsign: boolean;
gitPushGpgsign: boolean;
gitCommitterName: string;
gitCommitterEmail: string;
workdir: string;
}
export async function getInputs(): Promise<Inputs> {
return {
gpgPrivateKey: core.getInput('gpg-private-key', {required: true}),
passphrase: core.getInput('passphrase'),
gitUserSigningkey: /true/i.test(core.getInput('git-user-signingkey')),
gitCommitGpgsign: /true/i.test(core.getInput('git-commit-gpgsign')),
gitTagGpgsign: /true/i.test(core.getInput('git-tag-gpgsign')),
gitPushGpgsign: /true/i.test(core.getInput('git-push-gpgsign')),
gitCommitterName: core.getInput('git-committer-name'),
gitCommitterEmail: core.getInput('git-committer-name'),
workdir: core.getInput('workdir') || '.'
};
}

View file

@ -1,4 +1,5 @@
import * as core from '@actions/core';
import * as context from './context';
import * as git from './git';
import * as gpg from './gpg';
import * as openpgp from './openpgp';
@ -6,22 +7,12 @@ import * as stateHelper from './state-helper';
async function run(): Promise<void> {
try {
if (!process.env.GPG_PRIVATE_KEY) {
core.setFailed('GPG private key required');
return;
}
let inputs: context.Inputs = await context.getInputs();
stateHelper.setGpgPrivateKey(inputs.gpgPrivateKey);
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
const git_committer_name: string = core.getInput('git_committer_name');
const git_committer_email: string = core.getInput('git_committer_email');
const workdir: string = core.getInput('workdir') || '.';
if (workdir && workdir !== '.') {
core.info(`📂 Using ${workdir} as working directory...`);
process.chdir(workdir);
if (inputs.workdir && inputs.workdir !== '.') {
core.info(`📂 Using ${inputs.workdir} as working directory...`);
process.chdir(inputs.workdir);
}
core.info('📣 GnuPG info');
@ -34,7 +25,7 @@ async function run(): Promise<void> {
core.info(`Homedir : ${dirs.homedir}`);
core.info('🔮 Checking GPG private key');
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
const privateKey = await openpgp.readPrivateKey(inputs.gpgPrivateKey);
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
core.debug(`KeyID : ${privateKey.keyID}`);
core.debug(`Name : ${privateKey.name}`);
@ -42,18 +33,18 @@ async function run(): Promise<void> {
core.debug(`CreationTime : ${privateKey.creationTime}`);
core.info('🔑 Importing GPG private key');
await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
await gpg.importKey(inputs.gpgPrivateKey).then(stdout => {
core.debug(stdout);
});
if (process.env.PASSPHRASE) {
if (inputs.passphrase) {
core.info('⚙️ Configuring GnuPG agent');
await gpg.configureAgent(gpg.agentConfig);
core.info('📌 Getting keygrips');
for (let keygrip of await gpg.getKeygrips(privateKey.fingerprint)) {
core.info(`🔓 Presetting passphrase for ${keygrip}`);
await gpg.presetPassphrase(keygrip, process.env.PASSPHRASE).then(stdout => {
await gpg.presetPassphrase(keygrip, inputs.passphrase).then(stdout => {
core.debug(stdout);
});
}
@ -65,31 +56,31 @@ async function run(): Promise<void> {
core.setOutput('name', privateKey.name);
core.setOutput('email', privateKey.email);
if (git_user_signingkey) {
if (inputs.gitUserSigningkey) {
core.info('🔐 Setting GPG signing keyID for this Git repository');
await git.setConfig('user.signingkey', privateKey.keyID);
const user_email = git_committer_email || privateKey.email;
const user_name = git_committer_name || privateKey.name;
const userEmail = inputs.gitCommitterEmail || privateKey.email;
const userName = inputs.gitCommitterName || privateKey.name;
if (user_email != privateKey.email) {
if (userEmail != privateKey.email) {
core.setFailed('Committer email does not match GPG key user address');
return;
}
core.info(`🔨 Configuring Git committer (${user_name} <${user_email}>)`);
await git.setConfig('user.name', user_name);
await git.setConfig('user.email', user_email);
core.info(`🔨 Configuring Git committer (${userName} <${userEmail}>)`);
await git.setConfig('user.name', userName);
await git.setConfig('user.email', userEmail);
if (git_commit_gpgsign) {
if (inputs.gitCommitGpgsign) {
core.info('💎 Sign all commits automatically');
await git.setConfig('commit.gpgsign', 'true');
}
if (git_tag_gpgsign) {
if (inputs.gitTagGpgsign) {
core.info('💎 Sign all tags automatically');
await git.setConfig('tag.gpgsign', 'true');
}
if (git_push_gpgsign) {
if (inputs.gitPushGpgsign) {
core.info('💎 Sign all pushes automatically');
await git.setConfig('push.gpgsign', 'true');
}
@ -100,13 +91,13 @@ async function run(): Promise<void> {
}
async function cleanup(): Promise<void> {
if (!process.env.GPG_PRIVATE_KEY) {
if (stateHelper.gpgPrivateKey.length <= 0) {
core.debug('GPG private key is not defined. Skipping cleanup.');
return;
}
try {
core.info('🚿 Removing keys');
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
const privateKey = await openpgp.readPrivateKey(stateHelper.gpgPrivateKey);
await gpg.deleteKey(privateKey.fingerprint);
core.info('💀 Killing GnuPG agent');
@ -116,11 +107,8 @@ async function cleanup(): Promise<void> {
}
}
// Main
if (!stateHelper.IsPost) {
run();
}
// Post
else {
} else {
cleanup();
}

View file

@ -1,14 +1,12 @@
// From https://github.com/actions/checkout/blob/master/src/state-helper.ts
import * as core from '@actions/core';
import * as coreCommand from '@actions/core/lib/command';
/**
* Indicates whether the POST action is running
*/
export const IsPost = !!process.env['STATE_isPost'];
export const gpgPrivateKey = process.env['STATE_gpgPrivateKey'] || '';
// Publish a variable so that when the POST action runs, it can determine it should run the cleanup logic.
// This is necessary since we don't have a separate entry point.
if (!IsPost) {
coreCommand.issueCommand('save-state', {name: 'isPost'}, 'true');
export function setGpgPrivateKey(gpgPrivateKey: string) {
core.saveState('gpgPrivateKey', gpgPrivateKey);
}
if (!IsPost) {
core.saveState('isPost', 'true');
}