Add git_tag_gpgsign and git_push_gpgsign inputs

Some inputs and secrets have been renamed
This commit is contained in:
CrazyMax 2020-05-06 01:15:33 +02:00
parent a71299c503
commit e097cc9691
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG key ID: 3248E46B6BB8C7F7
4 changed files with 86 additions and 41 deletions


@ -34,12 +34,15 @@ jobs:
run: |
env|sort
-
name: Import GPG key
name: Import GPG private key
uses: ./
with:
git_gpgsign: true
git_user_gpgsign: true
git_commit_gpgsign: true
git_tag_gpgsign: true
git_push_gpgsign: true
git_committer_name: Joe Tester
git_committer_email: joe@foo.bar
env:
SIGNING_KEY: ${{ secrets.SIGNING_KEY_TEST }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }}
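Review bot: `git_user_gpgsign: true` in this step's `with:` block is not an input the action reads — the source in this same commit reads `core.getInput('git_user_signingkey')` and the README example uses that name, so on this workflow the flag stays false, the `if (git_user_signingkey)` branch that writes `user.signingkey`, `commit.gpgsign`, `tag.gpgsign` and `push.gpgsign` is skipped, and the run never exercises the three new inputs even though they are all set to `true`. Change the line to `git_user_signingkey: true`; `action.yml` is not in this view, so also confirm it does not declare `git_user_gpgsign` as an alias. Separately, `git_push_gpgsign: true` makes the action set `push.gpgsign=true`, which signs every push unconditionally and will fail the push against any remote that does not accept push certificates; it is worth checking that the test's target remote supports signed pushes, or having the action write `if-asked` for this option. The `steps:` list this step belongs to starts outside the hunk.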


@ -28,7 +28,7 @@ On your local machine, export the GPG private key as an ASCII armored version:
gpg --armor --export-secret-key --output key.pgp joe@foo.bar
```
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `SIGNING_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `GPG_PRIVATE_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
```yaml
name: import-gpg
@ -48,10 +48,19 @@ jobs:
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v1
with:
git_gpgsign: true
git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
env:
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.PASSPHRASE }}
-
name: Sign commit and push changes
run: |
echo foo > bar.txt
git add .
git commit -S -m "This commit is signed!"
git push
```
## Customizing
@ -62,7 +71,10 @@ Following inputs can be used as `step.with` keys
| Name | Type | Description |
|------------------------|---------|----------------------------------------------------------|
| `git_gpgsign` | Bool | Enable signing for this Git repository (default `false`) |
| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
| `git_commit_gpgsign` | Bool | Sign all commits automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
| `git_tag_gpgsign` | Bool | Sign all tags automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
| `git_push_gpgsign` | Bool | Sign all pushes automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
| `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) |
| `git_committer_email` | String | Commit author's email (default `<committer_name>@users.noreply.github.com`) |
@ -70,10 +82,10 @@ Following inputs can be used as `step.with` keys
Following environment variables can be used as `step.env` keys
| Name | Description |
|----------------|---------------------------------------|
| `SIGNING_KEY` | GPG private key exported as an ASCII armored version |
| `PASSPHRASE` | Passphrase of your GPG key if setted for your `SIGNING_KEY` |
| Name | Description |
|--------------------|---------------------------------------|
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version |
| `PASSPHRASE` | Passphrase of your `GPG_PRIVATE_KEY` key if setted |
## How can I help?

44
dist/index.js generated vendored

@ -1019,11 +1019,14 @@ const stateHelper = __importStar(__webpack_require__(153));
function run() {
return __awaiter(this, void 0, void 0, function* () {
try {
if (!process.env.SIGNING_KEY) {
core.setFailed('Signing key required');
if (!process.env.GPG_PRIVATE_KEY) {
core.setFailed('GPG private key required');
return;
}
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`;
core.info('📣 GnuPG info');
@ -1034,15 +1037,15 @@ function run() {
core.info(`Libexecdir : ${dirs.libexecdir}`);
core.info(`Datadir : ${dirs.datadir}`);
core.info(`Homedir : ${dirs.homedir}`);
core.info('🔮 Checking signing key');
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
core.info('🔮 Checking GPG private key');
const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
core.debug(`KeyID : ${privateKey.keyID}`);
core.debug(`Name : ${privateKey.name}`);
core.debug(`Email : ${privateKey.email}`);
core.debug(`CreationTime : ${privateKey.creationTime}`);
core.info('🔑 Importing secret key');
yield gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
core.info('🔑 Importing GPG private key');
yield gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
core.debug(stdout);
});
if (process.env.PASSPHRASE) {
@ -1056,17 +1059,28 @@ function run() {
core.debug(stdout);
});
}
if (git_gpgsign) {
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
if (git_user_signingkey) {
core.info('🔐 Setting GPG signing keyID for this Git repository');
yield git.setConfig('user.signingkey', privateKey.keyID);
if (git_committer_email != privateKey.email) {
core.setFailed('Committer email does not match GPG key user address');
return;
}
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
yield git.setConfig('user.name', git_committer_name);
yield git.setConfig('user.email', git_committer_email);
core.info('💎 Enable signing for this Git repository');
yield git.setConfig('commit.gpgsign', 'true');
yield git.setConfig('user.signingkey', privateKey.keyID);
if (git_commit_gpgsign) {
core.info('💎 Sign all commits automatically');
yield git.setConfig('commit.gpgsign', 'true');
}
if (git_tag_gpgsign) {
core.info('💎 Sign all tags automatically');
yield git.setConfig('tag.gpgsign', 'true');
}
if (git_push_gpgsign) {
core.info('💎 Sign all pushes automatically');
yield git.setConfig('push.gpgsign', 'true');
}
}
}
catch (error) {
@ -1076,13 +1090,13 @@ function run() {
}
function cleanup() {
return __awaiter(this, void 0, void 0, function* () {
if (!process.env.SIGNING_KEY) {
core.debug('Signing key is not defined. Skipping cleanup.');
if (!process.env.GPG_PRIVATE_KEY) {
core.debug('GPG private key is not defined. Skipping cleanup.');
return;
}
try {
core.info('🚿 Removing keys');
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
yield gpg.deleteKey(privateKey.fingerprint);
core.info('💀 Killing GnuPG agent');
yield gpg.killAgent();


@ -6,12 +6,15 @@ import * as stateHelper from './state-helper';
async function run(): Promise<void> {
try {
if (!process.env.SIGNING_KEY) {
core.setFailed('Signing key required');
if (!process.env.GPG_PRIVATE_KEY) {
core.setFailed('GPG private key required');
return;
}
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
const git_committer_name: string =
core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
const git_committer_email: string =
@ -26,16 +29,16 @@ async function run(): Promise<void> {
core.info(`Datadir : ${dirs.datadir}`);
core.info(`Homedir : ${dirs.homedir}`);
core.info('🔮 Checking signing key');
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
core.info('🔮 Checking GPG private key');
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
core.debug(`KeyID : ${privateKey.keyID}`);
core.debug(`Name : ${privateKey.name}`);
core.debug(`Email : ${privateKey.email}`);
core.debug(`CreationTime : ${privateKey.creationTime}`);
core.info('🔑 Importing secret key');
await gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
core.info('🔑 Importing GPG private key');
await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
core.debug(stdout);
});
@ -53,18 +56,31 @@ async function run(): Promise<void> {
});
}
if (git_gpgsign) {
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
if (git_user_signingkey) {
core.info('🔐 Setting GPG signing keyID for this Git repository');
await git.setConfig('user.signingkey', privateKey.keyID);
if (git_committer_email != privateKey.email) {
core.setFailed('Committer email does not match GPG key user address');
return;
}
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
await git.setConfig('user.name', git_committer_name);
await git.setConfig('user.email', git_committer_email);
core.info('💎 Enable signing for this Git repository');
await git.setConfig('commit.gpgsign', 'true');
await git.setConfig('user.signingkey', privateKey.keyID);
if (git_commit_gpgsign) {
core.info('💎 Sign all commits automatically');
await git.setConfig('commit.gpgsign', 'true');
}
if (git_tag_gpgsign) {
core.info('💎 Sign all tags automatically');
await git.setConfig('tag.gpgsign', 'true');
}
if (git_push_gpgsign) {
core.info('💎 Sign all pushes automatically');
await git.setConfig('push.gpgsign', 'true');
}
}
} catch (error) {
core.setFailed(error.message);
@ -72,13 +88,13 @@ async function run(): Promise<void> {
}
async function cleanup(): Promise<void> {
if (!process.env.SIGNING_KEY) {
core.debug('Signing key is not defined. Skipping cleanup.');
if (!process.env.GPG_PRIVATE_KEY) {
core.debug('GPG private key is not defined. Skipping cleanup.');
return;
}
try {
core.info('🚿 Removing keys');
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
await gpg.deleteKey(privateKey.fingerprint);
core.info('💀 Killing GnuPG agent');