mirror of
https://github.com/crazy-max/ghaction-import-gpg.git
synced 2024-12-23 19:52:09 -05:00
Add git_tag_gpgsign and git_push_gpgsign inputs
Some inputs and secrets have been renamed
This commit is contained in:
parent
a71299c503
commit
e097cc9691
4 changed files with 86 additions and 41 deletions
9
.github/workflows/ci.yml
vendored
9
.github/workflows/ci.yml
vendored
|
@ -34,12 +34,15 @@ jobs:
|
|||
run: |
|
||||
env|sort
|
||||
-
|
||||
name: Import GPG key
|
||||
name: Import GPG private key
|
||||
uses: ./
|
||||
with:
|
||||
git_gpgsign: true
|
||||
git_user_gpgsign: true
|
||||
git_commit_gpgsign: true
|
||||
git_tag_gpgsign: true
|
||||
git_push_gpgsign: true
|
||||
git_committer_name: Joe Tester
|
||||
git_committer_email: joe@foo.bar
|
||||
env:
|
||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY_TEST }}
|
||||
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
|
||||
PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }}
|
||||
|
|
28
README.md
28
README.md
|
@ -28,7 +28,7 @@ On your local machine, export the GPG private key as an ASCII armored version:
|
|||
gpg --armor --export-secret-key --output key.pgp joe@foo.bar
|
||||
```
|
||||
|
||||
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `SIGNING_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
|
||||
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `GPG_PRIVATE_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
|
||||
|
||||
```yaml
|
||||
name: import-gpg
|
||||
|
@ -48,10 +48,19 @@ jobs:
|
|||
name: Import GPG key
|
||||
uses: crazy-max/ghaction-import-gpg@v1
|
||||
with:
|
||||
git_gpgsign: true
|
||||
git_user_signingkey: true
|
||||
git_commit_gpgsign: true
|
||||
git_tag_gpgsign: true
|
||||
env:
|
||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
|
||||
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||
PASSPHRASE: ${{ secrets.PASSPHRASE }}
|
||||
-
|
||||
name: Sign commit and push changes
|
||||
run: |
|
||||
echo foo > bar.txt
|
||||
git add .
|
||||
git commit -S -m "This commit is signed!"
|
||||
git push
|
||||
```
|
||||
|
||||
## Customizing
|
||||
|
@ -62,7 +71,10 @@ Following inputs can be used as `step.with` keys
|
|||
|
||||
| Name | Type | Description |
|
||||
|------------------------|---------|----------------------------------------------------------|
|
||||
| `git_gpgsign` | Bool | Enable signing for this Git repository (default `false`) |
|
||||
| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
|
||||
| `git_commit_gpgsign` | Bool | Sign all commits automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
|
||||
| `git_tag_gpgsign` | Bool | Sign all tags automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
|
||||
| `git_push_gpgsign` | Bool | Sign all pushes automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
|
||||
| `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) |
|
||||
| `git_committer_email` | String | Commit author's email (default `<committer_name>@users.noreply.github.com`) |
|
||||
|
||||
|
@ -70,10 +82,10 @@ Following inputs can be used as `step.with` keys
|
|||
|
||||
Following environment variables can be used as `step.env` keys
|
||||
|
||||
| Name | Description |
|
||||
|----------------|---------------------------------------|
|
||||
| `SIGNING_KEY` | GPG private key exported as an ASCII armored version |
|
||||
| `PASSPHRASE` | Passphrase of your GPG key if setted for your `SIGNING_KEY` |
|
||||
| Name | Description |
|
||||
|--------------------|---------------------------------------|
|
||||
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version |
|
||||
| `PASSPHRASE` | Passphrase of your `GPG_PRIVATE_KEY` key if setted |
|
||||
|
||||
## How can I help?
|
||||
|
||||
|
|
44
dist/index.js
generated
vendored
44
dist/index.js
generated
vendored
|
@ -1019,11 +1019,14 @@ const stateHelper = __importStar(__webpack_require__(153));
|
|||
function run() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
try {
|
||||
if (!process.env.SIGNING_KEY) {
|
||||
core.setFailed('Signing key required');
|
||||
if (!process.env.GPG_PRIVATE_KEY) {
|
||||
core.setFailed('GPG private key required');
|
||||
return;
|
||||
}
|
||||
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
|
||||
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
|
||||
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
|
||||
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
|
||||
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
|
||||
const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
|
||||
const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`;
|
||||
core.info('📣 GnuPG info');
|
||||
|
@ -1034,15 +1037,15 @@ function run() {
|
|||
core.info(`Libexecdir : ${dirs.libexecdir}`);
|
||||
core.info(`Datadir : ${dirs.datadir}`);
|
||||
core.info(`Homedir : ${dirs.homedir}`);
|
||||
core.info('🔮 Checking signing key');
|
||||
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
||||
core.info('🔮 Checking GPG private key');
|
||||
const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
||||
core.debug(`KeyID : ${privateKey.keyID}`);
|
||||
core.debug(`Name : ${privateKey.name}`);
|
||||
core.debug(`Email : ${privateKey.email}`);
|
||||
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
||||
core.info('🔑 Importing secret key');
|
||||
yield gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
|
||||
core.info('🔑 Importing GPG private key');
|
||||
yield gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
|
||||
core.debug(stdout);
|
||||
});
|
||||
if (process.env.PASSPHRASE) {
|
||||
|
@ -1056,17 +1059,28 @@ function run() {
|
|||
core.debug(stdout);
|
||||
});
|
||||
}
|
||||
if (git_gpgsign) {
|
||||
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
||||
if (git_user_signingkey) {
|
||||
core.info('🔐 Setting GPG signing keyID for this Git repository');
|
||||
yield git.setConfig('user.signingkey', privateKey.keyID);
|
||||
if (git_committer_email != privateKey.email) {
|
||||
core.setFailed('Committer email does not match GPG key user address');
|
||||
return;
|
||||
}
|
||||
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
||||
yield git.setConfig('user.name', git_committer_name);
|
||||
yield git.setConfig('user.email', git_committer_email);
|
||||
core.info('💎 Enable signing for this Git repository');
|
||||
yield git.setConfig('commit.gpgsign', 'true');
|
||||
yield git.setConfig('user.signingkey', privateKey.keyID);
|
||||
if (git_commit_gpgsign) {
|
||||
core.info('💎 Sign all commits automatically');
|
||||
yield git.setConfig('commit.gpgsign', 'true');
|
||||
}
|
||||
if (git_tag_gpgsign) {
|
||||
core.info('💎 Sign all tags automatically');
|
||||
yield git.setConfig('tag.gpgsign', 'true');
|
||||
}
|
||||
if (git_push_gpgsign) {
|
||||
core.info('💎 Sign all pushes automatically');
|
||||
yield git.setConfig('push.gpgsign', 'true');
|
||||
}
|
||||
}
|
||||
}
|
||||
catch (error) {
|
||||
|
@ -1076,13 +1090,13 @@ function run() {
|
|||
}
|
||||
function cleanup() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
if (!process.env.SIGNING_KEY) {
|
||||
core.debug('Signing key is not defined. Skipping cleanup.');
|
||||
if (!process.env.GPG_PRIVATE_KEY) {
|
||||
core.debug('GPG private key is not defined. Skipping cleanup.');
|
||||
return;
|
||||
}
|
||||
try {
|
||||
core.info('🚿 Removing keys');
|
||||
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
||||
const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||
yield gpg.deleteKey(privateKey.fingerprint);
|
||||
core.info('💀 Killing GnuPG agent');
|
||||
yield gpg.killAgent();
|
||||
|
|
46
src/main.ts
46
src/main.ts
|
@ -6,12 +6,15 @@ import * as stateHelper from './state-helper';
|
|||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
if (!process.env.SIGNING_KEY) {
|
||||
core.setFailed('Signing key required');
|
||||
if (!process.env.GPG_PRIVATE_KEY) {
|
||||
core.setFailed('GPG private key required');
|
||||
return;
|
||||
}
|
||||
|
||||
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
|
||||
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
|
||||
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
|
||||
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
|
||||
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
|
||||
const git_committer_name: string =
|
||||
core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
|
||||
const git_committer_email: string =
|
||||
|
@ -26,16 +29,16 @@ async function run(): Promise<void> {
|
|||
core.info(`Datadir : ${dirs.datadir}`);
|
||||
core.info(`Homedir : ${dirs.homedir}`);
|
||||
|
||||
core.info('🔮 Checking signing key');
|
||||
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
||||
core.info('🔮 Checking GPG private key');
|
||||
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
||||
core.debug(`KeyID : ${privateKey.keyID}`);
|
||||
core.debug(`Name : ${privateKey.name}`);
|
||||
core.debug(`Email : ${privateKey.email}`);
|
||||
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
||||
|
||||
core.info('🔑 Importing secret key');
|
||||
await gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
|
||||
core.info('🔑 Importing GPG private key');
|
||||
await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
|
||||
core.debug(stdout);
|
||||
});
|
||||
|
||||
|
@ -53,18 +56,31 @@ async function run(): Promise<void> {
|
|||
});
|
||||
}
|
||||
|
||||
if (git_gpgsign) {
|
||||
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
||||
if (git_user_signingkey) {
|
||||
core.info('🔐 Setting GPG signing keyID for this Git repository');
|
||||
await git.setConfig('user.signingkey', privateKey.keyID);
|
||||
|
||||
if (git_committer_email != privateKey.email) {
|
||||
core.setFailed('Committer email does not match GPG key user address');
|
||||
return;
|
||||
}
|
||||
|
||||
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
||||
await git.setConfig('user.name', git_committer_name);
|
||||
await git.setConfig('user.email', git_committer_email);
|
||||
|
||||
core.info('💎 Enable signing for this Git repository');
|
||||
await git.setConfig('commit.gpgsign', 'true');
|
||||
await git.setConfig('user.signingkey', privateKey.keyID);
|
||||
if (git_commit_gpgsign) {
|
||||
core.info('💎 Sign all commits automatically');
|
||||
await git.setConfig('commit.gpgsign', 'true');
|
||||
}
|
||||
if (git_tag_gpgsign) {
|
||||
core.info('💎 Sign all tags automatically');
|
||||
await git.setConfig('tag.gpgsign', 'true');
|
||||
}
|
||||
if (git_push_gpgsign) {
|
||||
core.info('💎 Sign all pushes automatically');
|
||||
await git.setConfig('push.gpgsign', 'true');
|
||||
}
|
||||
}
|
||||
} catch (error) {
|
||||
core.setFailed(error.message);
|
||||
|
@ -72,13 +88,13 @@ async function run(): Promise<void> {
|
|||
}
|
||||
|
||||
async function cleanup(): Promise<void> {
|
||||
if (!process.env.SIGNING_KEY) {
|
||||
core.debug('Signing key is not defined. Skipping cleanup.');
|
||||
if (!process.env.GPG_PRIVATE_KEY) {
|
||||
core.debug('GPG private key is not defined. Skipping cleanup.');
|
||||
return;
|
||||
}
|
||||
try {
|
||||
core.info('🚿 Removing keys');
|
||||
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
||||
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||
await gpg.deleteKey(privateKey.fingerprint);
|
||||
|
||||
core.info('💀 Killing GnuPG agent');
|
||||
|
|
Loading…
Reference in a new issue