diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bcc3ff5..438cc1c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,12 +34,15 @@ jobs:
 run: |
 env|sort
 -
- name: Import GPG key
+ name: Import GPG private key
 uses: ./
 with:
- git_gpgsign: true
+ git_user_gpgsign: true
+ git_commit_gpgsign: true
+ git_tag_gpgsign: true
+ git_push_gpgsign: true
 git_committer_name: Joe Tester
 git_committer_email: joe@foo.bar
 env:
- SIGNING_KEY: ${{ secrets.SIGNING_KEY_TEST }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
 PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }}
diff --git a/README.md b/README.md
index 65ddacb..545d8c4 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ On your local machine, export the GPG private key as an ASCII armored version:
 gpg --armor --export-secret-key --output key.pgp joe@foo.bar
 ```
-Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `SIGNING_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
+Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `GPG_PRIVATE_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
 ```yaml
 name: import-gpg
@@ -48,10 +48,19 @@ jobs:
 name: Import GPG key
 uses: crazy-max/ghaction-import-gpg@v1
 with:
- git_gpgsign: true
+ git_user_signingkey: true
+ git_commit_gpgsign: true
+ git_tag_gpgsign: true
 env:
- SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+ GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
 PASSPHRASE: ${{ secrets.PASSPHRASE }}
+ -
+ name: Sign commit and push changes
+ run: |
+ echo foo > bar.txt
+ git add .
+ git commit -S -m "This commit is signed!"
+ git push
 ```
 ## Customizing
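Review bot: The test workflow sets `git_user_gpgsign: true`, but the input the action reads (and the README in this same commit documents) is `git_user_signingkey`; with that input unset the `if (git_user_signingkey)` branch in src/main.ts is skipped, so `git_commit_gpgsign`, `git_tag_gpgsign` and `git_push_gpgsign` become no-ops and this CI run never exercises the Git signing configuration it appears to test. If action.yml does not declare `git_user_gpgsign`, the runner will only emit an "unexpected input" warning rather than fail, so the typo stays invisible. Change the line to `git_user_signingkey: true`. Consider also adding a step after this one that makes a signed commit, as the README example now does, so a regression in the signing setup fails the build instead of passing silently.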
@@ -62,7 +71,10 @@ Following inputs can be used as `step.with` keys
 | Name | Type | Description |
 |------------------------|---------|----------------------------------------------------------|
-| `git_gpgsign` | Bool | Enable signing for this Git repository (default `false`) |
+| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
+| `git_commit_gpgsign` | Bool | Sign all commits automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
+| `git_tag_gpgsign` | Bool | Sign all tags automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
+| `git_push_gpgsign` | Bool | Sign all pushes automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
 | `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) |
 | `git_committer_email` | String | Commit author's email (default `@users.noreply.github.com`) |
@@ -70,10 +82,10 @@ Following inputs can be used as `step.with` keys
 Following environment variables can be used as `step.env` keys
-| Name | Description |
-|----------------|---------------------------------------|
-| `SIGNING_KEY` | GPG private key exported as an ASCII armored version |
-| `PASSPHRASE` | Passphrase of your GPG key if setted for your `SIGNING_KEY` |
+| Name | Description |
+|--------------------|---------------------------------------|
+| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version |
+| `PASSPHRASE` | Passphrase of your `GPG_PRIVATE_KEY` key if setted |
 ## How can I help?
diff --git a/dist/index.js b/dist/index.js
index 42876ae..d57945f 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -1019,11 +1019,14 @@ const stateHelper = __importStar(__webpack_require__(153));
 function run() {
 return __awaiter(this, void 0, void 0, function* () {
 try {
- if (!process.env.SIGNING_KEY) {
- core.setFailed('Signing key required');
+ if (!process.env.GPG_PRIVATE_KEY) {
+ core.setFailed('GPG private key required');
 return;
 }
- const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
+ const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
+ const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
+ const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
+ const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
 const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
 const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`;
 core.info('📣 GnuPG info');
@@ -1034,15 +1037,15 @@ function run() {
 core.info(`Libexecdir : ${dirs.libexecdir}`);
 core.info(`Datadir : ${dirs.datadir}`);
 core.info(`Homedir : ${dirs.homedir}`);
- core.info('🔮 Checking signing key');
- const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
+ core.info('🔮 Checking GPG private key');
+ const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
 core.debug(`Fingerprint : ${privateKey.fingerprint}`);
 core.debug(`KeyID : ${privateKey.keyID}`);
 core.debug(`Name : ${privateKey.name}`);
 core.debug(`Email : ${privateKey.email}`);
 core.debug(`CreationTime : ${privateKey.creationTime}`);
- core.info('🔑 Importing secret key');
- yield gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
+ core.info('🔑 Importing GPG private key');
+ yield gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
 core.debug(stdout);
 });
 if (process.env.PASSPHRASE) {
@@ -1056,17 +1059,28 @@ function run() {
 core.debug(stdout);
 });
 }
- if (git_gpgsign) {
- core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
+ if (git_user_signingkey) {
+ core.info('🔐 Setting GPG signing keyID for this Git repository');
+ yield git.setConfig('user.signingkey', privateKey.keyID);
 if (git_committer_email != privateKey.email) {
 core.setFailed('Committer email does not match GPG key user address');
 return;
 }
+ core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
 yield git.setConfig('user.name', git_committer_name);
 yield git.setConfig('user.email', git_committer_email);
- core.info('💎 Enable signing for this Git repository');
- yield git.setConfig('commit.gpgsign', 'true');
- yield git.setConfig('user.signingkey', privateKey.keyID);
+ if (git_commit_gpgsign) {
+ core.info('💎 Sign all commits automatically');
+ yield git.setConfig('commit.gpgsign', 'true');
+ }
+ if (git_tag_gpgsign) {
+ core.info('💎 Sign all tags automatically');
+ yield git.setConfig('tag.gpgsign', 'true');
+ }
+ if (git_push_gpgsign) {
+ core.info('💎 Sign all pushes automatically');
+ yield git.setConfig('push.gpgsign', 'true');
+ }
 }
 } catch (error) {
@@ -1076,13 +1090,13 @@ function run() {
 }
 function cleanup() {
 return __awaiter(this, void 0, void 0, function* () {
- if (!process.env.SIGNING_KEY) {
- core.debug('Signing key is not defined. Skipping cleanup.');
+ if (!process.env.GPG_PRIVATE_KEY) {
+ core.debug('GPG private key is not defined. Skipping cleanup.');
 return;
 }
 try {
 core.info('🚿 Removing keys');
- const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
+ const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
 yield gpg.deleteKey(privateKey.fingerprint);
 core.info('💀 Killing GnuPG agent');
 yield gpg.killAgent();
diff --git a/src/main.ts b/src/main.ts
index 9ec5168..6f2072c 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -6,12 +6,15 @@ import * as stateHelper from './state-helper';
 async function run(): Promise {
 try {
- if (!process.env.SIGNING_KEY) {
- core.setFailed('Signing key required');
+ if (!process.env.GPG_PRIVATE_KEY) {
+ core.setFailed('GPG private key required');
 return;
 }
- const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
+ const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
+ const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
+ const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
+ const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
 const git_committer_name: string = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
 const git_committer_email: string =
@@ -26,16 +29,16 @@ async function run(): Promise {
 core.info(`Datadir : ${dirs.datadir}`);
 core.info(`Homedir : ${dirs.homedir}`);
- core.info('🔮 Checking signing key');
- const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
+ core.info('🔮 Checking GPG private key');
+ const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
 core.debug(`Fingerprint : ${privateKey.fingerprint}`);
 core.debug(`KeyID : ${privateKey.keyID}`);
 core.debug(`Name : ${privateKey.name}`);
 core.debug(`Email : ${privateKey.email}`);
 core.debug(`CreationTime : ${privateKey.creationTime}`);
- core.info('🔑 Importing secret key');
- await gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
+ core.info('🔑 Importing GPG private key');
+ await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
 core.debug(stdout);
 });
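Review bot: The three `git_*_gpgsign` flags parsed in the first hunk are silently ignored when `git_user_signingkey` is false, because the later `if (git_user_signingkey)` gate in run() wraps all of the `commit.gpgsign`/`tag.gpgsign`/`push.gpgsign` writes; the README says the key input "needs to be enabled", but a user who sets only `git_commit_gpgsign: true` gets a green step and unsigned commits with no hint why. Add a check right after the four consts, e.g. `if ((git_commit_gpgsign || git_tag_gpgsign || git_push_gpgsign) && !git_user_signingkey) { core.warning('git_commit_gpgsign, git_tag_gpgsign and git_push_gpgsign have no effect unless git_user_signingkey is enabled'); }`, or `core.setFailed` if you treat it as a misconfiguration. Separately, `/true/i.test(...)` accepts any value that merely contains "true" (e.g. `untrue`), so a strict `core.getInput('git_user_signingkey').toLowerCase() === 'true'` would be less surprising for all four inputs. run() continues outside both hunks.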
@@ -53,18 +56,31 @@ async function run(): Promise {
 });
 }
- if (git_gpgsign) {
- core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
+ if (git_user_signingkey) {
+ core.info('🔐 Setting GPG signing keyID for this Git repository');
+ await git.setConfig('user.signingkey', privateKey.keyID);
+
+ if (git_committer_email != privateKey.email) {
 core.setFailed('Committer email does not match GPG key user address');
 return;
 }
+
+ core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
 await git.setConfig('user.name', git_committer_name);
 await git.setConfig('user.email', git_committer_email);
- core.info('💎 Enable signing for this Git repository');
- await git.setConfig('commit.gpgsign', 'true');
- await git.setConfig('user.signingkey', privateKey.keyID);
+ if (git_commit_gpgsign) {
+ core.info('💎 Sign all commits automatically');
+ await git.setConfig('commit.gpgsign', 'true');
+ }
+ if (git_tag_gpgsign) {
+ core.info('💎 Sign all tags automatically');
+ await git.setConfig('tag.gpgsign', 'true');
+ }
+ if (git_push_gpgsign) {
+ core.info('💎 Sign all pushes automatically');
+ await git.setConfig('push.gpgsign', 'true');
+ }
 }
 } catch (error) {
 core.setFailed(error.message);
@@ -72,13 +88,13 @@ async function run(): Promise {
 }
 async function cleanup(): Promise {
- if (!process.env.SIGNING_KEY) {
- core.debug('Signing key is not defined. Skipping cleanup.');
+ if (!process.env.GPG_PRIVATE_KEY) {
+ core.debug('GPG private key is not defined. Skipping cleanup.');
 return;
 }
 try {
 core.info('🚿 Removing keys');
- const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
+ const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
 await gpg.deleteKey(privateKey.fingerprint);
 core.info('💀 Killing GnuPG agent');
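Review bot: `user.signingkey` is now written into the repository config before the committer-email check, so when the email does not match the step fails but leaves `user.signingkey` persisted and pointing at the imported key (the removed lines only set it after the check, together with `commit.gpgsign`). Move `await git.setConfig('user.signingkey', privateKey.keyID);` below the `if (git_committer_email != privateKey.email)` block, next to the `user.name`/`user.email` writes, so nothing is persisted on the failure path. While here, `!=` should be `!==` for a string comparison. run() continues outside the hunk (the catch block), and cleanup() in the following hunk is also cut off.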
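Review bot: cleanup() deletes the imported key and kills the agent but, from what is visible in this hunk, never reverts the repository config that run() wrote (`user.signingkey`, plus `commit.gpgsign`/`tag.gpgsign`/`push.gpgsign` when enabled); on a runner where the checkout outlives the job, the repository presumably keeps `commit.gpgsign=true` with a signing key that no longer exists, so later commits there would fail to sign. If the config is meant to stay, say so in a comment above the `🚿 Removing keys` line and in the README; otherwise unset those keys here before deleting the key, mirroring the `git.setConfig` calls in run(). cleanup() continues outside the hunk.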