actions/gpg
1
0
Fork 0
mirror of https://github.com/crazy-max/ghaction-import-gpg.git synced 2024-11-26 06:51:07 -05:00
Code Issues Projects Releases Packages Wiki Activity

Add git_tag_gpgsign and git_push_gpgsign inputs

Browse source 
Some inputs and secrets have been renamed
This commit is contained in:
CrazyMax 2020-05-06 01:15:33 +02:00
parent a71299c503
commit e097cc9691
No known key found for this signature in database
GPG key ID: 3248E46B6BB8C7F7
4 changed files with 86 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.github/workflows/ci.yml vendored
View file

@ -34,12 +34,15 @@ jobs:
run: | run: |
env|sort env|sort
- -
name: Import GPG key name: Import GPG private key
uses: ./ uses: ./
with: with:
git_gpgsign: true git_user_gpgsign: true
git_commit_gpgsign: true
git_tag_gpgsign: true
git_push_gpgsign: true
git_committer_name: Joe Tester git_committer_name: Joe Tester
git_committer_email: joe@foo.bar git_committer_email: joe@foo.bar
env: env:
SIGNING_KEY: ${{ secrets.SIGNING_KEY_TEST }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }} PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }}

26
README.md
View file

@ -28,7 +28,7 @@ On your local machine, export the GPG private key as an ASCII armored version:
gpg --armor --export-secret-key --output key.pgp joe@foo.bar gpg --armor --export-secret-key --output key.pgp joe@foo.bar
``` ```
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `SIGNING_KEY` for example. Create another secret with your `PASSPHRASE` if applicable. Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `GPG_PRIVATE_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
```yaml ```yaml
name: import-gpg name: import-gpg
@ -48,10 +48,19 @@ jobs:
name: Import GPG key name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v1 uses: crazy-max/ghaction-import-gpg@v1
with: with:
git_gpgsign: true git_user_signingkey: true
git_commit_gpgsign: true
git_tag_gpgsign: true
env: env:
SIGNING_KEY: ${{ secrets.SIGNING_KEY }} GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.PASSPHRASE }} PASSPHRASE: ${{ secrets.PASSPHRASE }}
-
name: Sign commit and push changes
run: |
echo foo > bar.txt
git add .
git commit -S -m "This commit is signed!"
git push
``` ```
## Customizing ## Customizing
@ -62,7 +71,10 @@ Following inputs can be used as `step.with` keys
| Name | Type | Description | | Name | Type | Description |
|------------------------|---------|----------------------------------------------------------| |------------------------|---------|----------------------------------------------------------|
| `git_gpgsign` | Bool | Enable signing for this Git repository (default `false`) | | `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
| `git_commit_gpgsign` | Bool | Sign all commits automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
| `git_tag_gpgsign` | Bool | Sign all tags automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
| `git_push_gpgsign` | Bool | Sign all pushes automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
| `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) | | `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) |
| `git_committer_email` | String | Commit author's email (default `<committer_name>@users.noreply.github.com`) | | `git_committer_email` | String | Commit author's email (default `<committer_name>@users.noreply.github.com`) |
@ -71,9 +83,9 @@ Following inputs can be used as `step.with` keys
Following environment variables can be used as `step.env` keys Following environment variables can be used as `step.env` keys
| Name | Description | | Name | Description |
|----------------|---------------------------------------| |--------------------|---------------------------------------|
| `SIGNING_KEY` | GPG private key exported as an ASCII armored version | | `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version |
| `PASSPHRASE` | Passphrase of your GPG key if setted for your `SIGNING_KEY` | | `PASSPHRASE` | Passphrase of your `GPG_PRIVATE_KEY` key if setted |
## How can I help? ## How can I help?

42
dist/index.js generated vendored
View file

@ -1019,11 +1019,14 @@ const stateHelper = __importStar(__webpack_require__(153));
function run() { function run() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
try { try {
if (!process.env.SIGNING_KEY) { if (!process.env.GPG_PRIVATE_KEY) {
core.setFailed('Signing key required'); core.setFailed('GPG private key required');
return; return;
} }
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign')); const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions'; const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`; const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`;
core.info('📣 GnuPG info'); core.info('📣 GnuPG info');
@ -1034,15 +1037,15 @@ function run() {
core.info(`Libexecdir : ${dirs.libexecdir}`); core.info(`Libexecdir : ${dirs.libexecdir}`);
core.info(`Datadir : ${dirs.datadir}`); core.info(`Datadir : ${dirs.datadir}`);
core.info(`Homedir : ${dirs.homedir}`); core.info(`Homedir : ${dirs.homedir}`);
core.info('🔮 Checking signing key'); core.info('🔮 Checking GPG private key');
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY); const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
core.debug(`Fingerprint : ${privateKey.fingerprint}`); core.debug(`Fingerprint : ${privateKey.fingerprint}`);
core.debug(`KeyID : ${privateKey.keyID}`); core.debug(`KeyID : ${privateKey.keyID}`);
core.debug(`Name : ${privateKey.name}`); core.debug(`Name : ${privateKey.name}`);
core.debug(`Email : ${privateKey.email}`); core.debug(`Email : ${privateKey.email}`);
core.debug(`CreationTime : ${privateKey.creationTime}`); core.debug(`CreationTime : ${privateKey.creationTime}`);
core.info('🔑 Importing secret key'); core.info('🔑 Importing GPG private key');
yield gpg.importKey(process.env.SIGNING_KEY).then(stdout => { yield gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
core.debug(stdout); core.debug(stdout);
}); });
if (process.env.PASSPHRASE) { if (process.env.PASSPHRASE) {
@ -1056,17 +1059,28 @@ function run() {
core.debug(stdout); core.debug(stdout);
}); });
} }
if (git_gpgsign) { if (git_user_signingkey) {
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`); core.info('🔐 Setting GPG signing keyID for this Git repository');
yield git.setConfig('user.signingkey', privateKey.keyID);
if (git_committer_email != privateKey.email) { if (git_committer_email != privateKey.email) {
core.setFailed('Committer email does not match GPG key user address'); core.setFailed('Committer email does not match GPG key user address');
return; return;
} }
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
yield git.setConfig('user.name', git_committer_name); yield git.setConfig('user.name', git_committer_name);
yield git.setConfig('user.email', git_committer_email); yield git.setConfig('user.email', git_committer_email);
core.info('💎 Enable signing for this Git repository'); if (git_commit_gpgsign) {
core.info('💎 Sign all commits automatically');
yield git.setConfig('commit.gpgsign', 'true'); yield git.setConfig('commit.gpgsign', 'true');
yield git.setConfig('user.signingkey', privateKey.keyID); }
if (git_tag_gpgsign) {
core.info('💎 Sign all tags automatically');
yield git.setConfig('tag.gpgsign', 'true');
}
if (git_push_gpgsign) {
core.info('💎 Sign all pushes automatically');
yield git.setConfig('push.gpgsign', 'true');
}
} }
} }
catch (error) { catch (error) {
@ -1076,13 +1090,13 @@ function run() {
} }
function cleanup() { function cleanup() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
if (!process.env.SIGNING_KEY) { if (!process.env.GPG_PRIVATE_KEY) {
core.debug('Signing key is not defined. Skipping cleanup.'); core.debug('GPG private key is not defined. Skipping cleanup.');
return; return;
} }
try { try {
core.info('🚿 Removing keys'); core.info('🚿 Removing keys');
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY); const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
yield gpg.deleteKey(privateKey.fingerprint); yield gpg.deleteKey(privateKey.fingerprint);
core.info('💀 Killing GnuPG agent'); core.info('💀 Killing GnuPG agent');
yield gpg.killAgent(); yield gpg.killAgent();

44
src/main.ts
View file

@ -6,12 +6,15 @@ import * as stateHelper from './state-helper';
async function run(): Promise<void> { async function run(): Promise<void> {
try { try {
if (!process.env.SIGNING_KEY) { if (!process.env.GPG_PRIVATE_KEY) {
core.setFailed('Signing key required'); core.setFailed('GPG private key required');
return; return;
} }
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign')); const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
const git_committer_name: string = const git_committer_name: string =
core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions'; core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
const git_committer_email: string = const git_committer_email: string =
@ -26,16 +29,16 @@ async function run(): Promise<void> {
core.info(`Datadir : ${dirs.datadir}`); core.info(`Datadir : ${dirs.datadir}`);
core.info(`Homedir : ${dirs.homedir}`); core.info(`Homedir : ${dirs.homedir}`);
core.info('🔮 Checking signing key'); core.info('🔮 Checking GPG private key');
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY); const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
core.debug(`Fingerprint : ${privateKey.fingerprint}`); core.debug(`Fingerprint : ${privateKey.fingerprint}`);
core.debug(`KeyID : ${privateKey.keyID}`); core.debug(`KeyID : ${privateKey.keyID}`);
core.debug(`Name : ${privateKey.name}`); core.debug(`Name : ${privateKey.name}`);
core.debug(`Email : ${privateKey.email}`); core.debug(`Email : ${privateKey.email}`);
core.debug(`CreationTime : ${privateKey.creationTime}`); core.debug(`CreationTime : ${privateKey.creationTime}`);
core.info('🔑 Importing secret key'); core.info('🔑 Importing GPG private key');
await gpg.importKey(process.env.SIGNING_KEY).then(stdout => { await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
core.debug(stdout); core.debug(stdout);
}); });
@ -53,18 +56,31 @@ async function run(): Promise<void> {
}); });
} }
if (git_gpgsign) { if (git_user_signingkey) {
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`); core.info('🔐 Setting GPG signing keyID for this Git repository');
await git.setConfig('user.signingkey', privateKey.keyID);
if (git_committer_email != privateKey.email) { if (git_committer_email != privateKey.email) {
core.setFailed('Committer email does not match GPG key user address'); core.setFailed('Committer email does not match GPG key user address');
return; return;
} }
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
await git.setConfig('user.name', git_committer_name); await git.setConfig('user.name', git_committer_name);
await git.setConfig('user.email', git_committer_email); await git.setConfig('user.email', git_committer_email);
core.info('💎 Enable signing for this Git repository'); if (git_commit_gpgsign) {
core.info('💎 Sign all commits automatically');
await git.setConfig('commit.gpgsign', 'true'); await git.setConfig('commit.gpgsign', 'true');
await git.setConfig('user.signingkey', privateKey.keyID); }
if (git_tag_gpgsign) {
core.info('💎 Sign all tags automatically');
await git.setConfig('tag.gpgsign', 'true');
}
if (git_push_gpgsign) {
core.info('💎 Sign all pushes automatically');
await git.setConfig('push.gpgsign', 'true');
}
} }
} catch (error) { } catch (error) {
core.setFailed(error.message); core.setFailed(error.message);
@ -72,13 +88,13 @@ async function run(): Promise<void> {
} }
async function cleanup(): Promise<void> { async function cleanup(): Promise<void> {
if (!process.env.SIGNING_KEY) { if (!process.env.GPG_PRIVATE_KEY) {
core.debug('Signing key is not defined. Skipping cleanup.'); core.debug('GPG private key is not defined. Skipping cleanup.');
return; return;
} }
try { try {
core.info('🚿 Removing keys'); core.info('🚿 Removing keys');
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY); const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
await gpg.deleteKey(privateKey.fingerprint); await gpg.deleteKey(privateKey.fingerprint);
core.info('💀 Killing GnuPG agent'); core.info('💀 Killing GnuPG agent');