mirror of
https://github.com/crazy-max/ghaction-import-gpg.git
synced 2024-11-29 08:21:06 -05:00
Add git_tag_gpgsign and git_push_gpgsign inputs
Some inputs and secrets have been renamed
This commit is contained in:
parent
a71299c503
commit
e097cc9691
4 changed files with 86 additions and 41 deletions
9
.github/workflows/ci.yml
vendored
9
.github/workflows/ci.yml
vendored
|
@ -34,12 +34,15 @@ jobs:
|
||||||
run: |
|
run: |
|
||||||
env|sort
|
env|sort
|
||||||
-
|
-
|
||||||
name: Import GPG key
|
name: Import GPG private key
|
||||||
uses: ./
|
uses: ./
|
||||||
with:
|
with:
|
||||||
git_gpgsign: true
|
git_user_gpgsign: true
|
||||||
|
git_commit_gpgsign: true
|
||||||
|
git_tag_gpgsign: true
|
||||||
|
git_push_gpgsign: true
|
||||||
git_committer_name: Joe Tester
|
git_committer_name: Joe Tester
|
||||||
git_committer_email: joe@foo.bar
|
git_committer_email: joe@foo.bar
|
||||||
env:
|
env:
|
||||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY_TEST }}
|
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
|
||||||
PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }}
|
PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }}
|
||||||
|
|
28
README.md
28
README.md
|
@ -28,7 +28,7 @@ On your local machine, export the GPG private key as an ASCII armored version:
|
||||||
gpg --armor --export-secret-key --output key.pgp joe@foo.bar
|
gpg --armor --export-secret-key --output key.pgp joe@foo.bar
|
||||||
```
|
```
|
||||||
|
|
||||||
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `SIGNING_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
|
Copy the content of `key.pgp` file as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets) named `GPG_PRIVATE_KEY` for example. Create another secret with your `PASSPHRASE` if applicable.
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
name: import-gpg
|
name: import-gpg
|
||||||
|
@ -48,10 +48,19 @@ jobs:
|
||||||
name: Import GPG key
|
name: Import GPG key
|
||||||
uses: crazy-max/ghaction-import-gpg@v1
|
uses: crazy-max/ghaction-import-gpg@v1
|
||||||
with:
|
with:
|
||||||
git_gpgsign: true
|
git_user_signingkey: true
|
||||||
|
git_commit_gpgsign: true
|
||||||
|
git_tag_gpgsign: true
|
||||||
env:
|
env:
|
||||||
SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
|
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||||
PASSPHRASE: ${{ secrets.PASSPHRASE }}
|
PASSPHRASE: ${{ secrets.PASSPHRASE }}
|
||||||
|
-
|
||||||
|
name: Sign commit and push changes
|
||||||
|
run: |
|
||||||
|
echo foo > bar.txt
|
||||||
|
git add .
|
||||||
|
git commit -S -m "This commit is signed!"
|
||||||
|
git push
|
||||||
```
|
```
|
||||||
|
|
||||||
## Customizing
|
## Customizing
|
||||||
|
@ -62,7 +71,10 @@ Following inputs can be used as `step.with` keys
|
||||||
|
|
||||||
| Name | Type | Description |
|
| Name | Type | Description |
|
||||||
|------------------------|---------|----------------------------------------------------------|
|
|------------------------|---------|----------------------------------------------------------|
|
||||||
| `git_gpgsign` | Bool | Enable signing for this Git repository (default `false`) |
|
| `git_user_signingkey` | Bool | Set GPG signing keyID for this Git repository (default `false`) |
|
||||||
|
| `git_commit_gpgsign` | Bool | Sign all commits automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
|
||||||
|
| `git_tag_gpgsign` | Bool | Sign all tags automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
|
||||||
|
| `git_push_gpgsign` | Bool | Sign all pushes automatically. `git_user_signingkey` needs to be enabled. (default `false`) |
|
||||||
| `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) |
|
| `git_committer_name` | String | Commit author's name (default [GITHUB_ACTOR](https://help.github.com/en/github/automating-your-workflow-with-github-actions/using-environment-variables#default-environment-variables) or `github-actions`) |
|
||||||
| `git_committer_email` | String | Commit author's email (default `<committer_name>@users.noreply.github.com`) |
|
| `git_committer_email` | String | Commit author's email (default `<committer_name>@users.noreply.github.com`) |
|
||||||
|
|
||||||
|
@ -70,10 +82,10 @@ Following inputs can be used as `step.with` keys
|
||||||
|
|
||||||
Following environment variables can be used as `step.env` keys
|
Following environment variables can be used as `step.env` keys
|
||||||
|
|
||||||
| Name | Description |
|
| Name | Description |
|
||||||
|----------------|---------------------------------------|
|
|--------------------|---------------------------------------|
|
||||||
| `SIGNING_KEY` | GPG private key exported as an ASCII armored version |
|
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version |
|
||||||
| `PASSPHRASE` | Passphrase of your GPG key if setted for your `SIGNING_KEY` |
|
| `PASSPHRASE` | Passphrase of your `GPG_PRIVATE_KEY` key if setted |
|
||||||
|
|
||||||
## How can I help?
|
## How can I help?
|
||||||
|
|
||||||
|
|
44
dist/index.js
generated
vendored
44
dist/index.js
generated
vendored
|
@ -1019,11 +1019,14 @@ const stateHelper = __importStar(__webpack_require__(153));
|
||||||
function run() {
|
function run() {
|
||||||
return __awaiter(this, void 0, void 0, function* () {
|
return __awaiter(this, void 0, void 0, function* () {
|
||||||
try {
|
try {
|
||||||
if (!process.env.SIGNING_KEY) {
|
if (!process.env.GPG_PRIVATE_KEY) {
|
||||||
core.setFailed('Signing key required');
|
core.setFailed('GPG private key required');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
|
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
|
||||||
|
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
|
||||||
|
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
|
||||||
|
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
|
||||||
const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
|
const git_committer_name = core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
|
||||||
const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`;
|
const git_committer_email = core.getInput('git_committer_email') || `${git_committer_name}@users.noreply.github.com`;
|
||||||
core.info('📣 GnuPG info');
|
core.info('📣 GnuPG info');
|
||||||
|
@ -1034,15 +1037,15 @@ function run() {
|
||||||
core.info(`Libexecdir : ${dirs.libexecdir}`);
|
core.info(`Libexecdir : ${dirs.libexecdir}`);
|
||||||
core.info(`Datadir : ${dirs.datadir}`);
|
core.info(`Datadir : ${dirs.datadir}`);
|
||||||
core.info(`Homedir : ${dirs.homedir}`);
|
core.info(`Homedir : ${dirs.homedir}`);
|
||||||
core.info('🔮 Checking signing key');
|
core.info('🔮 Checking GPG private key');
|
||||||
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||||
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
||||||
core.debug(`KeyID : ${privateKey.keyID}`);
|
core.debug(`KeyID : ${privateKey.keyID}`);
|
||||||
core.debug(`Name : ${privateKey.name}`);
|
core.debug(`Name : ${privateKey.name}`);
|
||||||
core.debug(`Email : ${privateKey.email}`);
|
core.debug(`Email : ${privateKey.email}`);
|
||||||
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
||||||
core.info('🔑 Importing secret key');
|
core.info('🔑 Importing GPG private key');
|
||||||
yield gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
|
yield gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
|
||||||
core.debug(stdout);
|
core.debug(stdout);
|
||||||
});
|
});
|
||||||
if (process.env.PASSPHRASE) {
|
if (process.env.PASSPHRASE) {
|
||||||
|
@ -1056,17 +1059,28 @@ function run() {
|
||||||
core.debug(stdout);
|
core.debug(stdout);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
if (git_gpgsign) {
|
if (git_user_signingkey) {
|
||||||
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
core.info('🔐 Setting GPG signing keyID for this Git repository');
|
||||||
|
yield git.setConfig('user.signingkey', privateKey.keyID);
|
||||||
if (git_committer_email != privateKey.email) {
|
if (git_committer_email != privateKey.email) {
|
||||||
core.setFailed('Committer email does not match GPG key user address');
|
core.setFailed('Committer email does not match GPG key user address');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
||||||
yield git.setConfig('user.name', git_committer_name);
|
yield git.setConfig('user.name', git_committer_name);
|
||||||
yield git.setConfig('user.email', git_committer_email);
|
yield git.setConfig('user.email', git_committer_email);
|
||||||
core.info('💎 Enable signing for this Git repository');
|
if (git_commit_gpgsign) {
|
||||||
yield git.setConfig('commit.gpgsign', 'true');
|
core.info('💎 Sign all commits automatically');
|
||||||
yield git.setConfig('user.signingkey', privateKey.keyID);
|
yield git.setConfig('commit.gpgsign', 'true');
|
||||||
|
}
|
||||||
|
if (git_tag_gpgsign) {
|
||||||
|
core.info('💎 Sign all tags automatically');
|
||||||
|
yield git.setConfig('tag.gpgsign', 'true');
|
||||||
|
}
|
||||||
|
if (git_push_gpgsign) {
|
||||||
|
core.info('💎 Sign all pushes automatically');
|
||||||
|
yield git.setConfig('push.gpgsign', 'true');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch (error) {
|
catch (error) {
|
||||||
|
@ -1076,13 +1090,13 @@ function run() {
|
||||||
}
|
}
|
||||||
function cleanup() {
|
function cleanup() {
|
||||||
return __awaiter(this, void 0, void 0, function* () {
|
return __awaiter(this, void 0, void 0, function* () {
|
||||||
if (!process.env.SIGNING_KEY) {
|
if (!process.env.GPG_PRIVATE_KEY) {
|
||||||
core.debug('Signing key is not defined. Skipping cleanup.');
|
core.debug('GPG private key is not defined. Skipping cleanup.');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
core.info('🚿 Removing keys');
|
core.info('🚿 Removing keys');
|
||||||
const privateKey = yield openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
const privateKey = yield openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||||
yield gpg.deleteKey(privateKey.fingerprint);
|
yield gpg.deleteKey(privateKey.fingerprint);
|
||||||
core.info('💀 Killing GnuPG agent');
|
core.info('💀 Killing GnuPG agent');
|
||||||
yield gpg.killAgent();
|
yield gpg.killAgent();
|
||||||
|
|
46
src/main.ts
46
src/main.ts
|
@ -6,12 +6,15 @@ import * as stateHelper from './state-helper';
|
||||||
|
|
||||||
async function run(): Promise<void> {
|
async function run(): Promise<void> {
|
||||||
try {
|
try {
|
||||||
if (!process.env.SIGNING_KEY) {
|
if (!process.env.GPG_PRIVATE_KEY) {
|
||||||
core.setFailed('Signing key required');
|
core.setFailed('GPG private key required');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const git_gpgsign = /true/i.test(core.getInput('git_gpgsign'));
|
const git_commit_gpgsign = /true/i.test(core.getInput('git_commit_gpgsign'));
|
||||||
|
const git_tag_gpgsign = /true/i.test(core.getInput('git_tag_gpgsign'));
|
||||||
|
const git_push_gpgsign = /true/i.test(core.getInput('git_push_gpgsign'));
|
||||||
|
const git_user_signingkey = /true/i.test(core.getInput('git_user_signingkey'));
|
||||||
const git_committer_name: string =
|
const git_committer_name: string =
|
||||||
core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
|
core.getInput('git_committer_name') || process.env['GITHUB_ACTOR'] || 'github-actions';
|
||||||
const git_committer_email: string =
|
const git_committer_email: string =
|
||||||
|
@ -26,16 +29,16 @@ async function run(): Promise<void> {
|
||||||
core.info(`Datadir : ${dirs.datadir}`);
|
core.info(`Datadir : ${dirs.datadir}`);
|
||||||
core.info(`Homedir : ${dirs.homedir}`);
|
core.info(`Homedir : ${dirs.homedir}`);
|
||||||
|
|
||||||
core.info('🔮 Checking signing key');
|
core.info('🔮 Checking GPG private key');
|
||||||
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||||
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
core.debug(`Fingerprint : ${privateKey.fingerprint}`);
|
||||||
core.debug(`KeyID : ${privateKey.keyID}`);
|
core.debug(`KeyID : ${privateKey.keyID}`);
|
||||||
core.debug(`Name : ${privateKey.name}`);
|
core.debug(`Name : ${privateKey.name}`);
|
||||||
core.debug(`Email : ${privateKey.email}`);
|
core.debug(`Email : ${privateKey.email}`);
|
||||||
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
core.debug(`CreationTime : ${privateKey.creationTime}`);
|
||||||
|
|
||||||
core.info('🔑 Importing secret key');
|
core.info('🔑 Importing GPG private key');
|
||||||
await gpg.importKey(process.env.SIGNING_KEY).then(stdout => {
|
await gpg.importKey(process.env.GPG_PRIVATE_KEY).then(stdout => {
|
||||||
core.debug(stdout);
|
core.debug(stdout);
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -53,18 +56,31 @@ async function run(): Promise<void> {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (git_gpgsign) {
|
if (git_user_signingkey) {
|
||||||
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
core.info('🔐 Setting GPG signing keyID for this Git repository');
|
||||||
|
await git.setConfig('user.signingkey', privateKey.keyID);
|
||||||
|
|
||||||
if (git_committer_email != privateKey.email) {
|
if (git_committer_email != privateKey.email) {
|
||||||
core.setFailed('Committer email does not match GPG key user address');
|
core.setFailed('Committer email does not match GPG key user address');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
core.info(`🔨 Configuring Git committer (${git_committer_name} <${git_committer_email}>)`);
|
||||||
await git.setConfig('user.name', git_committer_name);
|
await git.setConfig('user.name', git_committer_name);
|
||||||
await git.setConfig('user.email', git_committer_email);
|
await git.setConfig('user.email', git_committer_email);
|
||||||
|
|
||||||
core.info('💎 Enable signing for this Git repository');
|
if (git_commit_gpgsign) {
|
||||||
await git.setConfig('commit.gpgsign', 'true');
|
core.info('💎 Sign all commits automatically');
|
||||||
await git.setConfig('user.signingkey', privateKey.keyID);
|
await git.setConfig('commit.gpgsign', 'true');
|
||||||
|
}
|
||||||
|
if (git_tag_gpgsign) {
|
||||||
|
core.info('💎 Sign all tags automatically');
|
||||||
|
await git.setConfig('tag.gpgsign', 'true');
|
||||||
|
}
|
||||||
|
if (git_push_gpgsign) {
|
||||||
|
core.info('💎 Sign all pushes automatically');
|
||||||
|
await git.setConfig('push.gpgsign', 'true');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
core.setFailed(error.message);
|
core.setFailed(error.message);
|
||||||
|
@ -72,13 +88,13 @@ async function run(): Promise<void> {
|
||||||
}
|
}
|
||||||
|
|
||||||
async function cleanup(): Promise<void> {
|
async function cleanup(): Promise<void> {
|
||||||
if (!process.env.SIGNING_KEY) {
|
if (!process.env.GPG_PRIVATE_KEY) {
|
||||||
core.debug('Signing key is not defined. Skipping cleanup.');
|
core.debug('GPG private key is not defined. Skipping cleanup.');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
core.info('🚿 Removing keys');
|
core.info('🚿 Removing keys');
|
||||||
const privateKey = await openpgp.readPrivateKey(process.env.SIGNING_KEY);
|
const privateKey = await openpgp.readPrivateKey(process.env.GPG_PRIVATE_KEY);
|
||||||
await gpg.deleteKey(privateKey.fingerprint);
|
await gpg.deleteKey(privateKey.fingerprint);
|
||||||
|
|
||||||
core.info('💀 Killing GnuPG agent');
|
core.info('💀 Killing GnuPG agent');
|
||||||
|
|
Loading…
Reference in a new issue