9.3 KiB
About
GitHub Action to easily import a GPG key.
Features
- Works on Linux, macOS and Windows virtual environments
- Allow seeding the internal cache of
gpg-agent
with provided passphrase - Signing-only subkeys support
- Purge imported GPG key, cache information and kill agent from runner
- (Git) Enable signing for Git commits, tags and pushes
- (Git) Configure and check committer info against GPG key
Prerequisites
First, generate a GPG key and export the GPG private key as an ASCII armored version to your clipboard:
# macOS
gpg --armor --export-secret-key joe@foo.bar | pbcopy
# Ubuntu (assuming GNU base64)
gpg --armor --export-secret-key joe@foo.bar -w0 | xclip
# Arch
gpg --armor --export-secret-key joe@foo.bar | xclip -selection clipboard -i
# FreeBSD (assuming BSD base64)
gpg --armor --export-secret-key joe@foo.bar | xclip
Paste your clipboard as a secret
named GPG_PRIVATE_KEY
for example. Create another secret with the
PASSPHRASE
if applicable.
Usage
Workflow
name: import-gpg
on:
push:
branches: master
jobs:
import-gpg:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
-
name: List keys
run: gpg -K
Sign commits
name: import-gpg
on:
push:
branches: master
jobs:
sign-commit:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
-
name: Sign commit and push changes
run: |
echo foo > bar.txt
git add .
git commit -S -m "This commit is signed!"
git push
Use a subkey
With the input fingerprint
, you can specify which one of the subkeys in a GPG
key you want to use for signing.
name: import-gpg
on:
push:
branches: master
jobs:
import-gpg:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
fingerprint: "C17D11ADF199F12A30A0910F1F80449BE0B08CB8"
-
name: List keys
run: gpg -K
For example, given this GPG key with a signing subkey:
pub ed25519 2021-09-24 [C]
87F257B89CE462100BEC0FFE6071D218380FDCC8
Keygrip = F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092
uid [ unknown] Joe Bar <joe@bar.foo>
sub ed25519 2021-09-24 [S]
C17D11ADF199F12A30A0910F1F80449BE0B08CB8
Keygrip = DEE0FC98F441519CA5DE5D79773CB29009695FEB
You can use the subkey with signing capability whose fingerprint is C17D11ADF199F12A30A0910F1F80449BE0B08CB8
.
Set key's trust level
With the trust_level
input, you can specify the trust level of the GPG key.
Valid values are:
1
: unknown2
: never3
: marginal4
: full5
: ultimate
name: import-gpg
on:
push:
branches: master
jobs:
import-gpg:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
trust_level: 5
Customizing
inputs
The following inputs can be used as step.with
keys
Name | Type | Description |
---|---|---|
gpg_private_key |
String | GPG private key exported as an ASCII armored version or its base64 encoding (required) |
passphrase |
String | Passphrase of the GPG private key |
trust_level |
String | Set key's trust level |
git_config_global |
Bool | Set Git config global (default false ) |
git_user_signingkey |
Bool | Set GPG signing keyID for this Git repository (default false ) |
git_commit_gpgsign |
Bool | Sign all commits automatically. (default false ) |
git_tag_gpgsign |
Bool | Sign all tags automatically. (default false ) |
git_push_gpgsign |
String | Sign all pushes automatically. (default if-asked ) |
git_committer_name |
String | Set commit author's name (defaults to the name associated with the GPG key) |
git_committer_email |
String | Set commit author's email (defaults to the email address associated with the GPG key) |
workdir |
String | Working directory (below repository root) (default . ) |
fingerprint |
String | Specific fingerprint to use (subkey) |
Note
git_user_signingkey
needs to be enabled forgit_commit_gpgsign
,git_tag_gpgsign
,git_push_gpgsign
,git_committer_name
,git_committer_email
inputs.
outputs
Following outputs are available
Name | Type | Description |
---|---|---|
fingerprint |
String | Fingerprint of the GPG key (recommended as user ID) |
keyid |
String | Low 64 bits of the X.509 certificate SHA-1 fingerprint |
name |
String | Name associated with the GPG key |
email |
String | Email address associated with the GPG key |
Notes
Make sure to add the corresponding public key to your GitHub account. This is easy to forget, since unlike SSH keys, where you only need to upload 1 thing to GitHub, in this case, you need to upload both the public and private keys to enable this workflow.
Contributing
Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!
Thanks again for your support, it is much appreciated! 🙏
License
MIT. See LICENSE
for more details.