Action to import a GPG key with environment secrets
Find a file
2022-02-12 18:54:11 +01:00
.github Cleanup (#117) 2021-11-19 12:54:41 +01:00
__tests__ Handle signing-only subkeys (#112) 2021-10-15 13:40:04 +02:00
dist Cleanup (#117) 2021-11-19 12:54:41 +01:00
hack Enhance workflow (#77) 2021-03-30 20:00:40 +02:00
src Cleanup (#117) 2021-11-19 12:54:41 +01:00
.dockerignore Enhance workflow (#77) 2021-03-30 20:00:40 +02:00
.editorconfig Initial commit 2020-05-03 20:46:05 +02:00
.gitattributes Initial commit 2020-05-03 20:46:05 +02:00
.gitignore OpenPGP.js v5 (#78) 2021-09-05 01:00:24 +02:00
.prettierrc.json Codecov 2020-05-06 18:00:13 +02:00
action.yml Handle signing-only subkeys (#112) 2021-10-15 13:40:04 +02:00
CHANGELOG.md Update CHANGELOG 2021-10-15 14:28:09 +02:00
docker-bake.hcl Enhance workflow (#77) 2021-03-30 20:00:40 +02:00
jest.config.js Use built-in getExecOutput (#102) 2021-08-10 09:00:29 +02:00
LICENSE Update LICENSE 2022-02-12 18:54:11 +01:00
package.json Bump openpgp from 5.0.0 to 5.0.1 (#116) 2021-11-19 09:35:40 +01:00
README.md Handle signing-only subkeys (#112) 2021-10-15 13:40:04 +02:00
tsconfig.json Codecov 2020-05-06 18:00:13 +02:00
yarn.lock Bump openpgp from 5.0.0 to 5.0.1 (#116) 2021-11-19 09:35:40 +01:00

GitHub release GitHub marketplace Test workflow Codecov Become a sponsor Paypal Donate

About

GitHub Action to easily import a GPG key.

If you are interested, check out my other :octocat: GitHub Actions!

Import GPG


Features

  • Works on Linux, macOS and Windows virtual environments
  • Allow to seed the internal cache of gpg-agent with provided passphrase
  • Purge imported GPG key, cache information and kill agent from runner
  • (Git) Enable signing for Git commits, tags and pushes
  • (Git) Configure and check committer info against GPG key

Prerequisites

First, generate a GPG key and export the GPG private key as an ASCII armored version to your clipboard:

# macOS
gpg --armor --export-secret-key joe@foo.bar | pbcopy

# Ubuntu (assuming GNU base64)
gpg --armor --export-secret-key joe@foo.bar -w0 | xclip

# Arch
gpg --armor --export-secret-key joe@foo.bar | xclip -selection clipboard -i

# FreeBSD (assuming BSD base64)
gpg --armor --export-secret-key joe@foo.bar | xclip

Paste your clipboard as a secret named GPG_PRIVATE_KEY for example. Create another secret with the PASSPHRASE if applicable.

Usage

Workflow

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v4
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      -
        name: GPG user IDs
        run: |
          echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
          echo "keyid:       ${{ steps.import_gpg.outputs.keyid }}"
          echo "name:        ${{ steps.import_gpg.outputs.name }}"
          echo "email:       ${{ steps.import_gpg.outputs.email }}"          

Sign commits

name: import-gpg

on:
  push:
    branches: master

jobs:
  sign-commit:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v4
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      -
        name: Sign commit and push changes
        run: |
          echo foo > bar.txt
          git add .
          git commit -S -m "This commit is signed!"
          git push          

Customizing

inputs

Following inputs can be used as step.with keys

Name Type Description
gpg_private_key String GPG private key exported as an ASCII armored version or its base64 encoding (required)
passphrase String Passphrase of the GPG private key
git_config_global Bool Set Git config global (default false)
git_user_signingkey Bool Set GPG signing keyID for this Git repository (default false)
git_commit_gpgsign Bool Sign all commits automatically. (default false)
git_tag_gpgsign Bool Sign all tags automatically. (default false)
git_push_gpgsign String Sign all pushes automatically. (default if-asked)
git_committer_name String Set commit author's name (defaults to the name associated with the GPG key)
git_committer_email String Set commit author's email (defaults to the email address associated with the GPG key)
workdir String Working directory (below repository root) (default .)
fingerprint String Specific fingerprint to use (subkey)

git_user_signingkey needs to be enabled for git_commit_gpgsign, git_tag_gpgsign, git_push_gpgsign, git_committer_name, git_committer_email inputs.

outputs

Following outputs are available

Name Type Description
fingerprint String Fingerprint of the GPG key (recommended as user ID)
keyid String Low 64 bits of the X.509 certificate SHA-1 fingerprint
name String Name associated with the GPG key
email String Email address associated with the GPG key

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. If you want to open a pull request, please read the contributing guidelines.

You can also support this project by becoming a sponsor on GitHub or by making a Paypal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.