Action to import a GPG key with environment secrets
Find a file
CrazyMax 01dd5d3ca4
Merge pull request #186 from crazy-max/dependabot/npm_and_yarn/actions/core-1.10.1
build(deps): bump @actions/core from 1.10.0 to 1.10.1
2023-12-26 17:50:28 +01:00
.github build(deps): bump actions/github-script from 6 to 7 2023-11-14 05:50:47 +00:00
.yarn chore: update yarn to 3.6.3 2023-09-10 04:07:44 +02:00
__tests__ gpg: fallback to gpg homedir if HOME not set 2023-09-03 15:31:29 +02:00
dist chore: update generated content 2023-12-26 17:48:21 +01:00
src gpg: fallback to gpg homedir if HOME not set 2023-09-03 15:31:29 +02:00
.dockerignore update yarn to 3.5.1 2023-05-06 17:17:46 +02:00
.editorconfig Initial commit 2020-05-03 20:46:05 +02:00
.eslintignore chore: update dev dependencies 2023-09-10 04:07:44 +02:00
.eslintrc.json chore: update dev dependencies 2023-09-10 04:07:44 +02:00
.gitattributes update yarn to 3.5.1 2023-05-06 17:17:46 +02:00
.gitignore update yarn to 3.5.1 2023-05-06 17:17:46 +02:00
.prettierignore update yarn to 3.5.1 2023-05-06 17:17:46 +02:00
.prettierrc.json Codecov 2020-05-06 18:00:13 +02:00
.yarnrc.yml chore: update yarn to 3.6.3 2023-09-10 04:07:44 +02:00
action.yml chore: node 20 as default runtime 2023-09-10 04:07:44 +02:00
codecov.yml codecov: update config 2023-09-10 04:07:43 +02:00
dev.Dockerfile chore: update dev dependencies 2023-09-10 04:07:44 +02:00
docker-bake.hcl update yarn to 3.5.1 2023-05-06 17:17:46 +02:00
jest.config.ts chore: update dev dependencies 2023-09-10 04:07:44 +02:00
LICENSE new year 2023-02-18 22:46:29 +01:00
package.json build(deps): bump @actions/core from 1.10.0 to 1.10.1 2023-12-26 16:47:42 +00:00
README.md docs: bump actions to latest major 2023-09-10 15:26:34 +02:00
tsconfig.json chore: update dev dependencies 2023-09-10 04:07:44 +02:00
yarn.lock build(deps): bump @actions/core from 1.10.0 to 1.10.1 2023-12-26 16:47:42 +00:00

GitHub release GitHub marketplace Test workflow Codecov Become a sponsor Paypal Donate

About

GitHub Action to easily import a GPG key.

Import GPG


Features

  • Works on Linux, macOS and Windows virtual environments
  • Allow seeding the internal cache of gpg-agent with provided passphrase
  • Signing-only subkeys support
  • Purge imported GPG key, cache information and kill agent from runner
  • (Git) Enable signing for Git commits, tags and pushes
  • (Git) Configure and check committer info against GPG key

Prerequisites

First, generate a GPG key and export the GPG private key as an ASCII armored version to your clipboard:

# macOS
gpg --armor --export-secret-key joe@foo.bar | pbcopy

# Ubuntu (assuming GNU base64)
gpg --armor --export-secret-key joe@foo.bar -w0 | xclip

# Arch
gpg --armor --export-secret-key joe@foo.bar | xclip -selection clipboard -i

# FreeBSD (assuming BSD base64)
gpg --armor --export-secret-key joe@foo.bar | xclip

Paste your clipboard as a secret named GPG_PRIVATE_KEY for example. Create another secret with the PASSPHRASE if applicable.

Usage

Workflow

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      -
        name: List keys
        run: gpg -K

Sign commits

name: import-gpg

on:
  push:
    branches: master

jobs:
  sign-commit:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      -
        name: Sign commit and push changes
        run: |
          echo foo > bar.txt
          git add .
          git commit -S -m "This commit is signed!"
          git push          

Use a subkey

With the input fingerprint, you can specify which one of the subkeys in a GPG key you want to use for signing.

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: "C17D11ADF199F12A30A0910F1F80449BE0B08CB8"
      -
        name: List keys
        run: gpg -K

For example, given this GPG key with a signing subkey:

pub   ed25519 2021-09-24 [C]
      87F257B89CE462100BEC0FFE6071D218380FDCC8
      Keygrip = F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092
uid           [ unknown] Joe Bar <joe@bar.foo>
sub   ed25519 2021-09-24 [S]
      C17D11ADF199F12A30A0910F1F80449BE0B08CB8
      Keygrip = DEE0FC98F441519CA5DE5D79773CB29009695FEB

You can use the subkey with signing capability whose fingerprint is C17D11ADF199F12A30A0910F1F80449BE0B08CB8.

Set key's trust level

With the trust_level input, you can specify the trust level of the GPG key.

Valid values are:

  • 1: unknown
  • 2: never
  • 3: marginal
  • 4: full
  • 5: ultimate
name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          trust_level: 5

Customizing

inputs

The following inputs can be used as step.with keys

Name Type Description
gpg_private_key String GPG private key exported as an ASCII armored version or its base64 encoding (required)
passphrase String Passphrase of the GPG private key
trust_level String Set key's trust level
git_config_global Bool Set Git config global (default false)
git_user_signingkey Bool Set GPG signing keyID for this Git repository (default false)
git_commit_gpgsign Bool Sign all commits automatically. (default false)
git_tag_gpgsign Bool Sign all tags automatically. (default false)
git_push_gpgsign String Sign all pushes automatically. (default if-asked)
git_committer_name String Set commit author's name (defaults to the name associated with the GPG key)
git_committer_email String Set commit author's email (defaults to the email address associated with the GPG key)
workdir String Working directory (below repository root) (default .)
fingerprint String Specific fingerprint to use (subkey)

Note

git_user_signingkey needs to be enabled for git_commit_gpgsign, git_tag_gpgsign, git_push_gpgsign, git_committer_name, git_committer_email inputs.

outputs

Following outputs are available

Name Type Description
fingerprint String Fingerprint of the GPG key (recommended as user ID)
keyid String Low 64 bits of the X.509 certificate SHA-1 fingerprint
name String Name associated with the GPG key
email String Email address associated with the GPG key

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.