add signing commits to workflows and actions

Cardinal-Cryptography · Nov 27, 2024 · 03e8acb · 03e8acb
1 parent 91f3409
commit 03e8acb
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 0 deletions.
diff --git a/.github/workflows/_branchpreview-create.yml b/.github/workflows/_branchpreview-create.yml
@@ -63,6 +63,8 @@ jobs:
           argo-sync-user-token: ${{ secrets.ARGO_SYNC_USER_TOKEN }}
           git-commit-author: ${{ secrets.AUTOCOMMIT_AUTHOR }}
           git-commit-email: ${{ secrets.AUTOCOMMIT_EMAIL }}
+          git-commit-gpg-key-b64: ${{ secrets.AUTOCOMMIT_GPG_KEY_B64 }}
+          git-commit-gpg-key-fingerprint: ${{ secrets.AUTOCOMMIT_GPG_KEY_FINGERPRINT }}
           hard-refresh: 'true'
           post-frontend-url: '${{ inputs.post-frontend-url }}'
           pull-request-number: '${{ inputs.pull-request-number }}'
diff --git a/.github/workflows/_branchpreview-delete.yml b/.github/workflows/_branchpreview-delete.yml
@@ -36,3 +36,5 @@ jobs:
           argo-sync-user-token: ${{ secrets.ARGO_SYNC_USER_TOKEN }}
           git-commit-author: ${{ secrets.AUTOCOMMIT_AUTHOR }}
           git-commit-email: ${{ secrets.AUTOCOMMIT_EMAIL }}
+          git-commit-gpg-key-b64: ${{ secrets.AUTOCOMMIT_GPG_KEY_B64 }}
+          git-commit-gpg-key-fingerprint: ${{ secrets.AUTOCOMMIT_GPG_KEY_FINGERPRINT }}
diff --git a/create-branchpreview/action.yml b/create-branchpreview/action.yml
@@ -29,6 +29,12 @@ inputs:
   git-commit-email:
     description: 'Git commit email when pushing to branchpreviews repository'
     required: true
+  git-commit-gpg-key-b64:
+    description: base64 encoded signing key
+    required: true
+  git-commit-gpg-key-fingerprint:
+    description: fingerprint of gpg key
+    required: true
   image:
     description: 'Full docker image in format of host/repo:tag'
     required: true
@@ -118,11 +124,22 @@ runs:
         echo "all-base64=${all_base64}" >> $GITHUB_OUTPUT
       # yamllint enable rule:line-length
 
+    - name: Configure signing key
+      shell: bash
+      # yamllint disable rule:line-length
+      run: |
+        echo ${{ inputs.git-commit-gpg-key-b64 }} | base64 -d > key.gpg
+        gpg --import key.gpg
+        rm key.gpg
+        git config --global user.signingkey $(echo ${{ inputs.git-commit-gpg-key-fingerprint }} | tail -c 17)
+      # yamllint enable rule:line-length
+
     - name: Commit branchpreview change
       uses: EndBug/add-and-commit@v9.1.1
       with:
         author_name: '${{ inputs.git-commit-author }}'
         author_email: '${{ inputs.git-commit-email }}'
+        commit: -S
         # yamllint disable-line rule:line-length
         message: 'Upsert ${{ inputs.repository-name }}:${{ inputs.branch-name }} with image tag: ${{ steps.start-branchpreview.outputs.image-tag }}'
         add: '["*.yaml","*.txt"]'

diff --git a/delete-branchpreview/action.yml b/delete-branchpreview/action.yml
@@ -30,6 +30,12 @@ inputs:
   git-commit-email:
     description: 'Git commit email when pushing to branchpreviews repository'
     required: true
+  git-commit-gpg-key-b64:
+    description: base64 encoded signing key
+    required: true
+  git-commit-gpg-key-fingerprint:
+    description: fingerprint of gpg key
+    required: true
 
 runs:
   using: "composite"
@@ -79,6 +85,16 @@ runs:
           '${{ inputs.repository-name }}' \
           '${{ inputs.branch-name }}'
 
+    - name: Configure signing key
+      shell: bash
+      # yamllint disable rule:line-length
+      run: |
+        echo ${{ inputs.git-commit-gpg-key-b64 }} | base64 -d > key.gpg
+        gpg --import key.gpg
+        rm key.gpg
+        git config --global user.signingkey $(echo ${{ inputs.git-commit-gpg-key-fingerprint }} | tail -c 17)
+      # yamllint enable rule:line-length
+
     - name: Commit deletion of the branchpreview
       uses: EndBug/add-and-commit@v9.1.1
       with: