ci: Use goreleaser image to run goreleaser

e-breuninger · Jan 24, 2024 · d3d2d2f · d3d2d2f
1 parent 06dcd9c
commit d3d2d2f
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 20 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,14 +14,17 @@ jobs:
       id-token: write  # to enable use of OIDC for npm provenance
     runs-on: ubuntu-latest
     container:
-      image: node:lts-alpine3.17
+      image: node:lts-alpine3.19
     env:
       NPM_CACHE_DIR: ~/.cache/npm
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Install job dependencies
-        run: apk add tar git
+        run: apk add tar git gpg gpg-agent cosign
+      - name: Import GPG key
+        run: |
+          echo -n "${{ secrets.GPG_PRIVATE_KEY }}" > key.gpg
       - uses: actions/cache@v4
         with:
           path: ~/.cache
@@ -42,22 +45,35 @@ jobs:
         run: |
           git config --global --add safe.directory $PWD
           npx semantic-release
-      - name: Set up Go
-        uses: actions/setup-go@v5
+  gorelease:
+    needs: semantic-release
+    permissions:
+      contents: write  # to be able to publish a GitHub release
+      issues: write  # to be able to comment on released issues
+      pull-requests: write  # to be able to comment on released pull requests
+      id-token: write  # to enable use of OIDC for npm provenance
+    runs-on: ubuntu-latest
+    container:
+      image: goreleaser/goreleaser
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
         with:
-          go-version: stable
-      - name: Import GPG key
-        id: import_gpg
-        uses: paultyng/[email protected]
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          PASSPHRASE: ${{ secrets.PASSPHRASE }}
+          ref: master
+          fetch-depth: 0
       - name: Run GoReleaser
-        uses: goreleaser/[email protected]
-        with:
-          version: latest
-          args: release --clean
+        run: |
+          apk add gpg-agent
+          echo -n "${{ secrets.GPG_PRIVATE_KEY }}" > key.gpg
+          echo "${{ secrets.PASSPHRASE }}" | gpg --batch --yes --passphrase-fd 0 --import key.gpg
+          echo "allow-preset-passphrase" > $HOME/.gnupg/gpg-agent.conf
+          gpgconf --reload gpg-agent
+          HEXPASSWD=$(echo -n "${{ secrets.PASSPHRASE }}" | hexdump -v -e '/1 "%02X"')
+          gpg-connect-agent "preset_passphrase ${{ secrets.KEYGRIP }} -1 $HEXPASSWD" /bye
+          git config --global --add safe.directory $PWD
+          goreleaser release --clean
         env:
-          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GPG_PASSWORD: ${{ secrets.PASSPHRASE }}
diff --git a/.gitignore b/.gitignore
@@ -5,3 +5,4 @@ _output/
 node_modules
 package-lock.json
 package.json
+key.gpg
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -32,15 +32,12 @@ signs:
       # if you are using this is a GitHub action or some other automated pipeline, you
       # need to pass the batch flag to indicate its not interactive.
       - "--batch"
-      - "--passphrase-fd"
-      - "0"
       - "--local-user"
       - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key
       - "--output"
       - "${signature}"
       - "--detach-sign"
       - "${artifact}"
-    stdin: "{{ .Env.GPG_PASSWORD }}"
 release:
   # If you want to manually examine the release before its live, uncomment this line:
   draft: false