Merge pull request #819 from greenbone/y0urself/pontos-sign-208

[20.08] Add signing to workflow ...
greenbone · Aug 3, 2021 · 9d14be1 · 9d14be1
2 parents a7b7611 + 49ed7d1
commit 9d14be1
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/.github/workflows/release-pontos-patch.yml b/.github/workflows/release-pontos-patch.yml
@@ -11,6 +11,9 @@ jobs:
       GITHUB_USER: ${{ secrets.GREENBONE_BOT }}
       GITHUB_MAIL: ${{ secrets.GREENBONE_BOT_MAIL }}
       GITHUB_TOKEN: ${{ secrets.GREENBONE_BOT_TOKEN }}
+      GPG_KEY: ${{ secrets.GPG_KEY }}
+      GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     name: Release patch with pontos
     # If the label 'make patch release' is set. If PR is closed because of an merge
     if: contains( github.event.pull_request.labels.*.name, 'make patch release') && github.event.pull_request.merged == true
@@ -35,15 +38,31 @@ jobs:
         git config --global user.name "${{ env.GITHUB_USER }}"
         git config --global user.email "${{ env.GITHUB_MAIL }}"
         git remote set-url origin https://${{ env.GITHUB_TOKEN }}@github.com/${{ github.repository }}
-      
     - name: Print base branch
       # we always should've checked out the correct branch'
       run: echo "Current Branch is $GITHUB_BASE_REF"
     - name: Prepare patch release with pontos
       run: |
         . .venv/bin/activate
         pontos-release prepare --patch
+        echo "VERSION=$(pontos-version show)" >> $GITHUB_ENV
     - name: Release with pontos
       run: |
         . .venv/bin/activate
         pontos-release release
+    - name: Import key from secrets
+      run: |
+        echo -e "${{ env.GPG_KEY }}" >> tmp.file
+        gpg                                        \
+          --pinentry-mode loopback                 \
+          --passphrase ${{ env.GPG_PASSPHRASE }}   \
+          --import tmp.file
+        rm tmp.file
+    - name: Sign with pontos-release sign
+      run: |
+        echo "Signing assets for ${{env.VERSION}}"
+        . .venv/bin/activate
+        pontos-release sign                        \
+          --signing-key ${{ env.GPG_FINGERPRINT }} \
+          --passphrase ${{ env.GPG_PASSPHRASE }}   \
+          --release-version ${{ env.VERSION }}