diff --git a/.github/workflows/release-pontos-patch.yml b/.github/workflows/release-pontos-patch.yml
index e95a6c7d0..4a73c7064 100644
--- a/.github/workflows/release-pontos-patch.yml
+++ b/.github/workflows/release-pontos-patch.yml
@@ -11,6 +11,9 @@ jobs:
 GITHUB_USER: ${{ secrets.GREENBONE_BOT }}
 GITHUB_MAIL: ${{ secrets.GREENBONE_BOT_MAIL }}
 GITHUB_TOKEN: ${{ secrets.GREENBONE_BOT_TOKEN }}
+ GPG_KEY: ${{ secrets.GPG_KEY }}
+ GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 name: Release patch with pontos
 # If the label 'make patch release' is set. If PR is closed because of an merge
 if: contains( github.event.pull_request.labels.*.name, 'make patch release') && github.event.pull_request.merged == true
@@ -35,7 +38,6 @@ jobs:
 git config --global user.name "${{ env.GITHUB_USER }}"
 git config --global user.email "${{ env.GITHUB_MAIL }}"
 git remote set-url origin https://${{ env.GITHUB_TOKEN }}@github.com/${{ github.repository }}
-
 - name: Print base branch
 # we always should've checked out the correct branch'
 run: echo "Current Branch is $GITHUB_BASE_REF"
@@ -43,7 +45,24 @@ jobs:
 run: |
 . .venv/bin/activate
 pontos-release prepare --patch
+ echo "VERSION=$(pontos-version show)" >> $GITHUB_ENV
 - name: Release with pontos
 run: |
 . .venv/bin/activate
 pontos-release release
+ - name: Import key from secrets
+ run: |
+ echo -e "${{ env.GPG_KEY }}" >> tmp.file
+ gpg \
+ --pinentry-mode loopback \
+ --passphrase ${{ env.GPG_PASSPHRASE }} \
+ --import tmp.file
+ rm tmp.file
+ - name: Sign with pontos-release sign
+ run: |
+ echo "Signing assets for ${{env.VERSION}}"
+ . .venv/bin/activate
+ pontos-release sign \
+ --signing-key ${{ env.GPG_FINGERPRINT }} \
+ --passphrase ${{ env.GPG_PASSPHRASE }} \
+ --release-version ${{ env.VERSION }}
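Review bot: `GPG_KEY` and `GPG_PASSPHRASE` are added to what appears to be the job-level `env:` block (its start is outside the hunk; the sibling keys `name:` and `if:` are job keys), which exports the private key and its passphrase to every step of the job, including the checkout and dependency-installation steps that never need them. Only the two new import and sign steps in the last hunk consume these values, so scoping them with a step-level `env:` on those two steps, e.g. `env:` / `  GPG_KEY: ${{ secrets.GPG_KEY }}` / `  GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}`, limits exposure to the commands that actually sign. `GPG_FINGERPRINT` is not sensitive in the same way, but keeping all three together on the sign step reads more clearly than a split.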
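Review bot: The new `Import key from secrets` and `Sign with pontos-release sign` steps interpolate the private key and passphrase into the script text via `${{ env.GPG_KEY }}` and `${{ env.GPG_PASSPHRASE }}`, and the key is appended to `tmp.file` in the checked-out workspace, where it stays behind if `gpg` fails before `rm tmp.file` runs; since both values are already environment variables, the shell should read `"$GPG_KEY"` and `"$GPG_PASSPHRASE"` directly, and the key can be piped straight into `gpg --import` so no file is ever written. The unquoted `--passphrase ${{ env.GPG_PASSPHRASE }}` also places the passphrase in the gpg argument list; `--batch --passphrase-fd` fed by a here-string keeps it out of the command line (the `pontos-release sign --passphrase` argument has the same property, so if pontos can read it from the environment or a file, prefer that — I cannot tell from here). `printf '%b\n'` below preserves the escape handling that the original `echo -e` relies on, presumably because the secret stores the key with literal `\n` sequences; confirm against how the secret was created. The echo line's `${{env.VERSION}}` is also missing the spacing used everywhere else in the file, and `"$VERSION"` works there since the value was exported through `$GITHUB_ENV` in the prepare step.
```yaml
      - name: Import key from secrets
        run: |
          # key and passphrase are read from the environment; nothing is
          # interpolated into the script text and no file touches the workspace
          printf '%b\n' "$GPG_KEY" | gpg --batch --pinentry-mode loopback \
            --passphrase-fd 3 --import 3<<< "$GPG_PASSPHRASE"
      - name: Sign with pontos-release sign
        run: |
          echo "Signing assets for ${VERSION}"
          . .venv/bin/activate
          pontos-release sign \
            --signing-key "$GPG_FINGERPRINT" \
            --passphrase "$GPG_PASSPHRASE" \
            --release-version "$VERSION"
```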