In order to secure an APT repository, the `Release` file containing the hashes of all packages needs to be signed with a GPG key. These signatures simply need to be synced back up to the repository. The rest is handled by `apt` itself. Resolves: #10599
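# Composite action: prepares GnuPG for non-interactive use, imports the given
# key, and exposes the ID of the secret key that matches `email` as `key_id`.
name: "Setup GnuPG"
description: "Sets up gpg for non-interactive signing"
inputs:
  key:
    description: "The GPG key to import"
    required: true
  email:
    description: "The email to associate with the key"
    required: true
outputs:
  key_id:
    # NOTE(review): the value is field 5 of the `sec:` record in gpg's
    # --with-colons listing, which GnuPG documents as the 64-bit key ID;
    # confirm that "short-ID" is the intended wording.
    description: The short-ID of the GPG key.
    value: ${{ steps.import.outputs.key_id }}
runs:
  using: "composite"
  steps:
    - name: Set GnuPG options
      run: |
        # The GnuPG home holds secret key material, so it is owner-only.
        mkdir --parents --mode 0700 ~/.gnupg

        # Loopback pinentry lets gpg run without an interactive prompt.
        echo "use-agent" >> ~/.gnupg/gpg.conf
        echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
      shell: bash
    - name: Import key
      id: import
      shell: bash
      # Inputs are handed to the script as environment variables. A
      # `${{ ... }}` expression placed inside `run:` is substituted into the
      # script text before bash parses it, so quotes or `$(...)` in an input
      # would be interpreted as shell syntax instead of data.
      env:
        GPG_PRIVATE_KEY: ${{ inputs.key }}
        GPG_EMAIL: ${{ inputs.email }}
      run: |
        # printf emits the key verbatim; the key never appears in the script.
        printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --import --batch
        # `--` ends option parsing so the email is always treated as a user ID.
        # Assumes exactly one secret key matches the email; several matches
        # would yield a multi-line value -- TODO confirm.
        GPG_KEY_ID=$(gpg --list-secret-keys --with-colons -- "$GPG_EMAIL" 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5)

        echo "key_id=$GPG_KEY_ID" >> "$GITHUB_OUTPUT"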