Sign release archives with GPG #242
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- master | |
env: | |
JAVA_DISTRIBUTION: zulu | |
JAVA_VERSION: 22.0.2+9 | |
GRADLE_OPTS: -Dorg.gradle.daemon=false | |
jobs: | |
windows: | |
runs-on: windows-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
submodules: true | |
- name: Install JDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: ${{ env.JAVA_DISTRIBUTION }} | |
java-version: ${{ env.JAVA_VERSION }} | |
- name: Build | |
run: ./gradlew distZip --info | |
- name: Extract Release Variables | |
id: extract_release_variables | |
shell: bash | |
run: | | |
echo "tag_name=$(find build/distributions/ControllerBuddy-*.zip -maxdepth 1 -print0 | xargs -0 -I filename basename -s .zip filename | sed s/-windows-x86-64//)" >> $GITHUB_OUTPUT | |
echo "archive_path=$(find build/distributions/ControllerBuddy-*.zip -maxdepth 1 -print0)" >> $GITHUB_OUTPUT | |
- name: Tag Commit | |
uses: tvdias/[email protected] | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
tag: ${{ steps.extract_release_variables.outputs.tag_name }} | |
- name: Import GPG Key | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }} | |
- name: Sign Archive | |
id: sign_archive | |
shell: bash | |
run: | | |
signature_path="${{ steps.extract_release_variables.outputs.archive_path }}.sig" | |
gpg --local-user 8590BB74C0F559F8AC911C1D8058553A1FD36B23 --pinentry-mode loopback --passphrase ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }} --detach-sig --output "$signature_path" --yes ${{ steps.extract_release_variables.outputs.archive_path }} | |
echo "signature_path=$signature_path" >> $GITHUB_OUTPUT | |
- name: Release | |
id: release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ steps.extract_release_variables.outputs.tag_name }} | |
draft: false | |
prerelease: false | |
files: | | |
${{ steps.extract_release_variables.outputs.archive_path }} | |
${{ steps.sign_archive.outputs.signature_path }} | |
linux: | |
needs: windows | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
submodules: true | |
- name: Install JDK | |
uses: actions/setup-java@v4 | |
with: | |
distribution: ${{ env.JAVA_DISTRIBUTION }} | |
java-version: ${{ env.JAVA_VERSION }} | |
- name: Build | |
run: ./gradlew distTar --info | |
- name: Extract Release Variables | |
id: extract_release_variables | |
shell: bash | |
run: | | |
echo "tag_name=$(find build/distributions/ControllerBuddy-*.tgz -maxdepth 1 -print0 | xargs -0 -I filename basename -s .tgz filename | sed s/-linux-x86-64//)" >> $GITHUB_OUTPUT | |
echo "archive_path=$(find build/distributions/ControllerBuddy-*.tgz -maxdepth 1 -print0)" >> $GITHUB_OUTPUT | |
- name: Import GPG Key | |
uses: crazy-max/ghaction-import-gpg@v6 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }} | |
- name: Sign Archive | |
id: sign_archive | |
shell: bash | |
run: | | |
signature_path="${{ steps.extract_release_variables.outputs.archive_path }}.sig" | |
gpg --local-user 8590BB74C0F559F8AC911C1D8058553A1FD36B23 --pinentry-mode loopback --passphrase ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }} --detach-sig --output "$signature_path" --yes ${{ steps.extract_release_variables.outputs.archive_path }} | |
echo "signature_path=$signature_path" >> $GITHUB_OUTPUT | |
- name: Release | |
id: release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ steps.extract_release_variables.outputs.tag_name }} | |
draft: false | |
prerelease: false | |
generate_release_notes: true | |
files: | | |
${{ steps.extract_release_variables.outputs.archive_path }} | |
${{ steps.sign_archive.outputs.signature_path }} |