gha: Sign release tarballs and binary branch commits
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 82133321..d846496b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,15 @@ jobs:
steps:
- name: Install dependencies
- run: pacman --noconfirm -Syu && pacman --needed --noconfirm -S base-devel gzip bzip2 lzip zstd git autoconf automake nasm curl mtools llvm clang lld mingw-w64-gcc
+ run: pacman --noconfirm -Syu && pacman --needed --noconfirm -S base-devel gnupg gzip bzip2 lzip zstd git autoconf automake nasm curl mtools llvm clang lld mingw-w64-gcc
+
+ - name: Import GPG public key
+ run: gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 05D29860D0A0668AAEFB9D691F3C021BECA23821
+
+ - name: Import GPG private key
+ run: echo "$MINTSUKI_PRIVATE_KEY" | gpg --batch --import
+ env:
+ MINTSUKI_PRIVATE_KEY: ${{ secrets.MINTSUKI_PRIVATE_KEY }}
- name: Checkout code
uses: actions/checkout@v4
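Review bot: The secret key imported by `echo "$MINTSUKI_PRIVATE_KEY" | gpg --batch --import` stays in the runner's keyring for the rest of the job and nothing removes it, so on a self-hosted or reused runner it outlives the release; add a final step with `if: always()` running `gpg --batch --yes --delete-secret-and-public-keys 05D29860D0A0668AAEFB9D691F3C021BECA23821`. Passing the secret through `env:` instead of a `${{ }}` expression inside the script is the right choice and should stay that way. Because importing the private key also imports its public part, the separate `--recv-keys` from keyserver.ubuntu.com is redundant and adds a network failure mode to every release. I cannot tell from here whether the secret holds the primary key or a signing subkey; a dedicated subkey with an expiry is preferable, since a leaked runner secret could then be revoked without changing the fingerprint users are told to trust.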
@@ -21,7 +29,12 @@ jobs:
fetch-depth: '0'
- name: Git config
- run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ run: |
+ set -e
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
+ git config --global user.name 'Mintsuki'
+ git config --global user.email 'mintsuki@protonmail.com'
+ git config --global user.signingkey 05D29860D0A0668AAEFB9D691F3C021BECA23821
- name: Get tag name
run: echo "TAG_NAME=$(git describe --exact-match --tags $(git log -n1 --pretty='%h'))" >> $GITHUB_ENV
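Review bot: `user.email` is now `mintsuki@protonmail.com` for every commit the job makes, replacing the noreply address the binary-branch step used; for GitHub to mark the signed commits as Verified that address must match a UID on key 05D2…3821 and the public key must be registered on the account, and nothing in the workflow checks either, so confirm it before the first signed release. If the key is passphrase-protected, `git commit -S` in this non-interactive job will fail in batch mode without `--pinentry-mode loopback` and a passphrase source, so either the key is unprotected (treat the secret accordingly) or a `gpg.program` wrapper is needed. `set -e` here is harmless but redundant, since GitHub already runs `run:` scripts with `bash -e` by default.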
@@ -64,8 +77,7 @@ jobs:
- name: Push binaries to binary branch
run: |
- git config user.name 'mintsuki'
- git config user.email 'mintsuki@users.noreply.github.com'
+ set -e
git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/limine-bootloader/limine.git
git fetch --all
git checkout $BRANCH_NAME-binary || git checkout --orphan $BRANCH_NAME-binary
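Review bot: `${{ secrets.GITHUB_TOKEN }}` is expanded into the script text on the `git remote set-url` line, and the resulting URL, token included, is then written to `.git/config` in the workspace for the rest of the job; this predates the commit but is worth fixing while the step is being rewritten. Pass it through `env:` (`GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and write `https://x-access-token:${GH_TOKEN}@github.com/limine-bootloader/limine.git` in the script, or rely on the credentials actions/checkout already persists and drop the set-url line altogether. The `git checkout … || git checkout --orphan …` fallback still works under the new `set -e`, since the `||` list is exempt from errexit.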
@@ -73,7 +85,7 @@ jobs:
cp -r build/bin/. ./
rm -rf build
git add -f .
- git commit -m "Binary release $TAG_NAME"
+ git commit -m "Binary release $TAG_NAME" -S
git push origin $BRANCH_NAME-binary
git tag $TAG_NAME-binary
git push origin $BRANCH_NAME-binary --tags
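Review bot: `git tag $TAG_NAME-binary` still creates a lightweight tag, so the only signature on the binary branch is on the commit and the tag itself can be re-pointed with no signed object saying which commit it should reference. Given the commit's goal of signed binary releases, make it a signed annotated tag: `git tag -s -m "Binary release $TAG_NAME" $TAG_NAME-binary`, which lets users verify the whole release with `git verify-tag $TAG_NAME-binary`. `--tags` on the push also pushes every tag present locally rather than only this one; `git push origin $BRANCH_NAME-binary $TAG_NAME-binary` is tighter.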
@@ -84,11 +96,28 @@ jobs:
- name: Package release tarball
run: ./bootstrap && ./configure --enable-all && make dist
+ - name: Sign release tarball
+ run: gpg --batch --default-key 05D29860D0A0668AAEFB9D691F3C021BECA23821 --detach-sign limine-*.tar.*
+
- name: Create release notes
run: |
- echo "Changelog can be found [here](https://github.com/limine-bootloader/limine/releases/download/$TAG_NAME/ChangeLog)." > rel_notes.txt
- echo "" >> rel_notes.txt
- echo "Binary release can be found [here](https://github.com/limine-bootloader/limine/tree/$TAG_NAME-binary)." >> rel_notes.txt
+ cat <<'EOF' >rel_notes.txt
+ Changelog can be found [here](https://github.com/limine-bootloader/limine/releases/download/$TAG_NAME/ChangeLog).
+
+ Binary release can be found [here](https://github.com/limine-bootloader/limine/tree/$TAG_NAME-binary).
+
+ Tarballs are signed using key ID 05D29860D0A0668AAEFB9D691F3C021BECA23821 which can be obtained from the keyservers: keys.openpgp.org, keyring.debian.org, keyserver.ubuntu.com.
+
+ Import the public key with:
+ ```bash
+ gpg --keyserver <a keyserver from list above> --recv-keys 05D29860D0A0668AAEFB9D691F3C021BECA23821
+ ```
+
+ In order to verify the tarball with the given signature, do:
+ ```bash
+ gpg --verify <tarball sig file> <associated tarball>
+ ```
+ EOF
- name: Release
uses: softprops/action-gh-release@v2
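Review bot: The heredoc at `cat <<'EOF' >rel_notes.txt` quotes its delimiter, so `$TAG_NAME` is no longer expanded and the changelog and binary-branch links in the release notes will literally contain `$TAG_NAME`, whereas the old `echo` lines did expand it. The quoting is needed to keep the triple backticks from being treated as command substitutions, so keep it and expand only that one variable: `envsubst '$TAG_NAME' >rel_notes.txt <<'EOF'` (envsubst comes from gettext, which base-devel pulls in on Arch; confirm it is present in the image). Separately, `gpg --batch --default-key … --detach-sign limine-*.tar.*` with more than one matching archive does not emit one `.sig` per file as far as I can tell — gpg folds all listed files into a single detached signature — so if `make dist` produces several tarballs, sign them in a loop: `for f in limine-*.tar.*; do gpg --batch --default-key 05D29860D0A0668AAEFB9D691F3C021BECA23821 --detach-sign "$f"; done`. The notes call the 40-hex value a key ID; it is the full fingerprint, which is the right thing to pin, so name it as such.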
