forgejo: sign RPM before deploying

This commit is contained in:
Antoine Martin 2024-08-22 16:13:07 -04:00
parent 57cc5b49b3
commit c850a81498
Signed by: forge
GPG key ID: D62A472A4AA7D541
2 changed files with 17 additions and 2 deletions


@ -1,4 +1,4 @@
#!/bin/sh
#!/bin/bash
# shellcheck disable=SC3040
set -eu -o pipefail
@ -10,6 +10,20 @@ readonly TARGET_REPO=$CI_RPM_REPO
readonly group="qubes/$QUBES_REL"
readonly rpm=$(find . -name 'qubes-template-*.rpm')
echo "Signing $rpm"
gpg --import <<< $FORGE_REPO_PRIVKEY
gpg --export -a > forge-repo.pub
rpm --import forge-repo.pub
cat << EOF > $HOME/.rpmmacros
%_signature gpg
%_gpg_path $HOME/.gnupg
%_gpg_name RPM Registry
%_gpgbin /usr/bin/gpg
EOF
rpm --addsign $rpm
echo "Sending $rpm to $TARGET_REPO/$group/upload"
curl -s --user $FORGE_REPO_USER:$FORGE_REPO_TOKEN --upload-file $rpm $TARGET_REPO/$group/upload
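Review bot: The upload on the last line runs `curl -s` with no `--fail`, so an HTTP error from the registry (rejected credentials, a conflicting package) still exits 0 and the job reports success although the freshly signed RPM was never published; `set -e` cannot catch that. Passing the credentials with `--user` also places the token in the process argument list, visible to anything else on the runner. Both are addressed by feeding the credential through a config on stdin: `printf 'user = "%s:%s"\n' "$FORGE_REPO_USER" "$FORGE_REPO_TOKEN" | curl -sS --fail -K - --upload-file "$rpm" "$TARGET_REPO/$group/upload"`. Separately, `$rpm` comes from an unquoted `find` and is never checked, so an empty result or two matching files silently reaches `rpm --addsign $rpm` and the upload; a guard after the `find`, `[ -n "$rpm" ] || { echo "no template RPM found" >&2; exit 1; }`, makes that failure explicit. With bash as the shebang the `# shellcheck disable=SC3040` in the first hunk is no longer needed.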


@ -48,10 +48,11 @@ jobs:
env:
CI_RPM_REPO: 'https://ayakael.net/api/packages/forge/rpm'
FORGE_REPO_TOKEN: ${{ secrets.FORGE_REPO_TOKEN }}
FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}
FORGE_REPO_USER: ${{ vars.FORGE_REPO_USER }}
steps:
- name: Setting up environment
run: apk add nodejs curl findutils git gawk
run: apk add nodejs curl findutils git gawk bash rpm gpg gpg-agent
- name: Repo pull
uses: actions/checkout@v4
- name: Package download
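Review bot: `FORGE_REPO_PRIVKEY`, the private signing key consumed by the script this commit changes (and apparently introduced here), sits in what looks like the job-level `env:` block, so it is exported to every step of the job — `actions/checkout@v4`, the package download and anything else that runs before or after signing — rather than only to the step that calls `gpg --import`. Scope it to that single step with a step-level `env:` (`- name: <signing step>` / `  env:` / `    FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}`) and consider the same for `FORGE_REPO_TOKEN`, which only the upload needs. The signing step itself is outside this hunk. Indentation is lost in this rendering, so the job-level placement is inferred from `env:` appearing beside `steps:`.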