forgejo: sign RPM before deploying
parent
57cc5b49b3
commit
c850a81498
2 changed files with 17 additions and 2 deletions
|
@ -1,4 +1,4 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
# shellcheck disable=SC3040
|
||||
set -eu -o pipefail
|
||||
|
@ -10,6 +10,20 @@ readonly TARGET_REPO=$CI_RPM_REPO
|
|||
readonly group="qubes/$QUBES_REL"
|
||||
readonly rpm=$(find . -name 'qubes-template-*.rpm')
|
||||
|
||||
echo "Signing $rpm"
|
||||
gpg --import <<< $FORGE_REPO_PRIVKEY
|
||||
gpg --export -a > forge-repo.pub
|
||||
rpm --import forge-repo.pub
|
||||
|
||||
cat << EOF > $HOME/.rpmmacros
|
||||
%_signature gpg
|
||||
%_gpg_path $HOME/.gnupg
|
||||
%_gpg_name RPM Registry
|
||||
%_gpgbin /usr/bin/gpg
|
||||
EOF
|
||||
|
||||
rpm --addsign $rpm
|
||||
|
||||
echo "Sending $rpm to $TARGET_REPO/$group/upload"
|
||||
curl -s --user $FORGE_REPO_USER:$FORGE_REPO_TOKEN --upload-file $rpm $TARGET_REPO/$group/upload
|
||||
|
||||
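Review bot: The private signing key is imported into `$HOME/.gnupg` and nothing in the added lines removes it, or `forge-repo.pub`, afterwards. If the runner's home directory outlives the job, the key stays on disk, so a throwaway `GNUPGHOME` cleaned up by an `EXIT` trap would keep it scoped to this run. `$FORGE_REPO_PRIVKEY` in the here-string and `$rpm` in `rpm --addsign` are expanded unquoted; quoting them keeps the armored key's line breaks intact on bash older than 4.4 and keeps a path with spaces in one piece. Nothing visible checks that `find` matched exactly one package before it is signed and uploaded. The script continues outside both hunks, so the excerpt below covers only the signing lines.

```shell
# … unchanged: TARGET_REPO, group and rpm lookup …
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'rm -rf -- "$GNUPGHOME" forge-repo.pub' EXIT

echo "Signing $rpm"
gpg --batch --import <<< "$FORGE_REPO_PRIVKEY"
# … unchanged: public key export and rpm --import …

# … unchanged: start of the ~/.rpmmacros heredoc …
%_gpg_path $GNUPGHOME
# … unchanged: remaining macros and EOF …

rpm --addsign "$rpm"
# … unchanged: upload via curl …
```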
|
|
|
@ -48,10 +48,11 @@ jobs:
|
|||
env:
|
||||
CI_RPM_REPO: 'https://ayakael.net/api/packages/forge/rpm'
|
||||
FORGE_REPO_TOKEN: ${{ secrets.FORGE_REPO_TOKEN }}
|
||||
FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}
|
||||
FORGE_REPO_USER: ${{ vars.FORGE_REPO_USER }}
|
||||
steps:
|
||||
- name: Setting up environment
|
||||
run: apk add nodejs curl findutils git gawk
|
||||
run: apk add nodejs curl findutils git gawk bash rpm gpg gpg-agent
|
||||
- name: Repo pull
|
||||
uses: actions/checkout@v4
|
||||
- name: Package download
|
||||
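Review bot: `FORGE_REPO_PRIVKEY` is added to what appears to be the job-level `env:` block (indentation is lost in this view), so every step of the job, including `actions/checkout@v4` and the package download, would run with the private signing key in its environment. Only the step that signs and uploads the RPM needs it. Moving `FORGE_REPO_PRIVKEY: ${{ secrets.FORGE_REPO_PRIVKEY }}` into an `env:` on that step, ideally together with `FORGE_REPO_TOKEN`, narrows which code can read the key. That step lies outside the hunk, so the exact placement has to be confirmed there.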
|
|