fix(release): allow dirmngr SRV lookup for GPG keyserver #829

Open: codysoyland wants to merge 1 commit into main from fix-release-gpg-keyserver
@codysoyland (Contributor)

Summary

  • GPG's dirmngr does a DNS SRV lookup for _pgpkey-https._tcp.keys.openpgp.org before connecting to keys.openpgp.org, and harden-runner treats this as a separate endpoint
  • Add _pgpkey-https._tcp.keys.openpgp.org:443 to allowed-endpoints, matching the pattern already used in terraform-provider-cosign
  • Fixes the release workflow failure in https://github.com/chainguard-dev/terraform-provider-apko/actions/runs/24800104335

Test plan

  • Re-run the release workflow and verify the GPG key upload step succeeds

🤖 Generated with Claude Code

…nner

GPG's dirmngr resolves _pgpkey-https._tcp.keys.openpgp.org via DNS SRV
before connecting to keys.openpgp.org, which harden-runner blocks as a
separate endpoint. Add it to allowed-endpoints, matching the pattern
used in terraform-provider-cosign.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
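
A lint check for the failure described in this pull request, as an added example that is not part of the pull request or the project's code: it reads the text of a harden-runner allowed-endpoints value and reports any keyserver host that is listed without the _pgpkey-https._tcp SRV name dirmngr looks up first. The function names, the KEYSERVER_HOSTS set, the whitespace/comma splitting and the sample endpoint lists are assumptions constructed for illustration.

```python
import re

# Assumption: the keyserver hosts the workflow's gpg steps talk to.
KEYSERVER_HOSTS = {"keys.openpgp.org"}

# Constructed sample values, not copied from the project's workflow.
BEFORE = """
github.com:443
keys.openpgp.org:443
"""
AFTER = BEFORE + "_pgpkey-https._tcp.keys.openpgp.org:443\n"


def parse_endpoints(block):
    """Turn an allowed-endpoints string into a set of (host, port) pairs."""
    pairs = set()
    for item in re.split(r"[\s,]+", block.strip()):
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError(f"expected host:port, got {item!r}")
        pairs.add((host.lower(), int(port)))
    return pairs


def missing_srv_endpoints(block, keyservers=KEYSERVER_HOSTS):
    """List SRV names that must be allowed alongside each keyserver host.

    With an egress block policy, the SRV query name is checked as its own
    endpoint, so allowing only the keyserver host is not enough.
    """
    allowed = parse_endpoints(block)
    missing = []
    for host, port in sorted(allowed):
        if host in keyservers and port == 443:
            srv_name = f"_pgpkey-https._tcp.{host}"
            if (srv_name, port) not in allowed:
                missing.append(f"{srv_name}:{port}")
    return missing


if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_srv_endpoints(block) or "ok")
```
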