Skip to content

Commit e3ec108

Browse files
fix: action-commit-push GPG and SSH issues (#27)
Co-authored-by: ChristophShyper <45788587+ChristophShyper@users.noreply.github.com>
1 parent ebc33df commit e3ec108

1 file changed

Lines changed: 81 additions & 30 deletions

File tree

.github/workflows/e2e-action-commit-push.yml

Lines changed: 81 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -519,10 +519,13 @@ jobs:
519519
id: gpg
520520
run: |
521521
set -euo pipefail
522+
gpg_batch_file="${RUNNER_TEMP}/gpg-batch"
523+
gpg_private_file="${RUNNER_TEMP}/gpg-private.asc"
524+
gpg_public_file="${RUNNER_TEMP}/gpg-public.asc"
522525
export GNUPGHOME
523526
GNUPGHOME="$(mktemp -d)"
524527
chmod 700 "${GNUPGHOME}"
525-
cat > gpg-batch <<EOF
528+
cat > "${gpg_batch_file}" <<EOF
526529
Key-Type: RSA
527530
Key-Length: 2048
528531
Name-Real: Triglav E2E
@@ -531,32 +534,54 @@ jobs:
531534
Expire-Date: 0
532535
%commit
533536
EOF
534-
gpg --batch --generate-key gpg-batch
535-
gpg --batch --pinentry-mode loopback --passphrase triglav-passphrase --armor --export-secret-keys "${{ github.actor }}@users.noreply.github.com" > gpg-private.asc
536-
gpg --armor --export "${{ github.actor }}@users.noreply.github.com" > gpg-public.asc
537+
gpg --batch --generate-key "${gpg_batch_file}"
538+
gpg --batch --pinentry-mode loopback --passphrase triglav-passphrase --armor --export-secret-keys "${{ github.actor }}@users.noreply.github.com" > "${gpg_private_file}"
539+
gpg --armor --export "${{ github.actor }}@users.noreply.github.com" > "${gpg_public_file}"
537540
{
538541
echo "secret_key<<EOF"
539-
cat gpg-private.asc
542+
cat "${gpg_private_file}"
540543
echo "EOF"
541544
echo "public_key<<EOF"
542-
cat gpg-public.asc
545+
cat "${gpg_public_file}"
543546
echo "EOF"
544547
} >> "${GITHUB_OUTPUT}"
545548
546549
- name: Create test file
547550
run: echo "E2E gpg signing test $(date -u)" > e2e-gpg-signing.md
548551

552+
- name: Build action image from source
553+
if: ${{ inputs.mode == 'ref' }}
554+
run: |
555+
set -euo pipefail
556+
action_src="${RUNNER_TEMP}/action-commit-push-src"
557+
rm -rf "${action_src}"
558+
git clone --depth 1 --branch master https://github.com/devops-infra/action-commit-push "${action_src}"
559+
docker build -t triglav-action-commit-push:test "${action_src}"
560+
549561
- name: Commit and push signed changes with GPG
550562
if: ${{ inputs.mode == 'ref' }}
551-
id: gpg_commit
552-
uses: devops-infra/action-commit-push@master
553-
with:
554-
github_token: ${{ secrets.GITHUB_TOKEN }}
555-
commit_message: "test(commit-push): gpg signed commit"
556-
target_branch: test/e2e-commit-push-gpg-${{ github.run_id }}
557-
signing_mode: gpg
558-
signing_key: ${{ steps.gpg.outputs.secret_key }}
559-
signing_passphrase: triglav-passphrase
563+
env:
564+
INPUT_SIGNING_KEY: ${{ steps.gpg.outputs.secret_key }}
565+
INPUT_SIGNING_PASSPHRASE: triglav-passphrase
566+
run: |
567+
set -euo pipefail
568+
rm -f "${RUNNER_TEMP}/gpg-action-output.txt"
569+
docker run --rm \
570+
-v "$PWD:/github/workspace" \
571+
-v "${RUNNER_TEMP}:/github/runner_temp" \
572+
-w /github/workspace \
573+
-e GITHUB_WORKSPACE=/github/workspace \
574+
-e GITHUB_ACTOR="${{ github.actor }}" \
575+
-e GITHUB_REPOSITORY="${{ github.repository }}" \
576+
-e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
577+
-e GITHUB_OUTPUT=/github/runner_temp/gpg-action-output.txt \
578+
-e INPUT_ORGANIZATION_DOMAIN=github.com \
579+
-e INPUT_COMMIT_MESSAGE="test(commit-push): gpg signed commit" \
580+
-e INPUT_TARGET_BRANCH="test/e2e-commit-push-gpg-${{ github.run_id }}" \
581+
-e INPUT_SIGNING_MODE=gpg \
582+
-e INPUT_SIGNING_KEY \
583+
-e INPUT_SIGNING_PASSPHRASE \
584+
triglav-action-commit-push:test
560585
561586
- name: GPG signing via docker image (preview)
562587
if: ${{ inputs.mode == 'image' }}
@@ -572,11 +597,12 @@ jobs:
572597
if: ${{ inputs.mode == 'ref' }}
573598
run: |
574599
set -euo pipefail
600+
gpg_public_file="${RUNNER_TEMP}/gpg-public-verify.asc"
575601
export GNUPGHOME
576602
GNUPGHOME="$(mktemp -d)"
577603
chmod 700 "${GNUPGHOME}"
578-
printf '%s\n' "${{ steps.gpg.outputs.public_key }}" > gpg-public.asc
579-
gpg --import gpg-public.asc >/dev/null 2>&1
604+
printf '%s\n' "${{ steps.gpg.outputs.public_key }}" > "${gpg_public_file}"
605+
gpg --import "${gpg_public_file}" >/dev/null 2>&1
580606
git fetch origin "test/e2e-commit-push-gpg-${{ github.run_id }}"
581607
git verify-commit "origin/test/e2e-commit-push-gpg-${{ github.run_id }}"
582608
@@ -603,29 +629,53 @@ jobs:
603629
id: ssh
604630
run: |
605631
set -euo pipefail
606-
ssh-keygen -q -t ed25519 -N '' -C "${{ github.actor }}@users.noreply.github.com" -f ssh-signing-key
632+
ssh_private_key="${RUNNER_TEMP}/ssh-signing-key"
633+
ssh_public_key="${RUNNER_TEMP}/ssh-signing-key.pub"
634+
rm -f "${ssh_private_key}" "${ssh_public_key}"
635+
ssh-keygen -q -t ed25519 -N '' -C "${{ github.actor }}@users.noreply.github.com" -f "${ssh_private_key}"
607636
{
608637
echo "private_key<<EOF"
609-
cat ssh-signing-key
638+
cat "${ssh_private_key}"
610639
echo "EOF"
611640
echo "public_key<<EOF"
612-
cat ssh-signing-key.pub
641+
cat "${ssh_public_key}"
613642
echo "EOF"
614643
} >> "${GITHUB_OUTPUT}"
615644
616645
- name: Create test file
617646
run: echo "E2E ssh signing test $(date -u)" > e2e-ssh-signing.md
618647

648+
- name: Build action image from source
649+
if: ${{ inputs.mode == 'ref' }}
650+
run: |
651+
set -euo pipefail
652+
action_src="${RUNNER_TEMP}/action-commit-push-src"
653+
rm -rf "${action_src}"
654+
git clone --depth 1 --branch master https://github.com/devops-infra/action-commit-push "${action_src}"
655+
docker build -t triglav-action-commit-push:test "${action_src}"
656+
619657
- name: Commit and push signed changes with SSH
620658
if: ${{ inputs.mode == 'ref' }}
621-
id: ssh_commit
622-
uses: devops-infra/action-commit-push@master
623-
with:
624-
github_token: ${{ secrets.GITHUB_TOKEN }}
625-
commit_message: "test(commit-push): ssh signed commit"
626-
target_branch: test/e2e-commit-push-ssh-${{ github.run_id }}
627-
signing_mode: ssh
628-
signing_key: ${{ steps.ssh.outputs.private_key }}
659+
env:
660+
INPUT_SIGNING_KEY: ${{ steps.ssh.outputs.private_key }}
661+
run: |
662+
set -euo pipefail
663+
rm -f "${RUNNER_TEMP}/ssh-action-output.txt"
664+
docker run --rm \
665+
-v "$PWD:/github/workspace" \
666+
-v "${RUNNER_TEMP}:/github/runner_temp" \
667+
-w /github/workspace \
668+
-e GITHUB_WORKSPACE=/github/workspace \
669+
-e GITHUB_ACTOR="${{ github.actor }}" \
670+
-e GITHUB_REPOSITORY="${{ github.repository }}" \
671+
-e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
672+
-e GITHUB_OUTPUT=/github/runner_temp/ssh-action-output.txt \
673+
-e INPUT_ORGANIZATION_DOMAIN=github.com \
674+
-e INPUT_COMMIT_MESSAGE="test(commit-push): ssh signed commit" \
675+
-e INPUT_TARGET_BRANCH="test/e2e-commit-push-ssh-${{ github.run_id }}" \
676+
-e INPUT_SIGNING_MODE=ssh \
677+
-e INPUT_SIGNING_KEY \
678+
triglav-action-commit-push:test
629679
630680
- name: SSH signing via docker image (preview)
631681
if: ${{ inputs.mode == 'image' }}
@@ -641,9 +691,10 @@ jobs:
641691
if: ${{ inputs.mode == 'ref' }}
642692
run: |
643693
set -euo pipefail
644-
printf '%s %s\n' "${{ github.actor }}@users.noreply.github.com" "${{ steps.ssh.outputs.public_key }}" > allowed_signers
694+
allowed_signers_file="${RUNNER_TEMP}/allowed_signers"
695+
printf '%s %s\n' "${{ github.actor }}@users.noreply.github.com" "${{ steps.ssh.outputs.public_key }}" > "${allowed_signers_file}"
645696
git config gpg.format ssh
646-
git config gpg.ssh.allowedSignersFile "$PWD/allowed_signers"
697+
git config gpg.ssh.allowedSignersFile "${allowed_signers_file}"
647698
git fetch origin "test/e2e-commit-push-ssh-${{ github.run_id }}"
648699
git verify-commit "origin/test/e2e-commit-push-ssh-${{ github.run_id }}"
649700

0 commit comments

Comments
 (0)