@@ -519,10 +519,13 @@ jobs:
519519 id : gpg
520520 run : |
521521 set -euo pipefail
522+ gpg_batch_file="${RUNNER_TEMP}/gpg-batch"
523+ gpg_private_file="${RUNNER_TEMP}/gpg-private.asc"
524+ gpg_public_file="${RUNNER_TEMP}/gpg-public.asc"
522525 export GNUPGHOME
523526 GNUPGHOME="$(mktemp -d)"
524527 chmod 700 "${GNUPGHOME}"
525- cat > gpg-batch <<EOF
528+ cat > "${gpg_batch_file}" <<EOF
526529 Key-Type: RSA
527530 Key-Length: 2048
528531 Name-Real: Triglav E2E
@@ -531,32 +534,54 @@ jobs:
531534 Expire-Date: 0
532535 %commit
533536 EOF
534- gpg --batch --generate-key gpg-batch
535- gpg --batch --pinentry-mode loopback --passphrase triglav-passphrase --armor --export-secret-keys "${{ github.actor }}@users.noreply.github.com" > gpg-private.asc
536- gpg --armor --export "${{ github.actor }}@users.noreply.github.com" > gpg-public.asc
537+ gpg --batch --generate-key "${gpg_batch_file}"
538+ gpg --batch --pinentry-mode loopback --passphrase triglav-passphrase --armor --export-secret-keys "${{ github.actor }}@users.noreply.github.com" > "${gpg_private_file}"
539+ gpg --armor --export "${{ github.actor }}@users.noreply.github.com" > "${gpg_public_file}"
537540 {
538541 echo "secret_key<<EOF"
539- cat gpg-private.asc
542+ cat "${gpg_private_file}"
540543 echo "EOF"
541544 echo "public_key<<EOF"
542- cat gpg-public.asc
545+ cat "${gpg_public_file}"
543546 echo "EOF"
544547 } >> "${GITHUB_OUTPUT}"
545548
546549 - name : Create test file
547550 run : echo "E2E gpg signing test $(date -u)" > e2e-gpg-signing.md
548551
552+ - name : Build action image from source
553+ if : ${{ inputs.mode == 'ref' }}
554+ run : |
555+ set -euo pipefail
556+ action_src="${RUNNER_TEMP}/action-commit-push-src"
557+ rm -rf "${action_src}"
558+ git clone --depth 1 --branch master https://github.com/devops-infra/action-commit-push "${action_src}"
559+ docker build -t triglav-action-commit-push:test "${action_src}"
560+
549561 - name : Commit and push signed changes with GPG
550562 if : ${{ inputs.mode == 'ref' }}
551- id : gpg_commit
552- uses : devops-infra/action-commit-push@master
553- with :
554- github_token : ${{ secrets.GITHUB_TOKEN }}
555- commit_message : " test(commit-push): gpg signed commit"
556- target_branch : test/e2e-commit-push-gpg-${{ github.run_id }}
557- signing_mode : gpg
558- signing_key : ${{ steps.gpg.outputs.secret_key }}
559- signing_passphrase : triglav-passphrase
563+ env :
564+ INPUT_SIGNING_KEY : ${{ steps.gpg.outputs.secret_key }}
565+ INPUT_SIGNING_PASSPHRASE : triglav-passphrase
566+ run : |
567+ set -euo pipefail
568+ rm -f "${RUNNER_TEMP}/gpg-action-output.txt"
569+ docker run --rm \
570+ -v "$PWD:/github/workspace" \
571+ -v "${RUNNER_TEMP}:/github/runner_temp" \
572+ -w /github/workspace \
573+ -e GITHUB_WORKSPACE=/github/workspace \
574+ -e GITHUB_ACTOR="${{ github.actor }}" \
575+ -e GITHUB_REPOSITORY="${{ github.repository }}" \
576+ -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
577+ -e GITHUB_OUTPUT=/github/runner_temp/gpg-action-output.txt \
578+ -e INPUT_ORGANIZATION_DOMAIN=github.com \
579+ -e INPUT_COMMIT_MESSAGE="test(commit-push): gpg signed commit" \
580+ -e INPUT_TARGET_BRANCH="test/e2e-commit-push-gpg-${{ github.run_id }}" \
581+ -e INPUT_SIGNING_MODE=gpg \
582+ -e INPUT_SIGNING_KEY \
583+ -e INPUT_SIGNING_PASSPHRASE \
584+ triglav-action-commit-push:test
560585
561586 - name : GPG signing via docker image (preview)
562587 if : ${{ inputs.mode == 'image' }}
@@ -572,11 +597,12 @@ jobs:
572597 if : ${{ inputs.mode == 'ref' }}
573598 run : |
574599 set -euo pipefail
600+ gpg_public_file="${RUNNER_TEMP}/gpg-public-verify.asc"
575601 export GNUPGHOME
576602 GNUPGHOME="$(mktemp -d)"
577603 chmod 700 "${GNUPGHOME}"
578- printf '%s\n' "${{ steps.gpg.outputs.public_key }}" > gpg-public.asc
579- gpg --import gpg-public.asc >/dev/null 2>&1
604+ printf '%s\n' "${{ steps.gpg.outputs.public_key }}" > "${gpg_public_file}"
605+ gpg --import "${gpg_public_file}" >/dev/null 2>&1
580606 git fetch origin "test/e2e-commit-push-gpg-${{ github.run_id }}"
581607 git verify-commit "origin/test/e2e-commit-push-gpg-${{ github.run_id }}"
582608
@@ -603,29 +629,53 @@ jobs:
603629 id : ssh
604630 run : |
605631 set -euo pipefail
606- ssh-keygen -q -t ed25519 -N '' -C "${{ github.actor }}@users.noreply.github.com" -f ssh-signing-key
632+ ssh_private_key="${RUNNER_TEMP}/ssh-signing-key"
633+ ssh_public_key="${RUNNER_TEMP}/ssh-signing-key.pub"
634+ rm -f "${ssh_private_key}" "${ssh_public_key}"
635+ ssh-keygen -q -t ed25519 -N '' -C "${{ github.actor }}@users.noreply.github.com" -f "${ssh_private_key}"
607636 {
608637 echo "private_key<<EOF"
609- cat ssh-signing-key
638+ cat "${ssh_private_key}"
610639 echo "EOF"
611640 echo "public_key<<EOF"
612- cat ssh-signing-key.pub
641+ cat "${ssh_public_key}"
613642 echo "EOF"
614643 } >> "${GITHUB_OUTPUT}"
615644
616645 - name : Create test file
617646 run : echo "E2E ssh signing test $(date -u)" > e2e-ssh-signing.md
618647
648+ - name : Build action image from source
649+ if : ${{ inputs.mode == 'ref' }}
650+ run : |
651+ set -euo pipefail
652+ action_src="${RUNNER_TEMP}/action-commit-push-src"
653+ rm -rf "${action_src}"
654+ git clone --depth 1 --branch master https://github.com/devops-infra/action-commit-push "${action_src}"
655+ docker build -t triglav-action-commit-push:test "${action_src}"
656+
619657 - name : Commit and push signed changes with SSH
620658 if : ${{ inputs.mode == 'ref' }}
621- id : ssh_commit
622- uses : devops-infra/action-commit-push@master
623- with :
624- github_token : ${{ secrets.GITHUB_TOKEN }}
625- commit_message : " test(commit-push): ssh signed commit"
626- target_branch : test/e2e-commit-push-ssh-${{ github.run_id }}
627- signing_mode : ssh
628- signing_key : ${{ steps.ssh.outputs.private_key }}
659+ env :
660+ INPUT_SIGNING_KEY : ${{ steps.ssh.outputs.private_key }}
661+ run : |
662+ set -euo pipefail
663+ rm -f "${RUNNER_TEMP}/ssh-action-output.txt"
664+ docker run --rm \
665+ -v "$PWD:/github/workspace" \
666+ -v "${RUNNER_TEMP}:/github/runner_temp" \
667+ -w /github/workspace \
668+ -e GITHUB_WORKSPACE=/github/workspace \
669+ -e GITHUB_ACTOR="${{ github.actor }}" \
670+ -e GITHUB_REPOSITORY="${{ github.repository }}" \
671+ -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" \
672+ -e GITHUB_OUTPUT=/github/runner_temp/ssh-action-output.txt \
673+ -e INPUT_ORGANIZATION_DOMAIN=github.com \
674+ -e INPUT_COMMIT_MESSAGE="test(commit-push): ssh signed commit" \
675+ -e INPUT_TARGET_BRANCH="test/e2e-commit-push-ssh-${{ github.run_id }}" \
676+ -e INPUT_SIGNING_MODE=ssh \
677+ -e INPUT_SIGNING_KEY \
678+ triglav-action-commit-push:test
629679
630680 - name : SSH signing via docker image (preview)
631681 if : ${{ inputs.mode == 'image' }}
@@ -641,9 +691,10 @@ jobs:
641691 if : ${{ inputs.mode == 'ref' }}
642692 run : |
643693 set -euo pipefail
644- printf '%s %s\n' "${{ github.actor }}@users.noreply.github.com" "${{ steps.ssh.outputs.public_key }}" > allowed_signers
694+ allowed_signers_file="${RUNNER_TEMP}/allowed_signers"
695+ printf '%s %s\n' "${{ github.actor }}@users.noreply.github.com" "${{ steps.ssh.outputs.public_key }}" > "${allowed_signers_file}"
645696 git config gpg.format ssh
646- git config gpg.ssh.allowedSignersFile "$PWD/allowed_signers "
697+ git config gpg.ssh.allowedSignersFile "${allowed_signers_file} "
647698 git fetch origin "test/e2e-commit-push-ssh-${{ github.run_id }}"
648699 git verify-commit "origin/test/e2e-commit-push-ssh-${{ github.run_id }}"
649700
0 commit comments