ci: sign RPM packages during release

jfut · jfut · commit d79b73788def · 2026-06-23T21:44:49.000+09:00
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,16 +15,27 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: Write RPM signing key
+        env:
+          RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
+        run: |
+          set -euo pipefail
+          test -n "$RPM_SIGNING_KEY"
+          umask 077
+          printf '%s\n' "$RPM_SIGNING_KEY" > "$RUNNER_TEMP/rpm-signing-key.asc"
+
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
         with:
           distribution: goreleaser
-          version: '~> v2'
+          version: v2.16.0
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_KEY_PATH: ${{ runner.temp }}/rpm-signing-key.asc
+          NFPM_PASSPHRASE: ${{ secrets.NFPM_PASSPHRASE }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -50,10 +50,11 @@ nfpms:
     package_name: sslcert-cli
     file_name_template: "{{ .ConventionalFileName }}"
     description: |-
-      sslcert-cli is a fast updater for ipset IP sets
+      sslcert-cli is a command-line tool for creating SSL certificate files.
     maintainer: Jun Futagawa <jfut@integ.jp>
     license: MIT
     vendor: sslcert-cli project
+    homepage: https://github.com/jfut/sslcert-cli
     bindir: /usr/bin
     section: utils
     formats:
@@ -62,6 +63,9 @@ nfpms:
       - rpm
       - termux.deb
       - archlinux
+    rpm:
+      signature:
+        key_file: '{{ with index .Env "GPG_KEY_PATH" }}{{ . }}{{ end }}'
     contents:
       - src: sslcert-cli
         dst: /usr/bin/sslcert-cli
diff --git a/README.md b/README.md
@@ -99,6 +99,8 @@ Server configuration examples:
 
 ## Release
 
+GitHub Actions signs RPM artifacts with the GPG private key stored in `RPM_SIGNING_KEY`. If the key has a passphrase, store it in `NFPM_PASSPHRASE`.
+
 1. Run `git tag -s vX.Y.Z -m vX.Y.Z`.
 2. Run `git push origin vX.Y.Z` and wait for the Release to be created.
 3. Edit the created Release.
diff --git a/sslcert-cli b/sslcert-cli
@@ -1,11 +1,8 @@
 #!/bin/bash
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: Copyright 2023-2026 Jun Futagawa (jfut)
 #
-# Create SSL certificate files such as a private key, CSR, and CRT, and also support generating mTLS private CA and client certificates.
-#
-# Copyright (c) 2023-2026 Jun Futagawa (jfut)
-#
-# This software is released under the MIT License.
-# http://opensource.org/licenses/mit-license.php
+# sslcert-cli is a command-line tool for creating SSL certificate files.
 
 set -euo pipefail
 
