Skip to content

Commit d79b737

Browse files
committed
ci: sign RPM packages during release
1 parent 64ee3c3 commit d79b737

4 files changed

Lines changed: 23 additions & 9 deletions

File tree

.github/workflows/release.yaml

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,16 +15,27 @@ jobs:
1515
contents: write
1616

1717
steps:
18-
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
18+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
1919
with:
2020
fetch-depth: 0
2121
persist-credentials: false
2222

23+
- name: Write RPM signing key
24+
env:
25+
RPM_SIGNING_KEY: ${{ secrets.RPM_SIGNING_KEY }}
26+
run: |
27+
set -euo pipefail
28+
test -n "$RPM_SIGNING_KEY"
29+
umask 077
30+
printf '%s\n' "$RPM_SIGNING_KEY" > "$RUNNER_TEMP/rpm-signing-key.asc"
31+
2332
- name: Run GoReleaser
2433
uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
2534
with:
2635
distribution: goreleaser
27-
version: '~> v2'
36+
version: v2.16.0
2837
args: release --clean
2938
env:
3039
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
40+
GPG_KEY_PATH: ${{ runner.temp }}/rpm-signing-key.asc
41+
NFPM_PASSPHRASE: ${{ secrets.NFPM_PASSPHRASE }}

.goreleaser.yaml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -50,10 +50,11 @@ nfpms:
5050
package_name: sslcert-cli
5151
file_name_template: "{{ .ConventionalFileName }}"
5252
description: |-
53-
sslcert-cli is a fast updater for ipset IP sets
53+
sslcert-cli is a command-line tool for creating SSL certificate files.
5454
maintainer: Jun Futagawa <jfut@integ.jp>
5555
license: MIT
5656
vendor: sslcert-cli project
57+
homepage: https://github.com/jfut/sslcert-cli
5758
bindir: /usr/bin
5859
section: utils
5960
formats:
@@ -62,6 +63,9 @@ nfpms:
6263
- rpm
6364
- termux.deb
6465
- archlinux
66+
rpm:
67+
signature:
68+
key_file: '{{ with index .Env "GPG_KEY_PATH" }}{{ . }}{{ end }}'
6569
contents:
6670
- src: sslcert-cli
6771
dst: /usr/bin/sslcert-cli

README.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,8 @@ Server configuration examples:
9999

100100
## Release
101101

102+
GitHub Actions signs RPM artifacts with the GPG private key stored in `RPM_SIGNING_KEY`. If the key has a passphrase, store it in `NFPM_PASSPHRASE`.
103+
102104
1. Run `git tag -s vX.Y.Z -m vX.Y.Z`.
103105
2. Run `git push origin vX.Y.Z` and wait for the Release to be created.
104106
3. Edit the created Release.

sslcert-cli

Lines changed: 3 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,8 @@
11
#!/bin/bash
2+
# SPDX-License-Identifier: MIT
3+
# SPDX-FileCopyrightText: Copyright 2023-2026 Jun Futagawa (jfut)
24
#
3-
# Create SSL certificate files such as a private key, CSR, and CRT, and also support generating mTLS private CA and client certificates.
4-
#
5-
# Copyright (c) 2023-2026 Jun Futagawa (jfut)
6-
#
7-
# This software is released under the MIT License.
8-
# http://opensource.org/licenses/mit-license.php
5+
# sslcert-cli is a command-line tool for creating SSL certificate files.
96

107
set -euo pipefail
118

0 commit comments

Comments
 (0)