@@ -24,28 +24,44 @@ jobs:
2424 cache : maven
2525
2626 - name : Setup GPG
27+ env :
28+ GPG_PRIVATE_KEY : ${{ secrets.GPG_PRIVATE_KEY }}
29+ GPG_KEYNAME : ${{ secrets.GPG_KEYNAME }}
2730 run : |
31+ set -euo pipefail
2832 echo "Setting up GPG..."
2933 mkdir -p ~/.gnupg
3034 chmod 700 ~/.gnupg
31-
32- # Import private key
33- echo "${{ secrets.GPG_PRIVATE_KEY }}" > private.key
35+
36+ if [ -z "${GPG_KEYNAME:-}" ]; then
37+ echo "::error::GPG_KEYNAME is empty — set it to the long key ID or fingerprint (no spaces) from gpg --list-secret-keys --keyid-format LONG"
38+ exit 1
39+ fi
40+ if [ -z "${GPG_PRIVATE_KEY:-}" ]; then
41+ echo "::error::GPG_PRIVATE_KEY is empty — paste the full armored block (BEGIN/END PGP PRIVATE KEY BLOCK)"
42+ exit 1
43+ fi
44+
45+ # Strip CR (Windows line endings break gpg --import)
46+ printf '%s\n' "$GPG_PRIVATE_KEY" | tr -d '\r' > private.key
3447 echo "Importing GPG key..."
3548 gpg --batch --import private.key
36- rm private.key
37-
38- # Configure GPG
49+ rm -f private.key
50+
3951 echo "Configuring GPG..."
4052 cat > ~/.gnupg/gpg.conf << EOF
41- default-key ${{ secrets. GPG_KEYNAME }}
53+ default-key $GPG_KEYNAME
4254 use-agent
4355 pinentry-mode loopback
4456 EOF
45-
46- # Debug information
47- echo "=== GPG Keys ==="
57+
58+ echo "=== GPG secret keys ==="
4859 gpg --list-secret-keys --keyid-format LONG
60+ if ! gpg --list-secret-keys --keyid-format LONG 2>/dev/null | grep -q '^sec'; then
61+ echo "::error::No secret key after import. Use gpg --export-secret-keys (not --export), full private armored block, and matching GPG_KEYNAME."
62+ exit 1
63+ fi
64+ echo "=== GPG public keys ==="
4965 gpg --list-keys --keyid-format LONG
5066
5167 - name : Configure Maven
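Review bot: With `set -euo pipefail` now at the top of the `Setup GPG` script, a failing `gpg --batch --import private.key` ends the step before `rm -f private.key` runs. The armored private key then stays in the working directory, written with the default umask, where a later step, an artifact upload, or the next job on a reused (self-hosted) runner could read it. The temporary file is not needed: `printf '%s\n' "$GPG_PRIVATE_KEY" | tr -d '\r' | gpg --batch --import` keeps the CR stripping and never puts the key on disk. Separately, the post-import check accepts any `^sec` line, so a `GPG_KEYNAME` that does not match the imported key still passes; `gpg --batch --list-secret-keys "$GPG_KEYNAME" >/dev/null` would fail the step in that case.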