Merge pull request #44 from remyroy/pgp-signature

Add PGP signatures and attestations to build process
eth-educators · May 7, 2024 · 2a22142 · 2a22142
2 parents 36a86b9 + a2e361a
commit 2a22142
Showing 1 changed file with 32 additions and 2 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,6 +4,10 @@ on: [workflow_dispatch]
 jobs:
   ci-build:
     runs-on: ${{ matrix.os }}
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -77,15 +81,29 @@ jobs:
         if: ${{ startsWith(matrix.os, 'macos-') }}
         run: |
           brew install coreutils
-      - name: Compress the file (Linux & macOS)
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        id: import-gpg-key
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
+          trust_level: 5
+      - name: List GPG keys
+        run: gpg -K
+      - name: Create archive, checksum and GPG signature (Linux & macOS)
         if: ${{ startsWith(matrix.os, 'ubuntu-') || startsWith(matrix.os, 'macos-') }}
+        env:
+          GPG_KEY_ID: ${{ steps.import-gpg-key.outputs.fingerprint }}
         run: |
           tar -zcvf ${BUILD_FILE_NAME}.tar.gz ./${BUILD_FILE_NAME}
           mkdir -p output/artifacts
           cp ${BUILD_FILE_NAME}.tar.gz output/artifacts
           sha256sum ${BUILD_FILE_NAME}.tar.gz | head -c 64 > output/artifacts/${BUILD_FILE_NAME}.sha256
-      - name: Compress the file (Windows)
+          gpg --default-key ${GPG_KEY_ID} --sign --armor --output output/artifacts/${BUILD_FILE_NAME}.tar.gz.asc --detach-sig ${BUILD_FILE_NAME}.tar.gz
+      - name: Create archive, checksum and GPG signature (Windows)
         if: ${{ startsWith(matrix.os, 'windows-') }}
+        env:
+          GPG_KEY_ID: ${{ steps.import-gpg-key.outputs.fingerprint }}
         run: |
           $env:ZIP_FILE_NAME = ($env:BUILD_FILE_NAME + ".zip")
           echo ("ZIP_FILE_NAME=" + $env:ZIP_FILE_NAME) | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
@@ -94,6 +112,18 @@ jobs:
           copy $env:ZIP_FILE_NAME output\artifacts
           $env:CHECKSUM_FILE_NAME_PATH = ("output\artifacts\" + $env:BUILD_FILE_NAME + ".sha256")
           certUtil -hashfile $env:ZIP_FILE_NAME SHA256 | findstr /i /v "SHA256" | findstr /i /v "CertUtil" > $env:CHECKSUM_FILE_NAME_PATH
+          $env:SIGNATURE_FILE_NAME_PATH = ("output\artifacts\" + $env:ZIP_FILE_NAME + ".asc")
+          gpg --default-key $env:GPG_KEY_ID --sign --armor --output $env:SIGNATURE_FILE_NAME_PATH --detach-sig $env:ZIP_FILE_NAME
+      - name: Generate artifacts attestation (Linux & macOS)
+        if: ${{ startsWith(matrix.os, 'ubuntu-') || startsWith(matrix.os, 'macos-') }}
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: output/artifacts/*
+      - name: Generate artifacts attestation (Windows)
+        if: ${{ startsWith(matrix.os, 'windows-') }}
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: output\artifacts\*
       - name: Archive production artifacts (Linux & macOS)
         if: ${{ startsWith(matrix.os, 'ubuntu-') || startsWith(matrix.os, 'macos-') }}
         uses: actions/upload-artifact@v4