From 5c2cbfec773c4ef1706948bdc427f944b6911ee0 Mon Sep 17 00:00:00 2001
From: Gordon Leigh
Date: Fri, 4 Oct 2024 21:39:39 +0200
Subject: [PATCH] Build: set up CI commit signing
---
 .github/workflows/release.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a8a9a87..abeccd8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -43,12 +43,25 @@ jobs:
 - name: Configure Git
 shell: bash
 run: |
+ git config gpg.format ssh
+ git config user.signingkey "${SSH_SIGNING_KEY_PUB}"
+ git config commit.gpgsign true
 git config user.name "${{ github.actor }}"
 git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
 
+ - name: Add signing key
+ shell: bash
+ run: |
+ ssh-agent -a "${SSH_AUTH_SOCK}"
+ ssh-add - <<< "${SSH_SIGNING_KEY}"
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh-agent-sock
+ SSH_SIGNING_KEY: ${{ secrets.SSH_SIGNING_KEY }}
+
 - name: Release
 run: npm run release
 env:
+ SSH_AUTH_SOCK: /tmp/ssh-agent-sock
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 NPM_CONFIG_PROVENANCE: true
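Review bot: `SSH_SIGNING_KEY_PUB` is read in the Configure Git step, but that step gets no `env:` block in this hunk, so unless it is defined at job or workflow level (the job starts outside the hunk) `user.signingkey` is set to an empty string and signing in the Release step will presumably fail. Give the step its own mapping, e.g. `env:` with `SSH_SIGNING_KEY_PUB: ${{ vars.SSH_SIGNING_KEY_PUB }}` (placeholder for wherever the public key is stored). In Add signing key, the agent binds the fixed path `/tmp/ssh-agent-sock` and the key is loaded with no lifetime and never removed, so it stays usable by every process `npm run release` spawns and, on a self-hosted runner, can outlive the job or collide with a stale socket. Consider a socket under `${{ runner.temp }}`, a bounded lifetime via `ssh-add -t <seconds> -`, and a final `if: always()` step that runs `ssh-add -D`.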