Update Signing Key #152
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Signing Key | |
| on: | |
| push: | |
| branches: | |
| - master | |
| paths: | |
| - '.github/workflows/keyupdate.yml' | |
| schedule: | |
| - cron: '15 1 * * 1' | |
| permissions: | |
| packages: write | |
| contents: write | |
| concurrency: | |
| group: "release" | |
| jobs: | |
| variables: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| enc-gpg: ${{ steps.config.outputs.enc-gpg }} | |
| pub-gpg: ${{ steps.config.outputs.pub-gpg }} | |
| email: ${{ steps.config.outputs.email }} | |
| repo-name: ${{ steps.config.outputs.repo-name }} | |
| packager: ${{ steps.config.outputs.packager }} | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| submodules: recursive | |
| ref: master | |
| - id: config | |
| uses: ./.github/actions/load-config | |
| - id: set-matrix | |
| run: | | |
| set_output () { | |
| if [[ -z "${ACT}" ]]; then | |
| echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}" | |
| else | |
| echo "set-output name=${1}::${2}" | |
| echo "::set-output name=${1}::${2}" | |
| fi | |
| } | |
| set_output matrix "`find . -iname 'PKGBUILD' -exec bash -c \"basename \\$(dirname \\"{}\\")\" \\; | jq -R -s -c 'split(\"\n\")[:-1]'`" | |
| updateExpiry: | |
| runs-on: ubuntu-latest | |
| needs: variables | |
| outputs: | |
| rebuild: ${{ steps.vars.outputs.run == 'gen' || steps.check.outputs.update == 'true' }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - id: vars | |
| run: | | |
| set_output () { | |
| if [[ -z "${ACT}" ]]; then | |
| echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}" | |
| else | |
| echo "set-output name=${1}::${2}" | |
| echo "::set-output name=${1}::${2}" | |
| fi | |
| } | |
| if [ -z "${{ secrets.ENCRYPTION_KEY }}" ]; then | |
| set_output run false | |
| else | |
| set_output run true | |
| fi | |
| - name: Import Keys | |
| if: ${{ steps.vars.outputs.run == 'true' }} | |
| run: | | |
| openssl aes-256-cbc -d -a -pbkdf2 -in ${{ needs.variables.outputs.enc-gpg }} -pass pass:${{ secrets.ENCRYPTION_KEY }} | gpg --import | |
| if [ -f "${{ needs.variables.outputs.pub-gpg }}" ]; then | |
| cat ${{ needs.variables.outputs.pub-gpg }} | gpg --import | |
| fi | |
| - id: check | |
| if: ${{ steps.vars.outputs.run == 'true' }} | |
| run: | | |
| set_output () { | |
| if [[ -z "${ACT}" ]]; then | |
| echo "${1}=${2}" | tee -a "${GITHUB_OUTPUT}" | |
| else | |
| echo "set-output name=${1}::${2}" | |
| echo "::set-output name=${1}::${2}" | |
| fi | |
| } | |
| set_output keyId "$(gpg --list-secret-keys --keyid-format=long ${{ needs.variables.outputs.email }} | grep 'sec' | awk 'match($0, /[0-9A-Z]{16}/) {print substr($0, RSTART, RLENGTH)}')" | |
| expiry=`gpg --list-secret-keys --keyid-format=long ${{ needs.variables.outputs.email }} | grep 'sec' | awk 'match ($6, /[0-9-]{10}/){print substr($6, RSTART, RLENGTH)}'` | |
| echo "Key Expires on ${expiry}" | |
| dtSec=$(date --date "$expiry" +'%s') # For "now", use $(date +'%s') | |
| taSec=$(date --date "30 days" +'%s') | |
| if [ $dtSec -lt $taSec ]; then | |
| set_output update true | |
| else | |
| set_output update false | |
| fi | |
| - name: Update Expiry | |
| if: ${{ steps.check.outputs.update == 'true' }} | |
| run: | | |
| gpg --batch --command-fd 0 --edit-key ${{ steps.check.outputs.keyId }} <<-END | |
| expire | |
| 3m | |
| save | |
| END | |
| - name: Export Keys | |
| if: ${{ steps.check.outputs.update == 'true' }} | |
| run: | | |
| rm ${{ needs.variables.outputs.enc-gpg }} ${{ needs.variables.outputs.pub-gpg }} | |
| gpg --armor --export-secret-key ${{ steps.check.outputs.keyId }} | openssl aes-256-cbc -a -salt -pbkdf2 -out ${{ needs.variables.outputs.enc-gpg }} -pass pass:${{ secrets.ENCRYPTION_KEY }} | |
| gpg --batch --output ${{ needs.variables.outputs.pub-gpg }} --armor --export ${{ steps.check.outputs.keyId }} | |
| - name: Push Changes | |
| if: ${{ steps.check.outputs.update == 'true' }} | |
| run: | | |
| git config --local user.email "github-actions[bot]@users.noreply.github.com" | |
| git config --local user.name "github-actions[bot]" | |
| git add ${{ needs.variables.outputs.enc-gpg }} ${{ needs.variables.outputs.pub-gpg }} | |
| git commit -m "Update GPG Key" | |
| git push -u origin master | |
| - name: Rebuild Repo | |
| if: ${{ steps.check.outputs.update == 'true' }} | |
| uses: dev-drprasad/delete-tag-and-release@v1.1 | |
| with: | |
| delete_release: true # default: false | |
| tag_name: repository | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| build-package: | |
| runs-on: ubuntu-latest | |
| if: ${{ needs.updateExpiry.outputs.rebuild == 'true' }} | |
| needs: | |
| - variables | |
| - updateExpiry | |
| strategy: | |
| matrix: | |
| package: ${{ fromJson(needs.variables.outputs.matrix) }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| submodules: recursive | |
| ref: master | |
| - name: Build ${{ matrix.package }} | |
| uses: ./.github/actions/archlinux | |
| env: | |
| PACKAGER: ${{ needs.variables.outputs.packager }} | |
| SECRET: ${{ secrets.ENCRYPTION_KEY }} | |
| GPGKEY: ${{ needs.variables.outputs.enc-gpg }} | |
| with: | |
| dir: ${{ matrix.package }} | |
| run: makepkg -sr --sign -C -c --noconfirm --noprogressbar | |
| - name: Upload new package ${{ matrix.package }} | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: repository | |
| file: ${{ matrix.package }}/*.pkg.* | |
| file_glob: true | |
| overwrite: false | |
| build-repo: | |
| runs-on: "ubuntu-latest" | |
| if: ${{ needs.updateExpiry.outputs.rebuild == 'true' }} | |
| needs: | |
| - variables | |
| - build-package | |
| - updateExpiry | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: master | |
| - name: Get current packages | |
| uses: robinraju/release-downloader@v1.12 | |
| with: | |
| latest: true | |
| fileName: '*.pkg.*' | |
| tarBall: false | |
| zipBall: false | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build Repo | |
| uses: ./.github/actions/archlinux | |
| env: | |
| PACKAGER: ${{ needs.variables.outputs.packager }} | |
| SECRET: ${{ secrets.ENCRYPTION_KEY }} | |
| GPGKEY: ${{ needs.variables.outputs.enc-gpg }} | |
| with: | |
| run: repo-add -s -q --nocolor -n -R ${{ needs.variables.outputs.repo-name }}.db.tar.gz *.pkg.tar.zst | |
| - name: Upload new repo | |
| uses: svenstaro/upload-release-action@v2 | |
| with: | |
| repo_token: ${{ secrets.GITHUB_TOKEN }} | |
| tag: repository | |
| file: ${{ needs.variables.outputs.repo-name }}.db* | |
| file_glob: true | |
| overwrite: true |