2222 secrets :
2323 MINISIGN_SECRET_KEY :
2424 required : true
25+ REGISTRY_GPG_PRIVATE_KEY :
26+ required : true
27+ REGISTRY_GPG_PASSPHRASE :
28+ required : true
29+ REGISTRY_GPG_KEY_ID :
30+ required : true
2531
2632env :
2733 CARGO_TERM_COLOR : always
@@ -188,6 +194,27 @@ jobs:
188194 mkdir -p docs/public/registry
189195 cp -R dist/registry/* docs/public/registry/
190196
197+ - name : Configure signed registry commits
198+ env :
199+ REGISTRY_GPG_PRIVATE_KEY : ${{ secrets.REGISTRY_GPG_PRIVATE_KEY }}
200+ REGISTRY_GPG_PASSPHRASE : ${{ secrets.REGISTRY_GPG_PASSPHRASE }}
201+ REGISTRY_GPG_KEY_ID : ${{ secrets.REGISTRY_GPG_KEY_ID }}
202+ run : |
203+ mkdir -p ~/.gnupg
204+ chmod 700 ~/.gnupg
205+ echo "${REGISTRY_GPG_PRIVATE_KEY}" | gpg --batch --import
206+ key_id="${REGISTRY_GPG_KEY_ID}"
207+ cat > /tmp/gpg-wrapper.sh <<'EOF'
208+ #!/usr/bin/env bash
209+ exec gpg --batch --yes --pinentry-mode loopback --passphrase "${REGISTRY_GPG_PASSPHRASE}" "$@"
210+ EOF
211+ chmod +x /tmp/gpg-wrapper.sh
212+ git config user.name "StreamKit Registry Bot"
213+ git config user.email "registry-bot@streamkit.dev"
214+ git config user.signingkey "${key_id}"
215+ git config commit.gpgsign true
216+ git config gpg.program /tmp/gpg-wrapper.sh
217+
191218 - name : Create pull request
192219 uses : peter-evans/create-pull-request@v6
193220 with :
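Review bot: The wrapper written at new lines 207–210 expands `${REGISTRY_GPG_PASSPHRASE}` only when git invokes it, but that variable is set solely in this step's `env:`; no `env:` is visible on the following "Create pull request" step (its body continues past the hunk), so the commit made there would likely reach gpg with an empty passphrase and fail to sign. If so, pass the secret to the committing step as well, with an `env:` entry `REGISTRY_GPG_PASSPHRASE: ${{ secrets.REGISTRY_GPG_PASSPHRASE }}`. Separately, `--passphrase "..."` places the secret on gpg's command line, where other processes on the runner can read it from the process list; `exec gpg --batch --yes --pinentry-mode loopback --passphrase-fd 3 "$@" 3<<<"${REGISTRY_GPG_PASSPHRASE}"` keeps it off argv. Writing the wrapper under `"${RUNNER_TEMP}"` instead of a fixed `/tmp` path, and deleting the imported key in an `if: always()` cleanup step, would matter if this job ever runs on a self-hosted or shared runner.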
@@ -63,6 +63,12 @@ and marketplace-only releases share the same reusable marketplace workflow
6363Ensure "Allow GitHub Actions to create and approve pull requests" is enabled
6464in repo settings so the registry PR can be opened automatically.
6565
66+ Registry PR commits are signed by the workflow. Add these secrets:
67+
68+ - ` REGISTRY_GPG_PRIVATE_KEY ` : ASCII-armored private key for the registry bot
69+ - ` REGISTRY_GPG_PASSPHRASE ` : passphrase for the private key
70+ - ` REGISTRY_GPG_KEY_ID ` : GPG key fingerprint for the registry bot
71+
6672### Verify outputs
6773
6874- GitHub Release includes ` *-bundle.tar.zst ` assets.