chore(ci): registry bot signing

streamer45 · streamer45 · commit 74b15fa10605 · 2026-01-27T09:19:12.000+01:00
diff --git a/.github/workflows/marketplace-build.yml b/.github/workflows/marketplace-build.yml
@@ -22,6 +22,12 @@ on:
     secrets:
       MINISIGN_SECRET_KEY:
         required: true
+      REGISTRY_GPG_PRIVATE_KEY:
+        required: true
+      REGISTRY_GPG_PASSPHRASE:
+        required: true
+      REGISTRY_GPG_KEY_ID:
+        required: true
 
 env:
   CARGO_TERM_COLOR: always
@@ -188,6 +194,27 @@ jobs:
           mkdir -p docs/public/registry
           cp -R dist/registry/* docs/public/registry/
 
+      - name: Configure signed registry commits
+        env:
+          REGISTRY_GPG_PRIVATE_KEY: ${{ secrets.REGISTRY_GPG_PRIVATE_KEY }}
+          REGISTRY_GPG_PASSPHRASE: ${{ secrets.REGISTRY_GPG_PASSPHRASE }}
+          REGISTRY_GPG_KEY_ID: ${{ secrets.REGISTRY_GPG_KEY_ID }}
+        run: |
+          mkdir -p ~/.gnupg
+          chmod 700 ~/.gnupg
+          echo "${REGISTRY_GPG_PRIVATE_KEY}" | gpg --batch --import
+          key_id="${REGISTRY_GPG_KEY_ID}"
+          cat > /tmp/gpg-wrapper.sh <<'EOF'
+          #!/usr/bin/env bash
+          exec gpg --batch --yes --pinentry-mode loopback --passphrase "${REGISTRY_GPG_PASSPHRASE}" "$@"
+          EOF
+          chmod +x /tmp/gpg-wrapper.sh
+          git config user.name "StreamKit Registry Bot"
+          git config user.email "registry-bot@streamkit.dev"
+          git config user.signingkey "${key_id}"
+          git config commit.gpgsign true
+          git config gpg.program /tmp/gpg-wrapper.sh
+
       - name: Create pull request
         uses: peter-evans/create-pull-request@v6
         with:
diff --git a/RELEASING.md b/RELEASING.md
@@ -63,6 +63,12 @@ and marketplace-only releases share the same reusable marketplace workflow
 Ensure "Allow GitHub Actions to create and approve pull requests" is enabled
 in repo settings so the registry PR can be opened automatically.
 
+Registry PR commits are signed by the workflow. Add these secrets:
+
+- `REGISTRY_GPG_PRIVATE_KEY`: ASCII-armored private key for the registry bot
+- `REGISTRY_GPG_PASSPHRASE`: passphrase for the private key
+- `REGISTRY_GPG_KEY_ID`: GPG key fingerprint for the registry bot
+
 ### Verify outputs
 
 - GitHub Release includes `*-bundle.tar.zst` assets.
