From d01fad2d9656f48a4f1a16810359bb538a5163ec Mon Sep 17 00:00:00 2001
From: strombetta <12155693+strombetta@users.noreply.github.com>
Date: Mon, 2 Feb 2026 20:15:14 +0100
Subject: [PATCH] Change secrets

---
 .github/workflows/release.yml | 73 +++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1370033..50f67f5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -113,6 +113,71 @@ jobs: echo "PRERELEASE=false" >> "$GITHUB_ENV" fi + - name: Install signing tools + run: | + sudo apt-get update + sudo apt-get install -y minisign gnupg + + - name: Generate SHA256SUMS and signatures + env: + MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }} + MINISIGN_PUB: ${{ secrets.MINISIGN_PUB }} + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + run: | + set -euo pipefail + + if [ -z "${MINISIGN_KEY:-}" ] || [ -z "${MINISIGN_PUB:-}" ]; then + echo "Missing minisign secrets (MINISIGN_KEY / MINISIGN_PUB)." >&2 + exit 1 + fi + if [ -z "${GPG_PRIVATE_KEY:-}" ]; then + echo "Missing GPG_PRIVATE_KEY secret." >&2 + exit 1 + fi + + mkdir -p out dist + printf '%s' "$MINISIGN_KEY" | base64 -d > out/minisign.key + printf '%s' "$MINISIGN_PUB" | base64 -d > out/minisign.pub + chmod 600 out/minisign.key + cp out/minisign.pub dist/minisign.pub + + export GNUPGHOME + GNUPGHOME="$(mktemp -d)" + trap 'rm -rf "$GNUPGHOME"' EXIT + printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import + key_id="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec" {print $5; exit}')" + if [ -z "$key_id" ]; then + echo "No GPG secret key imported." >&2 + exit 1 + fi + + mapfile -d '' files < <(find dist -name 'bugleos-toolchain-*.tar.gz' -print0 | sort -z) + if [ "${#files[@]}" -eq 0 ]; then + echo "No toolchain tarballs found under dist/." 
>&2 + exit 1 + fi + + sha256sum "${files[@]}" > dist/SHA256SUMS + + minisign -S -s out/minisign.key -p out/minisign.pub -m dist/SHA256SUMS + if [ -n "${GPG_PASSPHRASE:-}" ]; then + gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \ + --local-user "$key_id" --armor --detach-sign -o dist/SHA256SUMS.asc dist/SHA256SUMS + else + gpg --batch --yes --local-user "$key_id" --armor --detach-sign -o dist/SHA256SUMS.asc dist/SHA256SUMS + fi + + for f in "${files[@]}"; do + minisign -S -s out/minisign.key -p out/minisign.pub -m "$f" + if [ -n "${GPG_PASSPHRASE:-}" ]; then + gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \ + --local-user "$key_id" --armor --detach-sign -o "$f.asc" "$f" + else + gpg --batch --yes --local-user "$key_id" --armor --detach-sign -o "$f.asc" "$f" + fi + done + - name: Publish GitHub Release uses: softprops/action-gh-release@v2 with: @@ -129,3 +194,11 @@ jobs: files: | dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz + dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.minisig + dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.minisig + dist/**/bugleos-toolchain-${{ env.VERSION }}-x86_64.tar.gz.asc + dist/**/bugleos-toolchain-${{ env.VERSION }}-aarch64.tar.gz.asc + dist/SHA256SUMS + dist/SHA256SUMS.minisig + dist/SHA256SUMS.asc + dist/minisign.pub
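Review bot: The `sha256sum "${files[@]}" > dist/SHA256SUMS` line records every entry with its `dist/` prefix (plus any subdirectory, given the `dist/**/` patterns the release step uses), so a user who downloads SHA256SUMS next to a tarball and runs `sha256sum -c SHA256SUMS` gets a "No such file" failure for each line; the checksum file should list basenames. The four gpg invocations also place the passphrase on argv via `--passphrase "$GPG_PASSPHRASE"`, where it is readable from the process table for the duration of each call — feeding it on stdin with `--pinentry-mode loopback --passphrase-fd 0` avoids that and lets the duplicated if/else collapse into one helper. `out/minisign.key` is left on disk after the step because the EXIT trap only removes `$GNUPGHOME`; `trap 'rm -rf "$GNUPGHOME" out/minisign.key' EXIT` covers both. If the minisign secret key is password-protected (the default unless it was generated with `-W`), `minisign -S` will prompt for it and there is no tty on the runner, so confirm the key held in MINISIGN_KEY is unencrypted. The rewritten checksum and signing section follows; the step's secret checks, key setup and GPG import are unchanged.
```bash
# … unchanged: secret presence checks, minisign key setup, GNUPGHOME creation …
trap 'rm -rf "$GNUPGHOME" out/minisign.key' EXIT
# … unchanged: GPG import, key_id lookup, mapfile/find of tarballs and the empty check …

# List basenames so `sha256sum -c SHA256SUMS` works in the download directory.
for f in "${files[@]}"; do
  (cd "$(dirname "$f")" && sha256sum -- "$(basename "$f")")
done > dist/SHA256SUMS

# Detached armored signature; the passphrase is fed on stdin, never on argv.
gpg_sign() {
  local target=$1
  local -a args=(--batch --yes --local-user "$key_id" --armor --detach-sign -o "$target.asc")
  if [ -n "${GPG_PASSPHRASE:-}" ]; then
    printf '%s' "$GPG_PASSPHRASE" |
      gpg "${args[@]}" --pinentry-mode loopback --passphrase-fd 0 "$target"
  else
    gpg "${args[@]}" "$target"
  fi
}

minisign -S -s out/minisign.key -p out/minisign.pub -m dist/SHA256SUMS
gpg_sign dist/SHA256SUMS
for f in "${files[@]}"; do
  minisign -S -s out/minisign.key -p out/minisign.pub -m "$f"
  gpg_sign "$f"
done
```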