Merge pull request #2033 from dmurphy18/fix_2032
Disabling signing of commits on release updates
Showing
2 changed files
with
135 additions
and
132 deletions.
|
@@ -74,44 +74,45 @@ jobs: | |
python3 -m pip install -r requirements/release.txt | ||
pre-commit install --install-hooks | ||
- name: Setup GnuPG | ||
run: | | ||
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
batch | ||
no-tty | ||
pinentry-mode loopback | ||
EOF | ||
- name: Get Secrets | ||
id: get-secrets | ||
env: | ||
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
run: | | ||
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text | jq .default_key -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
| gpg --import - | ||
sync | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
sync | ||
rm "$SECRETS_KEY_FILE" | ||
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
## - name: Setup GnuPG | ||
## run: | | ||
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
## GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
## cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
## batch | ||
## no-tty | ||
## pinentry-mode loopback | ||
## EOF | ||
|
||
## - name: Get Secrets | ||
## id: get-secrets | ||
## env: | ||
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
## run: | | ||
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text | jq .default_key -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
## | gpg --import - | ||
## sync | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
## sync | ||
## rm "$SECRETS_KEY_FILE" | ||
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
|
||
- name: Configure Git | ||
shell: bash | ||
run: | | ||
git config --global --add safe.directory "$(pwd)" | ||
git config --global user.name "Salt Project Packaging" | ||
git config --global user.email [email protected] | ||
git config --global user.signingkey 64CBBC8173D76B3F | ||
git config --global commit.gpgsign true | ||
git config --global commit.gpgsign false | ||
## git config --global user.signingkey 64CBBC8173D76B3F | ||
## git config --global commit.gpgsign true | ||
- name: Update Repository | ||
id: update-repo | ||
|
@@ -166,44 +167,45 @@ jobs: | |
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | ||
fetch-depth: 0 | ||
|
||
- name: Setup GnuPG | ||
run: | | ||
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
batch | ||
no-tty | ||
pinentry-mode loopback | ||
EOF | ||
- name: Get Secrets | ||
id: get-secrets | ||
env: | ||
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
run: | | ||
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text | jq .default_key -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
| gpg --import - | ||
sync | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
sync | ||
rm "$SECRETS_KEY_FILE" | ||
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
## - name: Setup GnuPG | ||
## run: | | ||
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
## GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
## cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
## batch | ||
## no-tty | ||
## pinentry-mode loopback | ||
## EOF | ||
|
||
## - name: Get Secrets | ||
## id: get-secrets | ||
## env: | ||
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
## run: | | ||
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text | jq .default_key -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
## | gpg --import - | ||
## sync | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
## sync | ||
## rm "$SECRETS_KEY_FILE" | ||
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
|
||
- name: Configure Git | ||
shell: bash | ||
run: | | ||
git config --global --add safe.directory "$(pwd)" | ||
git config --global user.name "Salt Project Packaging" | ||
git config --global user.email [email protected] | ||
git config --global user.signingkey 64CBBC8173D76B3F | ||
git config --global commit.gpgsign true | ||
git config --global commit.gpgsign false | ||
## git config --global user.signingkey 64CBBC8173D76B3F | ||
## git config --global commit.gpgsign true | ||
- name: Download Release Details | ||
uses: actions/download-artifact@v4 | ||
|
@@ -317,43 +319,43 @@ jobs: | |
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment) | ||
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV" | ||
- name: Setup GnuPG | ||
run: | | ||
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
batch | ||
no-tty | ||
pinentry-mode loopback | ||
EOF | ||
- name: Get Secrets | ||
id: get-secrets | ||
env: | ||
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
run: | | ||
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text | jq .default_key -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
| gpg --import - | ||
sync | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
sync | ||
rm "$SECRETS_KEY_FILE" | ||
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
- name: Install Requirements | ||
run: | | ||
python3 -m pip install -r requirements/release.txt | ||
- name: Upload Stable Release to S3 | ||
run: | | ||
tools release s3-publish --key-id 64CBBC8173D76B3F stable | ||
## - name: Setup GnuPG | ||
## run: | | ||
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
## GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
## cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
## batch | ||
## no-tty | ||
## pinentry-mode loopback | ||
## EOF | ||
|
||
## - name: Get Secrets | ||
## id: get-secrets | ||
## env: | ||
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
## run: | | ||
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text | jq .default_key -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
## | gpg --import - | ||
## sync | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
## sync | ||
## rm "$SECRETS_KEY_FILE" | ||
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
|
||
## - name: Install Requirements | ||
## run: | | ||
## python3 -m pip install -r requirements/release.txt | ||
|
||
## - name: Upload Stable Release to S3 | ||
## run: | | ||
## tools release s3-publish --key-id 64CBBC8173D76B3F stable | ||
|
||
update-develop-checksums: | ||
name: Update Release Checksums on Develop | ||
|
@@ -386,44 +388,45 @@ jobs: | |
repository: ${{ github.repository }} | ||
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }} | ||
|
||
- name: Setup GnuPG | ||
run: | | ||
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
batch | ||
no-tty | ||
pinentry-mode loopback | ||
EOF | ||
- name: Get Secrets | ||
id: get-secrets | ||
env: | ||
SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
run: | | ||
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text | jq .default_key -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
| gpg --import - | ||
sync | ||
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
--query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
sync | ||
rm "$SECRETS_KEY_FILE" | ||
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
## - name: Setup GnuPG | ||
## run: | | ||
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg | ||
## GNUPGHOME="$(mktemp -d -p /run/gpg)" | ||
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV" | ||
## cat <<EOF > "${GNUPGHOME}/gpg.conf" | ||
## batch | ||
## no-tty | ||
## pinentry-mode loopback | ||
## EOF | ||
|
||
## - name: Get Secrets | ||
## id: get-secrets | ||
## env: | ||
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }} | ||
## run: | | ||
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX) | ||
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE" | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text | jq .default_key -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | ||
## | gpg --import - | ||
## sync | ||
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ | ||
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | ||
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - | ||
## sync | ||
## rm "$SECRETS_KEY_FILE" | ||
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" | ||
|
||
- name: Configure Git | ||
shell: bash | ||
run: | | ||
git config --global --add safe.directory "$(pwd)" | ||
git config --global user.name "Salt Project Packaging" | ||
git config --global user.email [email protected] | ||
git config --global user.signingkey 64CBBC8173D76B3F | ||
git config --global commit.gpgsign true | ||
git config --global commit.gpgsign false | ||
## git config --global user.signingkey 64CBBC8173D76B3F | ||
## git config --global commit.gpgsign true | ||
- name: Update Latest Release on README | ||
run: | | ||
|
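Review bot: The third hunk (`@@ -317,43 +319,43 @@`) comments out `Install Requirements` and `Upload Stable Release to S3` together with the GnuPG steps, so the job no longer runs `tools release s3-publish --key-id 64CBBC8173D76B3F stable` at all, which goes beyond the commit title's "Disabling signing of commits". As far as that hunk shows, the next thing after the disabled steps is the `update-develop-checksums` job, so the stable artefacts would stop being published and signed, not just the git commits; the job's earlier steps are outside the hunk, so confirm this is intended. In the three `Configure Git` hunks the release commits pushed by the workflow (apparently via `SALT_BOOTSTRAP_RELEASE_KEY`) now carry no signature, so anything that verifies them, such as branch protection requiring signed commits or consumers checking the release commit, needs to be adjusted or the gap recorded. I would delete the disabled steps rather than keep them as `##` comments, and put one line such as `# Commit signing disabled, see issue <ISSUE-ID>; restore the GnuPG steps from git history when signing is re-enabled` above `git config --global commit.gpgsign false`.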