feat: sign pre-built binary with GPG key #1935
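name: ci-release
# Run this workflow on push events (i.e. PR merge) to main or release branches,
# push events for new semantic version tags, all PRs, and manual triggers.
on:
  push:
    branches:
      - main
      - "v[0-9]+.x"
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-alpha.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
  pull_request:
  workflow_dispatch:
    # Inputs the workflow accepts.
    inputs:
      version:
        # Friendly description to be shown in the UI instead of 'name'
        description: "Semver type of new version (major / minor / patch)"
        # Input has to be provided for the workflow to run
        required: true
        type: choice
        options:
          - patch
          - minor
          - major

jobs:
  lint:
    uses: ./.github/workflows/lint.yml
  markdown-linter:
    uses: ./.github/workflows/markdown-linter.yml
  test:
    uses: ./.github/workflows/test.yml

  # If this was a workflow dispatch event, we need to generate and push a tag
  # for goreleaser to grab
  version_bump:
    needs: [lint, markdown-linter, test]
    runs-on: ubuntu-latest
    # Least privilege: pushing the new tag only needs write access to repository
    # contents, so the blanket "write-all" grant is replaced with that one scope.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Bump version and push tag
        # Placing the if condition here is a workaround for needing to block
        # on this step during workflow dispatch events but the step not
        # needing to run on tags. If we had the if condition on the full
        # version_bump section, it would skip and not run, which would result
        # in goreleaser not running either.
        if: ${{ github.event_name == 'workflow_dispatch' }}
        # NOTE(review): this action ref appears mangled in the rendered page;
        # confirm the real tag in the repository. Third-party actions are
        # referenced by tag here; pinning to a full commit SHA makes the
        # supply chain reproducible and tamper-evident.
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          default_bump: ${{ inputs.version }}

  # Generate the release with goreleaser to include pre-built binaries
  goreleaser:
    needs: version_bump
    runs-on: ubuntu-latest
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'push' && contains(github.ref, 'refs/tags/'))
    # Least privilege: creating the GitHub release and uploading its assets
    # needs `contents: write`. If the goreleaser config (not shown here) also
    # publishes packages or images, add that scope explicitly rather than
    # returning to "write-all".
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: git fetch --force --tags
      - uses: actions/setup-go@v4
        with:
          # Quoted so the version is never re-typed by a YAML parser.
          go-version: "1.21.1"
      # Import the GPG key from Github secrets to sign the binaries.
      # The private key and passphrase are consumed from secrets only; the
      # step exposes just the key fingerprint as an output for goreleaser.
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v4
        with:
          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      # Generate the binaries, release, and sign the checksum
      - uses: goreleaser/goreleaser-action@v4
        with:
          distribution: goreleaser
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Fingerprint of the key imported above, selected for signing.
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}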