ci: sign commit when updating stable json file [skip ci]

Signed-off-by: Rado <[email protected]>
dhis2 · Dec 12, 2024 · fd81423 · fd81423
1 parent 8a2eabe
commit fd81423
Showing 1 changed file with 23 additions and 11 deletions.
diff --git a/jenkinsfiles/stable b/jenkinsfiles/stable
@@ -182,17 +182,29 @@ pipeline {
                             --json-file ./downloads/v1/versions/stable.json
                         """
 
-                        sh 'git config  user.email "$GITHUB_EMAIL"'
-                        sh 'git config  user.name "$GITHUB_USER"'
-
-                        releasesBranch = "add-release-${imageTag}"
-
-                        sh "git checkout -b $releasesBranch"
-                        sh 'git add ./downloads/v1/versions/stable.json'
-                        sh "git diff-index --quiet HEAD || git commit -m \"chore: add version $imageTag to stable.json\""
-                        sh "git push https://${GITHUB_TOKEN}@github.com/$DHIS2_RELEASES_REPO"
-
-                        sh "gh pr create --head $releasesBranch --fill-first --reviewer Philip-Larsen-Donnelly,dhis2/devops"
+                        withCredentials([
+                            file(credentialsId: 'github-private-signing-key', variable: 'SIGNING_PRIVATE_KEY_PATH'),
+                            file(credentialsId: 'github-public-signing-key', variable: 'SIGNING_PUBLIC_KEY_PATH')
+                        ]) {
+                            sh 'cp $SIGNING_PRIVATE_KEY_PATH ~/.ssh/signing_key'
+                            sh 'cp $SIGNING_PUBLIC_KEY_PATH ~/.ssh/signing_key.pub'
+                            sh 'chmod --changes 600 ~/.ssh/signing_key ~/.ssh/signing_key.pub'
+
+                            sh 'git config  user.email "$GITHUB_EMAIL"'
+                            sh 'git config  user.name "$GITHUB_USER"'
+                            sh 'git config user.signingkey ~/.ssh/signing_key.pub'
+                            sh 'git config commit.gpgSign true'
+                            sh 'git config gpg.format ssh'
+
+                            releasesBranch = "add-release-${imageTag}"
+
+                            sh "git checkout -b $releasesBranch"
+                            sh 'git add ./downloads/v1/versions/stable.json'
+                            sh "git diff-index --quiet HEAD || git commit -S -m \"chore: add version $imageTag to stable.json\""
+                            sh 'git push https://[email protected]/$DHIS2_RELEASES_REPO'
+
+                            sh "gh pr create --head $releasesBranch --fill-first --reviewer Philip-Larsen-Donnelly,dhis2/devops"
+                        }
                     }
                 }
             }