From fd8142381e94f2c265d4c04e0cf967153a7a9af9 Mon Sep 17 00:00:00 2001
From: Rado <radoslav@dhis2.org>
Date: Fri, 6 Dec 2024 18:49:05 +0200
Subject: [PATCH] ci: sign commit when updating stable json file [skip ci]

Signed-off-by: Rado <radoslav@dhis2.org>
---
 jenkinsfiles/stable | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/jenkinsfiles/stable b/jenkinsfiles/stable
index 1c2ec4ea43a8..6aac1e3d8026 100644
--- a/jenkinsfiles/stable
+++ b/jenkinsfiles/stable
@@ -182,17 +182,29 @@ pipeline {
                             --json-file ./downloads/v1/versions/stable.json
                         """
 
-                        sh 'git config  user.email "$GITHUB_EMAIL"'
-                        sh 'git config  user.name "$GITHUB_USER"'
-
-                        releasesBranch = "add-release-${imageTag}"
-
-                        sh "git checkout -b $releasesBranch"
-                        sh 'git add ./downloads/v1/versions/stable.json'
-                        sh "git diff-index --quiet HEAD || git commit -m \"chore: add version $imageTag to stable.json\""
-                        sh "git push https://${GITHUB_TOKEN}@github.com/$DHIS2_RELEASES_REPO"
-
-                        sh "gh pr create --head $releasesBranch --fill-first --reviewer Philip-Larsen-Donnelly,dhis2/devops"
+                        withCredentials([
+                            file(credentialsId: 'github-private-signing-key', variable: 'SIGNING_PRIVATE_KEY_PATH'),
+                            file(credentialsId: 'github-public-signing-key', variable: 'SIGNING_PUBLIC_KEY_PATH')
+                        ]) {
+                            sh 'cp $SIGNING_PRIVATE_KEY_PATH ~/.ssh/signing_key'
+                            sh 'cp $SIGNING_PUBLIC_KEY_PATH ~/.ssh/signing_key.pub'
+                            sh 'chmod --changes 600 ~/.ssh/signing_key ~/.ssh/signing_key.pub'
+
+                            sh 'git config  user.email "$GITHUB_EMAIL"'
+                            sh 'git config  user.name "$GITHUB_USER"'
+                            sh 'git config user.signingkey ~/.ssh/signing_key.pub'
+                            sh 'git config commit.gpgSign true'
+                            sh 'git config gpg.format ssh'
+
+                            releasesBranch = "add-release-${imageTag}"
+
+                            sh "git checkout -b $releasesBranch"
+                            sh 'git add ./downloads/v1/versions/stable.json'
+                            sh "git diff-index --quiet HEAD || git commit -S -m \"chore: add version $imageTag to stable.json\""
+                            sh 'git push https://$GITHUB_TOKEN@github.com/$DHIS2_RELEASES_REPO'
+
+                            sh "gh pr create --head $releasesBranch --fill-first --reviewer Philip-Larsen-Donnelly,dhis2/devops"
+                        }
                     }
                 }
             }