Update workflow to sign our Debian packages

The `package-deb` artifact from our existing workflow contains not just the Debian package (the `.deb` file), but also all of the files needed to upload the package into a repository. But, the files aren't signed, and most repositories only want uploads that are signed by a trusted key. So, this new job does that! It takes the `package-deb` artifact, uses `debsign` to sign the appropriate files, and uploads everything to a new artifact, named `signed-deb`. This new artifact contains the `.deb` package files, so you should probably be using this artifact, when it is available. The workflow has a few requirements: * The variable `DEBSIGN_KEYID`, which contains the ID (short or long) of the PGP key used for signing. * The secret `KEY`, which is the armored PGP private key. * The environment `sign`, containing the secret and variable above. The job is set to run only on pushes to tags, and to the main branch.
stanford-rc · Apr 30, 2024 · d24c92e · d24c92e
1 parent fffb2e1
commit d24c92e
Showing 1 changed file with 54 additions and 0 deletions.
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -61,3 +61,57 @@ jobs:
           path: docker-image-cleanup*
           if-no-files-found: error
         continue-on-error: false
+
+  Sign-Debian:
+    name: Sign Debian packages
+    if: github.event_name == 'push' && ( contains(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main' )
+    needs:
+      - Package
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    environment: sign
+    steps:
+      - id: sysprep
+        name: Prep system for debsign work
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential devscripts gnupg
+        continue-on-error: false
+
+      - id: set-key
+        name: Install signing key
+        env:
+          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
+        run: |
+          gpg --import <<<"${PRIVATE_KEY}"
+          echo "Keys:"
+          gpg --list-secret-keys --keyid-format long
+        continue-on-error: false
+
+      - id: fetch
+        name: Fetch Debian artifact from this workflow
+        uses: actions/[email protected]
+        with:
+          name: package-deb
+          path: deb
+        continue-on-error: false
+
+      - id: sign
+        name: Run debsign
+        env:
+          DEBSIGN_KEYID: ${{ vars.KEY_ID }}
+        run: |
+          echo "Signing with key ${DEBSIGN_KEYID}"
+          debsign -k "${{ vars.KEY_ID }}" "$(find . -name *.changes)"
+        continue-on-error: false
+
+      - id: upload
+        name: Upload Signed Result as artifact
+        uses: actions/[email protected]
+        with:
+          name: signed-deb
+          path: docker-image-cleanup*
+          if-no-files-found: error
+        continue-on-error: false