Merge pull request #445 from greenbone/y0urself/pontos-sign-20.08

[20.08] Add signing to workflow ...
greenbone · Aug 3, 2021 · 7693c5a · 7693c5a
2 parents d23743a + aa858ef
commit 7693c5a
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/.github/workflows/release-pontos-patch.yml b/.github/workflows/release-pontos-patch.yml
@@ -11,6 +11,9 @@ jobs:
       GITHUB_USER: ${{ secrets.GREENBONE_BOT }}
       GITHUB_MAIL: ${{ secrets.GREENBONE_BOT_MAIL }}
       GITHUB_TOKEN: ${{ secrets.GREENBONE_BOT_TOKEN }}
+      GPG_KEY: ${{ secrets.GPG_KEY }}
+      GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
     name: Release patch with pontos
     # If the label 'make patch release' is set. If PR is closed because of an merge
     if: contains( github.event.pull_request.labels.*.name, 'make patch release') && github.event.pull_request.merged == true
@@ -35,6 +38,23 @@ jobs:
       # we always should've checked out the correct branch'
       run: echo "Current Branch is $GITHUB_BASE_REF"
     - name: Prepare patch release with pontos
-      run: poetry run pontos-release prepare --patch
+      run: |
+        poetry run pontos-release prepare --patch
+        echo "VERSION=$(pontos-version show)" >> $GITHUB_ENV
     - name: Release with pontos
       run: poetry run pontos-release release
+    - name: Import key from secrets
+      run: |
+        echo -e "${{ env.GPG_KEY }}" >> tmp.file
+        gpg                                        \
+          --pinentry-mode loopback                 \
+          --passphrase ${{ env.GPG_PASSPHRASE }}   \
+          --import tmp.file
+        rm tmp.file
+    - name: Sign with pontos-release sign
+      run: |
+        echo "Signing assets for ${{env.VERSION}}"
+        poetry run pontos-release sign             \
+          --signing-key ${{ env.GPG_FINGERPRINT }} \
+          --passphrase ${{ env.GPG_PASSPHRASE }}   \
+          --release-version ${{ env.VERSION }}