
Commit 0b1b42b

committed
wip
1 parent c1cf3d3 commit 0b1b42b


1 file changed

+23
-5
lines changed

1 file changed

+23
-5
lines changed

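--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -7,6 +7,9 @@ on:
 # - 'release/2.*'
 - 'czoido/test-release' # remove after testing
 
+permissions:
+contents: read
+
 jobs:
 prepare:
 name: Prepare Build
@@ -20,6 +23,7 @@ jobs:
 
 - name: Extract version
 id: vars
+shell: bash
 run: |
 # Extract version from __init__.py
 VERSION=$(awk -F"'" '/__version__ =/ {print $2}' conan/__init__.py)
@@ -48,6 +52,7 @@ jobs:
 - name: Get Changelog
 env:
 GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+shell: bash
 run: |
 pip install PyGithub
 python3 release-tools/release/get_changelog.py ${{ steps.vars.outputs.conan_version }} --format=md > release-notes-${{ steps.vars.outputs.conan_version }}.md 2>&1 || true
@@ -132,6 +137,8 @@ jobs:
 needs: [prepare, package]
 runs-on: ubuntu-latest
 # if: startsWith(github.ref_name, 'release/2.') # uncomment later, now for testing
+permissions:
+contents: write
 steps:
 - name: Generate Write-Access App Token
 id: generate_token
@@ -154,27 +161,38 @@ jobs:
 name: release-notes
 
 - name: Setup GPG
+env:
+PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+shell: bash
 run: |
 echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
-echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --local-user "${{ secrets.GPG_KEY_ID }}" --armor --detach-sign -o /dev/null /dev/null
+printf '%s' "$PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --local-user "${{ secrets.GPG_KEY_ID }}" --armor --detach-sign -o /dev/null /dev/null
 
 - name: Generate and Sign Checksums
 id: checksum
+shell: bash
+env:
+PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 run: |
 CHECKSUM_FILE="${{ needs.prepare.outputs.conan_version }}-SHA-256.txt"
 cd dist
-# Use find to avoid issues with too many arguments for sha256sum
-find . -type f -name 'conan-*' -exec sha256sum {} + > $CHECKSUM_FILE
-echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign --local-user "${{ secrets.GPG_KEY_ID }}" $CHECKSUM_FILE
+find . -type f -name 'conan-*' -print0 | xargs -0 sha256sum > $CHECKSUM_FILE
+printf '%s' "$PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign --local-user "${{ secrets.GPG_KEY_ID }}" $CHECKSUM_FILE
 cd ..
 echo "checksum_file_name=$CHECKSUM_FILE" >> $GITHUB_OUTPUT
 
 - name: Verify Signed Checksums
+shell: bash
 run: |
-echo "Verifying GPG signature..."
 echo "${{ secrets.GPG_PUBLIC_KEY }}" | gpg --batch --import
 gpg --verify dist/${{ steps.checksum.outputs.checksum_file_name }}.asc dist/${{ steps.checksum.outputs.checksum_file_name }}
 
+- name: Cleanup GPG keys
+shell: bash
+run: |
+gpg --batch --yes --delete-secret-keys "${{ secrets.GPG_KEY_ID }}"
+gpg --batch --yes --delete-keys "${{ secrets.GPG_KEY_ID }}"
+
 - name: List downloaded files
 run: |
 ls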
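Review bot: In the Setup GPG step the private key is still expanded into the script text (`echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import`), although this commit moves the passphrase into `env:` in the same step. An expression inside `run:` is substituted before bash parses the script, so any quote, `$` or backtick in the value is interpreted by the shell; declaring `GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}` under `env:` and importing with `printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import` keeps the value out of the script. The same treatment would fit `GPG_KEY_ID` and `GPG_PUBLIC_KEY` in the signing, verify and cleanup steps. The new Cleanup GPG keys step has no `if: always()`, so it is skipped whenever an earlier step fails. If `GPG_KEY_ID` holds a key ID rather than a full fingerprint, `--delete-secret-keys` may also be refused in `--batch` mode, which is worth confirming.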
