From c73aa49b5967c6e2fc91ad9761b338c4b06870ce Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel
Date: Wed, 30 Mar 2022 17:46:31 +0200
Subject: [PATCH 1/4] always run the tarball signature step (for testing `${{ github.ref_name }}`)
---
 .github/workflows/build.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ba9c070ea..99472cc17 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,9 +44,8 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 - name: Sign source tarball with key 615D449FE6E6A235
- if: startsWith(github.ref, 'refs/tags/')
 run: |
- git archive --prefix="cryptomator-${{ github.ref }}/" -o "cryptomator-${{ github.ref }}.tar.gz" ${{ github.ref }}
+ git archive --prefix="cryptomator-${{ github.ref_name }}/" -o "cryptomator-${{ github.ref_name }}.tar.gz" ${{ github.ref }}
 echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
 echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a "cryptomator-${{ github.ref }}.tar.gz"
 env:
@@ -61,7 +60,7 @@ jobs:
 token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
 generate_release_notes: true
 files: |
- cryptomator-${{ github.ref }}.tar.gz.asc
+ cryptomator-*.tar.gz.asc
 body: |-
 :construction: Work in Progress
From d2374fb8cd8ad7c9b62b417cd799ac85c1c3addc Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel
Date: Wed, 30 Mar 2022 17:50:45 +0200
Subject: [PATCH 2/4] deleted yet another use of github.ref
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 99472cc17..8f2c74841 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
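Review bot: In the `git archive` line of the first hunk of PATCH 1/4, `${{ github.ref_name }}` and `${{ github.ref }}` are expanded into the script text before the shell runs, so a ref name containing shell metacharacters becomes part of the command, in a step that has `GPG_PRIVATE_KEY` and `GPG_PASSPHRASE` in its environment. With the `if: startsWith(github.ref, 'refs/tags/')` gate removed, the step is no longer limited to tag refs; which events trigger the workflow is not visible here, so how far that reaches is an assumption to confirm. Reading the values from the runner's environment avoids the expansion: `git archive --prefix="cryptomator-${GITHUB_REF_NAME}/" -o "cryptomator-${GITHUB_REF_NAME}.tar.gz" "${GITHUB_REF}"`. The step's `env:` block continues outside the hunk.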
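Review bot: The wildcard `cryptomator-*.tar.gz.asc` under `files:` (second hunk of PATCH 1/4) attaches every matching file in the workspace to the release rather than the one signature produced for this ref. The same applies to `cryptomator-*.tar.gz` handed to `gpg --detach-sign` in PATCH 2/4, where more than one match would change what gets signed. Since `files:` is an action input and not shell text, the exact name can be kept there with `cryptomator-${{ github.ref_name }}.tar.gz.asc`, and the signing command can name `"cryptomator-${GITHUB_REF_NAME}.tar.gz"`. The `with:` block starts and ends outside the hunk.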
@@ -47,7 +47,7 @@ jobs:
 run: |
 git archive --prefix="cryptomator-${{ github.ref_name }}/" -o "cryptomator-${{ github.ref_name }}.tar.gz" ${{ github.ref }}
 echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
- echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a "cryptomator-${{ github.ref }}.tar.gz"
+ echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.tar.gz
 env:
 GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
 GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
From ddb5da1d79f4ff31314d55d71c69cb10ec47f250 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel
Date: Wed, 30 Mar 2022 17:56:01 +0200
Subject: [PATCH 3/4] reintroduce condition for signing the tarball [ci skip]
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8f2c74841..c72ae1f5d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,6 +44,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 - name: Sign source tarball with key 615D449FE6E6A235
+ if: startsWith(github.ref, 'refs/tags/')
 run: |
 git archive --prefix="cryptomator-${{ github.ref_name }}/" -o "cryptomator-${{ github.ref_name }}.tar.gz" ${{ github.ref }}
 echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
From f8bcbda8d7a945cfb5320183b2b0c474e16524b5 Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel
Date: Wed, 30 Mar 2022 18:03:15 +0200
Subject: [PATCH 4/4] add safeguard to prevent release in case of missing signature
---
 .github/workflows/build.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c72ae1f5d..5270365b3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -62,6 +62,7 @@ jobs:
 generate_release_notes: true
 files: |
 cryptomator-*.tar.gz.asc
+ fail_on_unmatched_files: true
 body: |-
 :construction: Work in Progress
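Review bot: `fail_on_unmatched_files: true` only confirms that some file matching `cryptomator-*.tar.gz.asc` exists; it does not show that the file is a valid signature over the tarball built for this tag. Ending the signing step with `gpg --verify "cryptomator-${GITHUB_REF_NAME}.tar.gz.asc" "cryptomator-${GITHUB_REF_NAME}.tar.gz"` would make a wrong or empty signature fail the job before the release step runs. Only the `.asc` is listed under `files:`, so anyone checking the release presumably has to obtain a byte-identical tarball elsewhere; adding `cryptomator-*.tar.gz` to the list would publish the signed archive itself. The `with:` block starts and ends outside the hunk.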