diff --git a/.github/workflows/OSBotify-private-key.asc.gpg b/.github/workflows/OSBotify-private-key.asc.gpg new file mode 100644 index 000000000000..165debeece1c Binary files /dev/null and b/.github/workflows/OSBotify-private-key.asc.gpg differ diff --git a/.github/workflows/cherryPick.yml b/.github/workflows/cherryPick.yml index 712d3304eb5a..8b9f604fca33 100644 --- a/.github/workflows/cherryPick.yml +++ b/.github/workflows/cherryPick.yml @@ -35,7 +35,7 @@ jobs: uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: ref: main - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.OS_BOTIFY_TOKEN }} - uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65 with: @@ -67,7 +67,25 @@ jobs: uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: ref: staging - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ secrets.OS_BOTIFY_TOKEN }} + + - name: Decrypt Botify GPG key + if: github.actor == 'OSBotify' + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + if: github.actor == 'OSBotify' + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + if: github.actor == 'OSBotify' + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com - name: Create branch for new pull request run: | diff --git a/.github/workflows/createNewVersion.yml b/.github/workflows/createNewVersion.yml index eaaafc56998c..1a5c979e990e 100644 --- a/.github/workflows/createNewVersion.yml +++ b/.github/workflows/createNewVersion.yml 
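Review bot: The "Decrypt Botify GPG key" step writes the plaintext private key to `.github/workflows/OSBotify-private-key.asc` inside the checkout and nothing in the hunk removes it after "Import Botify GPG Key", so it stays on disk for the rest of the job and would be picked up by any later step that stages the whole tree; it also hands the passphrase to gpg on the command line via `--passphrase=`, where it is visible to other processes on the runner. Decrypting to stdout and piping straight into the import avoids both problems in one step: `printf '%s' "$LARGE_SECRET_PASSPHRASE" | gpg --quiet --batch --yes --pinentry-mode loopback --passphrase-fd 0 --decrypt .github/workflows/OSBotify-private-key.asc.gpg | gpg --batch --import`. The three new steps are gated on `github.actor == 'OSBotify'`, but the checkout above already uses `OS_BOTIFY_TOKEN` for every actor, so a run triggered by someone else still pushes with the bot's PAT, just unsigned — worth confirming that is intended and saying so in a comment above the gate. The "Create branch for new pull request" step that follows continues outside the hunk.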
@@ -24,12 +24,23 @@ jobs: poll-interval-seconds: 10 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Decrypt GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import the GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc - name: Set up git run: | git fetch git checkout main + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true git config user.name OSBotify + git config user.email infra+osbotify@expensify.com - name: Create new branch run: | diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 60165609e7e8..35f4107fa840 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -33,6 +33,22 @@ jobs: with: ref: staging token: ${{ secrets.OS_BOTIFY_TOKEN }} + + - name: Decrypt Botify GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com + - name: Tag version run: git tag $(npm run print-version --silent) 
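Review bot: The new "Decrypt GPG key" step makes the bot's signing key recoverable from the repository plus a single symmetric passphrase: `OSBotify-private-key.asc.gpg` is committed next to the workflow (it is added as a binary file earlier in this diff), so anyone who can read the repo can take the blob and brute-force `LARGE_SECRET_PASSPHRASE` offline, and rotating the key means another commit to `main`. Since an armored private key is a small text file, storing it directly as a repository secret and importing it from the environment removes both the committed ciphertext and the plaintext file on disk, e.g. `printf '%s' "$OSBOTIFY_GPG_KEY" | gpg --batch --import` with `env: OSBOTIFY_GPG_KEY: ${{ secrets.OSBOTIFY_GPG_KEY }}`. Unlike the equivalent steps in `cherryPick.yml`, none of these is gated on `github.actor`, so every run of this workflow signs as OSBotify regardless of who dispatched it — presumably intended for a version-bump job, but worth stating in a comment above "Decrypt GPG key". The "Create new branch" step continues outside the hunk.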
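Review bot: `commit.gpgsign true` only affects commits, so the `git tag $(npm run print-version --silent)` that immediately follows the new "Set up git for Botify" step still creates an unsigned lightweight tag — the key import does nothing for the release tag this job exists to create. Make the tag annotated and signed with the imported key: `VERSION="$(npm run print-version --silent)"` followed by `git tag -s -m "Release $VERSION" "$VERSION"` (setting `git config tag.gpgSign true` works too, but a signed tag is annotated and still needs a `-m` message in a non-interactive job). The rest of the job, including the push of the tag, continues outside the hunk.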
@@ -50,6 +66,22 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.OS_BOTIFY_TOKEN }} + + - name: Decrypt Botify GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com + - name: Checkout production branch run: git checkout production diff --git a/.github/workflows/updateProtectedBranch.yml b/.github/workflows/updateProtectedBranch.yml index fe4eb154855e..ca925478b44e 100644 --- a/.github/workflows/updateProtectedBranch.yml +++ b/.github/workflows/updateProtectedBranch.yml @@ -53,6 +53,21 @@ jobs: - name: Set New Version run: echo "NEW_VERSION=$(npm run print-version --silent)" >> $GITHUB_ENV + + - name: Decrypt Botify GPG key + run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg + env: + LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} + + - name: Import Botify GPG Key + run: cd .github/workflows && gpg --import OSBotify-private-key.asc + + - name: Set up git for Botify + run: | + git config user.signingkey DBF63700F60F5530 + git config commit.gpgsign true + git config user.name OSBotify + git config user.email infra+osbotify@expensify.com - name: Create temporary branch to resolve conflicts if: ${{ contains(fromJSON('["staging", "production"]'), github.event.inputs.TARGET_BRANCH) }}
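Review bot: This is the fifth verbatim copy of the decrypt/import/`git config` block in this diff (two in `deploy.yml` alone), each hard-coding the key ID `DBF63700F60F5530`, the passphrase secret name and the bot identity, so a key rotation or a fix to the passphrase handling has to be applied in lockstep across four workflow files. Moving the three steps into a composite action and calling it with one `uses:` line per job keeps them identical by construction, and is a natural place to stop writing the plaintext key to disk and to fail fast if the import did not yield the expected key, instead of discovering that at the first commit. A sketch of such an action is below; the "Checkout production branch" step that follows continues outside the hunk.

```yaml
# .github/actions/setup-git-for-osbotify/action.yml
name: Set up git for OSBotify
inputs:
  passphrase:
    required: true
runs:
  using: composite
  steps:
    # Decrypt to stdout and import directly: no plaintext key file, no passphrase on argv.
    - run: printf '%s' "$PASSPHRASE" | gpg --quiet --batch --yes --pinentry-mode loopback --passphrase-fd 0 --decrypt .github/workflows/OSBotify-private-key.asc.gpg | gpg --batch --import
      shell: bash
      env:
        PASSPHRASE: ${{ inputs.passphrase }}
    - run: |
        # Fail here, not at the first signed commit, if the expected key is missing.
        gpg --batch --list-secret-keys DBF63700F60F5530 >/dev/null
        git config user.signingkey DBF63700F60F5530
        git config commit.gpgsign true
        git config user.name OSBotify
        git config user.email infra+osbotify@expensify.com
      shell: bash
```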
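Review bot: After "Import Botify GPG Key" the decrypted `.github/workflows/OSBotify-private-key.asc` is left in the working tree, and the very next step, "Create temporary branch to resolve conflicts", goes on to produce commits for `staging`/`production`; if any of the conflict-resolution steps stages the tree broadly (`git add -A`, `git commit -a`), the plaintext signing key lands on a protected branch inside a commit signed by that same key. Remove it in the same step as the import so that a failure between the two cannot leave it behind: `run: cd .github/workflows && gpg --import OSBotify-private-key.asc; rc=$?; shred -u OSBotify-private-key.asc; exit $rc`. Alternatively decrypt to stdout and pipe into `gpg --import` so no plaintext file is written at all. The conflict-resolution steps continue outside the hunk.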