From 358b71a60b3b88c3e1d3dcd243d73e47fde072dd Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Sun, 23 Oct 2022 17:21:47 -0700 Subject: [PATCH 01/30] feat(action.yml): add `gpg` inputs Add input for GPG key and passphrase and whether or not to sign. --- action.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/action.yml b/action.yml index 87682af..33ee8f3 100644 --- a/action.yml +++ b/action.yml @@ -75,3 +75,10 @@ inputs: default: false description: "check consistency among versions defined in commitizen configuration and version_files" required: false + gpg_sign: + description: > + If true, use GPG to sign commits and tags (for git operations). Requires separate + setup of GPG key and passphrase in GitHub Actions (e.g. with the action + crazy-max/ghaction-import-gpg) + required: false + default: "false" From 8d419063a173f0f27905bbfb84a5b36fcefec682 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 09:04:46 -0700 Subject: [PATCH 02/30] feat(entrypoing.sh): add `gpg` sign Add `-s` to `bump` command if `gpg_sign` is 'true'. --- entrypoint.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index fb5979e..464c433 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash set -e @@ -33,6 +33,9 @@ if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi CZ_CMD+=('bump' '--yes') +if [[ $INPUT_GPG_SIGN == 'true' ]]; then + CZ_CMD+=('--gpg-sign') +fi if [[ $INPUT_DRY_RUN == 'true' ]]; then CZ_CMD+=('--dry-run') fi From 0735f8b19c83c6723e22c0791973cacf9f979292 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 12:20:05 -0700 Subject: [PATCH 03/30] fix(entrypoint.sh): set git config Set `gpg.program`, `commit.gpgsign`, and `tag.gpgsign`. --- entrypoint.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 464c433..2e0c08d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -34,6 +34,9 @@ if [[ $INPUT_NO_RAISE ]]; then fi CZ_CMD+=('bump' '--yes') if [[ $INPUT_GPG_SIGN == 'true' ]]; then + git config --global gpg.program gpg + git config --global commit.gpgsign true + git config --global tag.gpgsign true CZ_CMD+=('--gpg-sign') fi if [[ $INPUT_DRY_RUN == 'true' ]]; then From fa64f0e3874ccc5a642240c056e30729d1d69ad2 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 12:32:01 -0700 Subject: [PATCH 04/30] fix(gpg): add `signingkey` Git requires `signingkey` to sign commits and tags. --- action.yml | 6 ++++++ entrypoint.sh | 11 ++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/action.yml b/action.yml index 33ee8f3..75d6cf3 100644 --- a/action.yml +++ b/action.yml @@ -82,3 +82,9 @@ inputs: crazy-max/ghaction-import-gpg) required: false default: "false" + gpg_private_key: + description: > + The GPG private key to sign commits and tags (for git operations). `gpg_sign` must + be set to true. + required: false + defaul: '' diff --git a/entrypoint.sh b/entrypoint.sh index 2e0c08d..b2d37ff 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -34,9 +34,14 @@ if [[ $INPUT_NO_RAISE ]]; then fi CZ_CMD+=('bump' '--yes') if [[ $INPUT_GPG_SIGN == 'true' ]]; then - git config --global gpg.program gpg - git config --global commit.gpgsign true - git config --global tag.gpgsign true + if [[ -z $INPUT_GPG_PRIVATE_KEY ]]; then + echo 'Missing input "gpg_private_key".' >&2 + exit 2 + fi + git config --local gpg.program gpg + git config --local commit.gpgsign true + git config --local tag.gpgsign true + git config --local user.signingkey "${INPUT_GPG_PRIVATE_KEY}" CZ_CMD+=('--gpg-sign') fi if [[ $INPUT_DRY_RUN == 'true' ]]; then From 2bae08e03fd57872549974bc961dd0c5061ac762 Mon Sep 17 00:00:00 2001 
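Review bot: In the entrypoint.sh hunk of PATCH 04, `git config --local user.signingkey "${INPUT_GPG_PRIVATE_KEY}"` writes the private-key input itself into the repository's `.git/config` in plaintext, where it stays readable for every later step that can see the workspace. `user.signingkey` takes a key ID or fingerprint, so it should be fed from a non-secret input, e.g. `git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}"`, with the key material imported into the GnuPG keyring separately. The same assignment is carried unchanged into the `@@ -14,6 +14,19 @@` hunk of PATCH 05. In the action.yml hunk of the same commit the key `defaul: ''` is misspelled, so `gpg_private_key` declares no default.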
From: "Hendry, Adam" Date: Mon, 24 Oct 2022 12:50:48 -0700 Subject: [PATCH 05/30] feat(debug): add option for debug output --- action.yml | 5 ++++- entrypoint.sh | 24 ++++++++++++++++-------- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/action.yml b/action.yml index 75d6cf3..71693ac 100644 --- a/action.yml +++ b/action.yml @@ -87,4 +87,7 @@ inputs: The GPG private key to sign commits and tags (for git operations). `gpg_sign` must be set to true. required: false - defaul: '' + debug: + description: "If true, prints debug output to GitHub Actions stdout." + required: false + default: "false" diff --git a/entrypoint.sh b/entrypoint.sh index b2d37ff..ef04d21 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -14,6 +14,19 @@ git config --local pull.rebase true echo "Git name: $(git config --get user.name)" echo "Git email: $(git config --get user.email)" +if [[ $INPUT_GPG_SIGN == 'true' ]]; then + if [[ -z $INPUT_GPG_PRIVATE_KEY ]]; then + echo 'Missing input "gpg_private_key".' >&2 + exit 2 + fi + echo "Configuring GPG for signing commits and tags..." + git config --local commit.gpgsign true + git config --local tag.gpgsign true + git config --local user.signingkey "${INPUT_GPG_PRIVATE_KEY}" + echo "Git sign commits?: $(git config --get commit.gpgsign)" + echo "Git sign tags?: $(git config --get tag.gpgsign)" +fi + PIP_CMD=('pip' 'install') if [[ $INPUT_COMMITIZEN_VERSION == 'latest' ]]; then PIP_CMD+=('commitizen') 
@@ -29,19 +42,14 @@ echo "Commitizen version: $(cz version)" PREV_REV="$(cz version --project)" CZ_CMD=('cz') +if [[ $INPUT_DEBUG == 'true' ]]; then + CZ_CMD+=('--debug') +fi if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi CZ_CMD+=('bump' '--yes') if [[ $INPUT_GPG_SIGN == 'true' ]]; then - if [[ -z $INPUT_GPG_PRIVATE_KEY ]]; then - echo 'Missing input "gpg_private_key".' >&2 - exit 2 - fi - git config --local gpg.program gpg - git config --local commit.gpgsign true - git config --local tag.gpgsign true - git config --local user.signingkey "${INPUT_GPG_PRIVATE_KEY}" CZ_CMD+=('--gpg-sign') fi if [[ $INPUT_DRY_RUN == 'true' ]]; then From d4f417159f602007188aa273aa97a0cbb416f6c5 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 13:10:01 -0700 Subject: [PATCH 06/30] fix(signingkey): specify UID Git takes the UID for the signing key, not the key itself. --- action.yml | 7 +++---- entrypoint.sh | 6 +++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/action.yml b/action.yml index 71693ac..fa99ec1 100644 --- a/action.yml +++ b/action.yml @@ -72,7 +72,7 @@ inputs: description: "Manually specify the desired increment" required: false check_consistency: - default: false + default: 'false' description: "check consistency among versions defined in commitizen configuration and version_files" required: false gpg_sign: @@ -82,10 +82,9 @@ inputs: crazy-max/ghaction-import-gpg) required: false default: "false" - gpg_private_key: + git_signingkey: description: > - The GPG private key to sign commits and tags (for git operations). `gpg_sign` must - be set to true. + The UID for the GPG key git will use to sign commits and tags (for git operations). `gpg_sign` must be set to true. required: false debug: description: "If true, prints debug output to GitHub Actions stdout." diff --git a/entrypoint.sh b/entrypoint.sh index ef04d21..c769dd4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -15,14 +15,14 @@ echo "Git name: $(git config --get user.name)" echo "Git email: $(git config --get user.email)" if [[ $INPUT_GPG_SIGN == 'true' ]]; then - if [[ -z $INPUT_GPG_PRIVATE_KEY ]]; then - echo 'Missing input "gpg_private_key".' >&2 + if [[ -z $INPUT_GIT_SIGNINGKEY ]]; then + echo 'Missing input "git_signingkey".' >&2 exit 2 fi echo "Configuring GPG for signing commits and tags..." git config --local commit.gpgsign true git config --local tag.gpgsign true - git config --local user.signingkey "${INPUT_GPG_PRIVATE_KEY}" + git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" echo "Git sign commits?: $(git config --get commit.gpgsign)" echo "Git sign tags?: $(git config --get tag.gpgsign)" fi From 94d316f243caa3b25c9e4c1ccca610729c73bde7 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 13:20:43 -0700 Subject: [PATCH 07/30] fix(entrypoint.sh): add `gpg.program` Add `gpg.program` to Git config. --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index c769dd4..cdd9fd4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,9 +20,11 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." + git config --local gpg.program gpg git config --local commit.gpgsign true git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" + echo "Git GPG program: $(git config --get gpg.program)" echo "Git sign commits?: $(git config --get commit.gpgsign)" echo "Git sign tags?: $(git config --get tag.gpgsign)" fi From a1c8571dd20b769447c039771b56dee3dfae28a5 Mon Sep 17 00:00:00 2001 
From: "Hendry, Adam" Date: Mon, 24 Oct 2022 13:42:25 -0700 Subject: [PATCH 08/30] feat(entrypoint.sh): write `gpg` script Use bash script to configure the GPG agent, import keys, set the passphrase, and configure Git. --- action.yml | 10 +++++++-- entrypoint.sh | 59 +++++++++++++++++++++++++++++++++++++++++++++------ 2 files changed, 61 insertions(+), 8 deletions(-) diff --git a/action.yml b/action.yml index fa99ec1..3dbd97e 100644 --- a/action.yml +++ b/action.yml @@ -82,9 +82,15 @@ inputs: crazy-max/ghaction-import-gpg) required: false default: "false" - git_signingkey: + gpg_private_key: description: > - The UID for the GPG key git will use to sign commits and tags (for git operations). `gpg_sign` must be set to true. + The private gpg signing key for signing commits and tags (for git operations). + Requires `gpg_sign` to be 'true'. + required: false + gpg_passphrase: + description: | + The GPG passphrase for signing commits and tags (for git operations). + Requires `gpg_sign` to be 'true'. required: false debug: description: "If true, prints debug output to GitHub Actions stdout." diff --git a/entrypoint.sh b/entrypoint.sh index cdd9fd4..0bf5264 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,7 @@ #!/usr/bin/env bash set -e +set +o posix if [[ -z $INPUT_GITHUB_TOKEN ]]; then echo 'Missing input "github_token: ${{ secrets.GITHUB_TOKEN }}".' >&2 
@@ -15,16 +16,62 @@ echo "Git name: $(git config --get user.name)" echo "Git email: $(git config --get user.email)" if [[ $INPUT_GPG_SIGN == 'true' ]]; then - if [[ -z $INPUT_GIT_SIGNINGKEY ]]; then - echo 'Missing input "git_signingkey".' >&2 + if [[ -z $INPUT_GPG_PRIVATE_KEY ]]; then + echo 'Missing input "gpg_private_key".' >&2 exit 2 fi - echo "Configuring GPG for signing commits and tags..." - git config --local gpg.program gpg + if [[ -z $INPUT_GPG_PASSPHRASE ]]; then + echo 'Missing input "gpg_passphrase".' >&2 + exit 3 + fi + + echo "Configuring GPG agent..." + if [ -f /usr/lib/systemd/user/gpg-agent.service ]; then + mkdir ~/.gnupg + cat <> ~/.gnupg/gpg-agent.conf + allow-preset-passphrase + default-cache-ttl 60 + max-cache-ttl 50 +EOT + chmod 600 ~/.gnupg/* + chmod 700 ~/.gnupg + systemctl --user restart gpg-agent + else + gpg-agent --daemon --allow-preset-passphrase \ + --default-cache-ttl 60 --max-cache-ttl 60 + fi + + echo "Importing GPG key..." + echo -n "${INPUT_GPG_PRIVATE_KEY}" | base64 --decode \ + | gpg --pinentry-mode loopback \ + --passphrase-file <(echo "${INPUT_GPG_PASSPHRASE}") \ + --import + GPG_FINGERPRINT=$(gpg -K --with-fingerprint \ + | sed -n 4p | sed -e 's/ *//g') + echo "${GPG_FINGERPRINT}:6:" | gpg --import-ownertrust + + echo "Setting GPG passphrase..." + GPG_KEYGRIP=$(gpg --with-keygrip -K \ + | sed -n '/[S]/{n;p}' \ + | sed 's/Keygrip = //' \ + | sed 's/ *//g') + GPG_PASSPHRASE_HEX=$(echo -n "${INPUT_GPG_PASSPHRASE}" \ + | od -A n -t x1 \ + | tr -d ' ' | tr -d '\n') + echo "PRESET_PASSPHRASE $GPG_KEYGRIP -1 $GPG_PASSPHRASE_HEX" | gpg-connect-agent + + echo "Configuring Git for GPG..." 
+ + export CI_SIGNINGKEY_UID=$( \ + gpg --list-signatures --with-colons \ + | grep 'sig' \ + | grep "${INPUT_GIT_EMAIL}" \ + | head -n 1 \ + | cut -d':' -f5 \ + ) git config --local commit.gpgsign true git config --local tag.gpgsign true - git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" - echo "Git GPG program: $(git config --get gpg.program)" + git config --local user.signingkey "${CI_SIGNINGKEY_UID}" echo "Git sign commits?: $(git config --get commit.gpgsign)" echo "Git sign tags?: $(git config --get tag.gpgsign)" fi From 2cf68aae1018dd1f0a610e3d037e6639982bf22c Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 13:53:22 -0700 Subject: [PATCH 09/30] fix(entrypoint.sh): replace `systemctl` Use `service` as `systemctl` is not on GitHub Actions runners. --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0bf5264..4525b7c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -35,7 +35,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then EOT chmod 600 ~/.gnupg/* chmod 700 ~/.gnupg - systemctl --user restart gpg-agent + sudo service gpg-agent restart else gpg-agent --daemon --allow-preset-passphrase \ --default-cache-ttl 60 --max-cache-ttl 60 From 6aa48628c6b19a5f0126108a104ca3956b6479a4 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 13:56:12 -0700 Subject: [PATCH 10/30] fix(entrypoint.sh): remove `sudo` --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 4525b7c..6e869a8 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -35,7 +35,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then EOT chmod 600 ~/.gnupg/* chmod 700 ~/.gnupg - sudo service gpg-agent restart + service gpg-agent restart else gpg-agent --daemon --allow-preset-passphrase \ --default-cache-ttl 60 --max-cache-ttl 60 From c4d392c514eac2c88a76660c76d5fd2f57c303b8 Mon Sep 17 00:00:00 2001 
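Review bot: The `@@ -15,16 +16,62 @@` hunk of PATCH 08 chooses the key to trust and sign with by scraping human-readable `gpg` output by position (`sed -n 4p`, `sed -n '/[S]/{n;p}'`) and never checks the result, so ultimate ownertrust, the preset passphrase and `user.signingkey` go to whatever those lines contain, possibly an empty string or a different key already in the keyring. Read the `--with-colons` records instead and stop when nothing is found, as sketched below; the fingerprint can then be used as `user.signingkey` directly, which also removes the unanchored regex match on `${INPUT_GIT_EMAIL}`. Two smaller points in the same hunk: `mkdir ~/.gnupg` aborts under `set -e` when the directory already exists, and the config file sets `max-cache-ttl 50` below `default-cache-ttl 60` while the fallback branch uses 60 for both.

```shell
# … unchanged: agent configuration and key import …
# Assumes the keyring holds only the imported key; the first fpr/grp records
# belong to its primary key (a signing subkey has its own grp record).
GPG_KEY_RECORDS=$(gpg --batch --with-colons --with-fingerprint --with-keygrip --list-secret-keys)
GPG_FINGERPRINT=$(awk -F: '$1 == "fpr" { print $10; exit }' <<<"${GPG_KEY_RECORDS}")
GPG_KEYGRIP=$(awk -F: '$1 == "grp" { print $10; exit }' <<<"${GPG_KEY_RECORDS}")
if [[ -z $GPG_FINGERPRINT || -z $GPG_KEYGRIP ]]; then
  echo 'No secret key found after import.' >&2
  exit 4
fi
echo "${GPG_FINGERPRINT}:6:" | gpg --import-ownertrust
# … unchanged: passphrase hex encoding and PRESET_PASSPHRASE …
git config --local user.signingkey "${GPG_FINGERPRINT}"
```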
From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:08:44 -0700 Subject: [PATCH 11/30] Revert "fix(entrypoint.sh): replace `systemctl`" This reverts commit 2cf68aae1018dd1f0a610e3d037e6639982bf22c. --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 6e869a8..f7e330c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -35,7 +35,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then EOT chmod 600 ~/.gnupg/* chmod 700 ~/.gnupg - service gpg-agent restart + systemctl --user restart gpg-agentarent of 2cf68aa (fix(entrypoint.sh): replace `systemctl`) else gpg-agent --daemon --allow-preset-passphrase \ --default-cache-ttl 60 --max-cache-ttl 60 From 5f5106996c9e92745dd70a2152bd439006a788a5 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:10:07 -0700 Subject: [PATCH 12/30] Revert "feat(entrypoint.sh): write `gpg` script" This reverts commit a1c8571dd20b769447c039771b56dee3dfae28a5. --- action.yml | 10 ++------- entrypoint.sh | 59 ++++++--------------------------------------------- 2 files changed, 8 insertions(+), 61 deletions(-) diff --git a/action.yml b/action.yml index 3dbd97e..fa99ec1 100644 --- a/action.yml +++ b/action.yml @@ -82,15 +82,9 @@ inputs: crazy-max/ghaction-import-gpg) required: false default: "false" - gpg_private_key: + git_signingkey: description: > - The private gpg signing key for signing commits and tags (for git operations). - Requires `gpg_sign` to be 'true'. - required: false - gpg_passphrase: - description: | - The GPG passphrase for signing commits and tags (for git operations). - Requires `gpg_sign` to be 'true'. + The UID for the GPG key git will use to sign commits and tags (for git operations). `gpg_sign` must be set to true. required: false debug: description: "If true, prints debug output to GitHub Actions stdout." diff --git a/entrypoint.sh b/entrypoint.sh index f7e330c..cdd9fd4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,7 +1,6 @@ #!/usr/bin/env bash set -e -set +o posix if [[ -z $INPUT_GITHUB_TOKEN ]]; then echo 'Missing input "github_token: ${{ secrets.GITHUB_TOKEN }}".' >&2 
@@ -16,62 +15,16 @@ echo "Git name: $(git config --get user.name)" echo "Git email: $(git config --get user.email)" if [[ $INPUT_GPG_SIGN == 'true' ]]; then - if [[ -z $INPUT_GPG_PRIVATE_KEY ]]; then - echo 'Missing input "gpg_private_key".' >&2 + if [[ -z $INPUT_GIT_SIGNINGKEY ]]; then + echo 'Missing input "git_signingkey".' >&2 exit 2 fi - if [[ -z $INPUT_GPG_PASSPHRASE ]]; then - echo 'Missing input "gpg_passphrase".' >&2 - exit 3 - fi - - echo "Configuring GPG agent..." - if [ -f /usr/lib/systemd/user/gpg-agent.service ]; then - mkdir ~/.gnupg - cat <> ~/.gnupg/gpg-agent.conf - allow-preset-passphrase - default-cache-ttl 60 - max-cache-ttl 50 -EOT - chmod 600 ~/.gnupg/* - chmod 700 ~/.gnupg - systemctl --user restart gpg-agentarent of 2cf68aa (fix(entrypoint.sh): replace `systemctl`) - else - gpg-agent --daemon --allow-preset-passphrase \ - --default-cache-ttl 60 --max-cache-ttl 60 - fi - - echo "Importing GPG key..." - echo -n "${INPUT_GPG_PRIVATE_KEY}" | base64 --decode \ - | gpg --pinentry-mode loopback \ - --passphrase-file <(echo "${INPUT_GPG_PASSPHRASE}") \ - --import - GPG_FINGERPRINT=$(gpg -K --with-fingerprint \ - | sed -n 4p | sed -e 's/ *//g') - echo "${GPG_FINGERPRINT}:6:" | gpg --import-ownertrust - - echo "Setting GPG passphrase..." - GPG_KEYGRIP=$(gpg --with-keygrip -K \ - | sed -n '/[S]/{n;p}' \ - | sed 's/Keygrip = //' \ - | sed 's/ *//g') - GPG_PASSPHRASE_HEX=$(echo -n "${INPUT_GPG_PASSPHRASE}" \ - | od -A n -t x1 \ - | tr -d ' ' | tr -d '\n') - echo "PRESET_PASSPHRASE $GPG_KEYGRIP -1 $GPG_PASSPHRASE_HEX" | gpg-connect-agent - - echo "Configuring Git for GPG..." - - export CI_SIGNINGKEY_UID=$( \ - gpg --list-signatures --with-colons \ - | grep 'sig' \ - | grep "${INPUT_GIT_EMAIL}" \ - | head -n 1 \ - | cut -d':' -f5 \ - ) + echo "Configuring GPG for signing commits and tags..." 
+ git config --local gpg.program gpg git config --local commit.gpgsign true git config --local tag.gpgsign true - git config --local user.signingkey "${CI_SIGNINGKEY_UID}" + git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" + echo "Git GPG program: $(git config --get gpg.program)" echo "Git sign commits?: $(git config --get commit.gpgsign)" echo "Git sign tags?: $(git config --get tag.gpgsign)" fi From 0d6bd3f7e33413a91a33fe4299c7be299ec8c6b7 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:10:34 -0700 Subject: [PATCH 13/30] Revert "fix(entrypoint.sh): add `gpg.program`" This reverts commit 94d316f243caa3b25c9e4c1ccca610729c73bde7. --- entrypoint.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index cdd9fd4..c769dd4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,11 +20,9 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." - git config --local gpg.program gpg git config --local commit.gpgsign true git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" - echo "Git GPG program: $(git config --get gpg.program)" echo "Git sign commits?: $(git config --get commit.gpgsign)" echo "Git sign tags?: $(git config --get tag.gpgsign)" fi From a877e09ecf386dc9644a63a5b6c41740a7a1676b Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:35:09 -0700 Subject: [PATCH 14/30] fix(entrypoint.sh): remove signing commits Only sign tags. It may be that `commitizen` only supports signing tags. See: https://github.com/commitizen-tools/commitizen/discussions/616 --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index c769dd4..b4b753d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -20,7 +20,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." - git config --local commit.gpgsign true + git config --local commit.gpgsign false git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" echo "Git sign commits?: $(git config --get commit.gpgsign)" From 42dd53bdcd7faca7c427b2ed63a1c00ff79036e0 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:39:58 -0700 Subject: [PATCH 15/30] fix(entrypoint.sh): remove signing configs Remove `tag.gpgsign` and `commit.gpgsign` from local Git config. --- entrypoint.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index b4b753d..ffb83b6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,11 +20,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." - git config --local commit.gpgsign false - git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" - echo "Git sign commits?: $(git config --get commit.gpgsign)" - echo "Git sign tags?: $(git config --get tag.gpgsign)" fi PIP_CMD=('pip' 'install') From 643bfdc596f200d6d6bd0c6c7d2f68b4a0c53eda Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:48:40 -0700 Subject: [PATCH 16/30] fix(entrypoint.sh): remove `--gpg-sign` See if Git will sign for us instead of through `cz`. --- entrypoint.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index ffb83b6..86d0345 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,6 +20,8 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." + which gpg | git config --local gpg.program + git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi 
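Review bot: `which gpg | git config --local gpg.program` in the first hunk of PATCH 16 does not set anything, because `git config` takes the value as an argument and not from stdin. With only a key name the call reads `gpg.program` and returns non-zero when the key is unset, which ends the script under `set -e`. Pass the path as the value, `git config --local gpg.program "$(command -v gpg)"`, and fail with a clear message when `command -v` finds nothing. The enclosing `if` block starts above the hunk.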
@@ -45,9 +47,6 @@ if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi CZ_CMD+=('bump' '--yes') -if [[ $INPUT_GPG_SIGN == 'true' ]]; then - CZ_CMD+=('--gpg-sign') -fi if [[ $INPUT_DRY_RUN == 'true' ]]; then CZ_CMD+=('--dry-run') fi From de4b095e6f8017e70b679db02389f9dbc9c13ee0 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 14:51:47 -0700 Subject: [PATCH 17/30] fix(entrypoint.sh): add `commit.gpgsign` Remove specifying `gpg.program` and add `commit.gpgsign` back. --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 86d0345..41e65c6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,7 +20,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." - which gpg | git config --local gpg.program + git config --local commit.gpgsign true git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi From e9c803c32bf9be6d7c20905ec3442c92558a1d9e Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 15:08:47 -0700 Subject: [PATCH 18/30] fix(entrypoint.sh): add `gpg-sign` back Add `--gpg-sign` back to `commitizen`. --- entrypoint.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 41e65c6..d5cb837 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,8 +20,6 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." - git config --local commit.gpgsign true - git config --local tag.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi @@ -43,6 +41,9 @@ CZ_CMD=('cz') if [[ $INPUT_DEBUG == 'true' ]]; then CZ_CMD+=('--debug') fi +if [[ $INPUT_GPG_SIGN == 'true' ]]; then + CZ_CMD+=('--gpg-sign') +fi if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi 
From dee95eaf95b956de5f3dacebdf2fac5b0b8f3d90 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 15:12:02 -0700 Subject: [PATCH 19/30] fix(entrypoint.sh): move `--gpg-sign` after bump Switch `--gpg-sign` applies to `bump` subcommand. --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index d5cb837..ffb83b6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -41,13 +41,13 @@ CZ_CMD=('cz') if [[ $INPUT_DEBUG == 'true' ]]; then CZ_CMD+=('--debug') fi -if [[ $INPUT_GPG_SIGN == 'true' ]]; then - CZ_CMD+=('--gpg-sign') -fi if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi CZ_CMD+=('bump' '--yes') +if [[ $INPUT_GPG_SIGN == 'true' ]]; then + CZ_CMD+=('--gpg-sign') +fi if [[ $INPUT_DRY_RUN == 'true' ]]; then CZ_CMD+=('--dry-run') fi From e543aff666e0c0cd9163023d9b1315d0ce6352f7 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 15:14:19 -0700 Subject: [PATCH 20/30] fix(entrypoint.sh): move `--debug` Move `--debug` switch to after `bump` command. --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index ffb83b6..d3e9d02 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -38,9 +38,6 @@ echo "Commitizen version: $(cz version)" PREV_REV="$(cz version --project)" CZ_CMD=('cz') -if [[ $INPUT_DEBUG == 'true' ]]; then - CZ_CMD+=('--debug') -fi if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi @@ -66,6 +63,9 @@ fi if [[ $INPUT_CHECK_CONSISTENCY ]]; then CZ_CMD+=('--check-consistency') fi +if [[ $INPUT_DEBUG == 'true' ]]; then + CZ_CMD+=('--debug') +fi if [[ $INPUT_CHANGELOG_INCREMENT_FILENAME ]]; then CZ_CMD+=('--changelog-to-stdout') echo "${CZ_CMD[@]}" ">$INPUT_CHANGELOG_INCREMENT_FILENAME" From 6215295f736aff19fa2756d7d7c38c46fa9c1c75 Mon Sep 17 00:00:00 2001 
From: "Hendry, Adam" Date: Mon, 24 Oct 2022 15:28:52 -0700 Subject: [PATCH 21/30] Revert "fix(entrypoint.sh): move `--debug`" This reverts commit e543aff666e0c0cd9163023d9b1315d0ce6352f7. --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index d3e9d02..ffb83b6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -38,6 +38,9 @@ echo "Commitizen version: $(cz version)" PREV_REV="$(cz version --project)" CZ_CMD=('cz') +if [[ $INPUT_DEBUG == 'true' ]]; then + CZ_CMD+=('--debug') +fi if [[ $INPUT_NO_RAISE ]]; then CZ_CMD+=('--no-raise' "$INPUT_NO_RAISE") fi @@ -63,9 +66,6 @@ fi if [[ $INPUT_CHECK_CONSISTENCY ]]; then CZ_CMD+=('--check-consistency') fi -if [[ $INPUT_DEBUG == 'true' ]]; then - CZ_CMD+=('--debug') -fi if [[ $INPUT_CHANGELOG_INCREMENT_FILENAME ]]; then CZ_CMD+=('--changelog-to-stdout') echo "${CZ_CMD[@]}" ">$INPUT_CHANGELOG_INCREMENT_FILENAME" From 467d6caa605618467075661ffc962172df5d3f37 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 16:47:00 -0700 Subject: [PATCH 22/30] fix(entrypoint.sh): add `commit.gpgsign` --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index ffb83b6..a180adb 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,6 +20,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." + git config --local commit.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi From 4a8d87fa2405581208ae23e493fc400e61199220 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 16:49:20 -0700 Subject: [PATCH 23/30] ci(test): add `gpg -K` to stdout --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index a180adb..76cc321 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -20,6 +20,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." + gpg -K git config --local commit.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi From 4baddf4ce1967a6dc1d9ff8773a5786baf89a6af Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 16:51:55 -0700 Subject: [PATCH 24/30] ci(test): more printouts --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 76cc321..355d38b 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -20,7 +20,9 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." + echo "gpg -K" gpg -K + echo "Git setup..." git config --local commit.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi From c50654a98c9aa73ea1f8f157235120775aeb240d Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 16:55:24 -0700 Subject: [PATCH 25/30] ci(test): even more printouts --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index 355d38b..7adf9f9 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -22,6 +22,7 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then echo "Configuring GPG for signing commits and tags..." echo "gpg -K" gpg -K + gpg --list-secret-keys --keyid-format=LONG echo "Git setup..." git config --local commit.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" From 9c830e51e66a1249d3c6c1670f0c0c321c7956f0 Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 16:57:22 -0700 Subject: [PATCH 26/30] ci(test): print which `gpg` is running --- entrypoint.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 7adf9f9..1824308 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
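Review bot: The `gpg -K` call added in PATCH 23 runs on every signing-enabled run and writes the secret-keyring listing, with user IDs and fingerprints, to the job log, which is readable by anyone who can view the repository's Actions logs; PATCH 24 and PATCH 25 add more of the same (`gpg --list-secret-keys --keyid-format=LONG`). The action already declares a `debug` input, so the listing could sit behind it: `if [[ $INPUT_DEBUG == 'true' ]]; then gpg -K; fi`. Under `set -e` a failing `gpg -K` also aborts the run before git is configured.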
@@ -20,10 +20,8 @@ if [[ $INPUT_GPG_SIGN == 'true' ]]; then exit 2 fi echo "Configuring GPG for signing commits and tags..." - echo "gpg -K" - gpg -K - gpg --list-secret-keys --keyid-format=LONG - echo "Git setup..." + echo "which gpg" + which gpg git config --local commit.gpgsign true git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" fi From b024f58ecfcb008dc85202a39804c30ab863334a Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 17:02:43 -0700 Subject: [PATCH 27/30] ci(test): let `import-gpg` setup `gpg` --- action.yml | 4 ---- entrypoint.sh | 12 ------------ 2 files changed, 16 deletions(-) diff --git a/action.yml b/action.yml index fa99ec1..521b253 100644 --- a/action.yml +++ b/action.yml @@ -82,10 +82,6 @@ inputs: crazy-max/ghaction-import-gpg) required: false default: "false" - git_signingkey: - description: > - The UID for the GPG key git will use to sign commits and tags (for git operations). `gpg_sign` must be set to true. - required: false debug: description: "If true, prints debug output to GitHub Actions stdout." required: false diff --git a/entrypoint.sh b/entrypoint.sh index 1824308..8ad8b8d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -14,18 +14,6 @@ git config --local pull.rebase true echo "Git name: $(git config --get user.name)" echo "Git email: $(git config --get user.email)" -if [[ $INPUT_GPG_SIGN == 'true' ]]; then - if [[ -z $INPUT_GIT_SIGNINGKEY ]]; then - echo 'Missing input "git_signingkey".' >&2 - exit 2 - fi - echo "Configuring GPG for signing commits and tags..." - echo "which gpg" - which gpg - git config --local commit.gpgsign true - git config --local user.signingkey "${INPUT_GIT_SIGNINGKEY}" -fi - PIP_CMD=('pip' 'install') if [[ $INPUT_COMMITIZEN_VERSION == 'latest' ]]; then PIP_CMD+=('commitizen') From b67ce163bda145e16dba35a5ed77a785aec6fbac Mon Sep 17 00:00:00 2001 
From: "Hendry, Adam" Date: Mon, 24 Oct 2022 17:36:58 -0700 Subject: [PATCH 28/30] ci(test): print `gpg --version` --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 8ad8b8d..af63f3e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,6 +2,8 @@ set -e +gpg --version + if [[ -z $INPUT_GITHUB_TOKEN ]]; then echo 'Missing input "github_token: ${{ secrets.GITHUB_TOKEN }}".' >&2 exit 1 From 3b2cae50c80c717c80aead2482b7cd48ddca06bd Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 17:54:33 -0700 Subject: [PATCH 29/30] feat(ci): run in docker container --- .github/workflows/test_action.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test_action.yml b/.github/workflows/test_action.yml index b24f794..10d34ee 100644 --- a/.github/workflows/test_action.yml +++ b/.github/workflows/test_action.yml @@ -7,6 +7,8 @@ on: jobs: test: runs-on: ubuntu-latest + container: + image: commitizen/commitizen:latest steps: - uses: actions/checkout@v2 with: From aaea398cefe051a5ee3290153896e0bd1f5c9c1c Mon Sep 17 00:00:00 2001 From: "Hendry, Adam" Date: Mon, 24 Oct 2022 18:10:29 -0700 Subject: [PATCH 30/30] Revert "feat(ci): run in docker container" This reverts commit 3b2cae50c80c717c80aead2482b7cd48ddca06bd. --- .github/workflows/test_action.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/test_action.yml b/.github/workflows/test_action.yml index 10d34ee..b24f794 100644 --- a/.github/workflows/test_action.yml +++ b/.github/workflows/test_action.yml @@ -7,8 +7,6 @@ on: jobs: test: runs-on: ubuntu-latest - container: - image: commitizen/commitizen:latest steps: - uses: actions/checkout@v2 with:
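Review bot: `gpg --version` in PATCH 28 sits before any input check and runs unconditionally under `set -e`, so the action now exits on any runner or image without `gpg`, even when `gpg_sign` is left at its default of "false". Guard it with the feature flag, `if [[ $INPUT_GPG_SIGN == 'true' ]]; then gpg --version; fi`, or remove it once the debugging is finished.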
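Review bot: `image: commitizen/commitizen:latest` in PATCH 29 pulls a mutable tag, so the job's whole execution environment can change between runs without any change in this repository. Pin the image by digest, `image: commitizen/commitizen@sha256:<digest-placeholder>`, and update the digest deliberately. The `steps:` list continues outside the hunk.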