automate release with Exoscale Tooling GPG key

exoscale · Sep 11, 2023 · 1261668 · 1261668
1 parent 5dc3fd5
commit 1261668
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,36 @@
+---
+name: release
+
+on:
+ push:
+ tags:
+ - 'v[0-9]+\.[0-9]+\.[0-9]+'
+
+jobs:
+ goreleaser:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - run: git submodule update --init --recursive go.mk
+ shell: bash
+
+ - name: Import GPG key
+ # This is a third-party GitHub action and we trust it with our GPG key.
+ # To be on the safer side, we should always pin to the commit SHA.
+ # It's not a perfect mitigation, but we should always do some due diligence before upgrading.
+ # The author seems trustworthy, as the author is part of the docker and goreleaser organizations on GitHub.
+ uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+ - uses: ./go.mk/.github/actions/release
+ with:
+ release_github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -28,7 +28,7 @@ checksum:
 
 signs:
  - cmd: gpg
- args: ["--default-key", "B2DB6B250321137D9DB7210281426F034A3D05F7", "--detach-sign", "${artifact}"]
+ args: ["--default-key", "7100E8BFD6199CE0374CB7F003686F8CDE378D41", "--detach-sign", "${artifact}"]
  artifacts: all
 
 release:

diff --git a/go.mk b/go.mk