feat: add GPG tag signing (#43)

This commit gives users the ability to sign tags using a GPG key.

Dockerfile

@@ -1,7 +1,10 @@
 FROM alpine:3.18
 
-RUN apk --no-cache add git git-lfs && \
-    rm -rf /var/lib/apt/lists/*
+RUN apk --no-cache add \
+    git \
+    git-lfs \
+    gnupg && \
+    rm -rf /var/cache/apk/*
 
 COPY entrypoint.sh /entrypoint.sh
 

README.md

@@ -53,7 +53,9 @@ A boolean specifying whether the tag already exists.
 
 A boolean specifying whether the tag already exists.
 
-## Example usage
+## Example Usage
+
+### General example
 
 ```yml
 name: Create/update tag
@@ -75,14 +77,82 @@ jobs:
           message: "Latest release"
 
       # Print result using the env variable.
-      -  run: |
-          echo "Tag already present: ${{ env.TAG_EXISTS }}"
+      - run: |
+        echo "Tag already present: ${{ env.TAG_EXISTS }}"
+
+      # Print result using the action output.
+      - run: |
+        echo "Tag already present: ${{ steps.tag_create.outputs.tag_exists }}"
+```
+
+### Signing Tags with GPG
+
+To sign tags with GPG, follow these steps:
+
+#### 1. Generate a GPG Key
+
+First, [generate a GPG key](https://docs.github.com/en/github/authenticating-to-github/generating-a-new-gpg-key). Once generated, export the GPG private key in ASCII armored format to your clipboard using one of the following commands based on your operating system:
+
+- **macOS:**
+
+  ```shell
+  gpg --armor --export-secret-key joe@foo.bar | pbcopy
+  ```
+
+- **Ubuntu (GNU base64):**
+
+  ```shell
+  gpg --armor --export-secret-key joe@foo.bar -w0 | xclip -selection clipboard
+  ```
+
+- **Arch:**
+
+  ```shell
+  gpg --armor --export-secret-key joe@foo.bar | xclip -selection clipboard -i
+  ```
+
+- **FreeBSD (BSD base64):**
+
+  ```shell
+  gpg --armor --export-s[.github/workflows/update_semver.yml](.github/workflows/update_semver.yml)e your GPG passphrase.
+  ```
+
+#### 3. Update Workflow YAML
+
+Modify your workflow YAML file to include the GPG private key and passphrase in the `gpg_private_key` and `gpg_passphrase` inputs:
+
+```yaml
+name: Create/update tag
+on:
+  push:
+    branch: "main"
+jobs:
+  create-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: rickstaa/action-create-tag@v1
+        id: "tag_create"
+        with:
+          tag: "latest"
+          tag_exists_error: false
+          message: "Latest release"
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg_passphrase: ${{ secrets.PASSPHRASE }}
+
+      # Print result using the env variable.
+      - run: |
+        echo "Tag already present: ${{ env.TAG_EXISTS }}"
 
       # Print result using the action output.
       - run: |
-          echo "Tag already present: ${{ steps.tag_create.outputs.tag_exists }}"
+        echo "Tag already present: ${{ steps.tag_create.outputs.tag_exists }}"
 ```
 
+This workflow will now sign tags using the specified GPG key during tag creation.
+
 ## Contributing
 
 Feel free to open an issue if you have ideas on how to make this GitHub action better or if you want to report a bug! All contributions are welcome. :rocket: Please consult the [contribution guidelines](CONTRIBUTING.md) for more information.

action.yml

@@ -26,6 +26,12 @@ inputs:
     description: "Optional. Skips verifying when pushing the tag. Defaults to 'false'."
     required: false
     default: "false"
+  gpg_private_key:
+    description: "Optional. GPG key to sign the tag with."
+    required: false
+  gpg_passphrase:
+    description: "Optional. GPG key passphrase."
+    required: false
 outputs:
   tag_exists:
     description: "Whether the tag already existed."

entrypoint.sh

@@ -20,9 +20,39 @@ FORCE_TAG="${INPUT_FORCE_PUSH_TAG:-false}"
 TAG_EXISTS_ERROR="${INPUT_TAG_EXISTS_ERROR:-true}"
 NO_VERIFY="${INPUT_NO_VERIFY_TAG:-false}"
 SHA=${INPUT_COMMIT_SHA:-${GITHUB_SHA}}
+GPG_PRIVATE_KEY="${INPUT_GPG_PRIVATE_KEY:-}"
+GPG_PASSPHRASE="${INPUT_GPG_PASSPHRASE:-}"
 
-git config user.name "${GITHUB_ACTOR}"
-git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+# Configure git and gpg if GPG key is provided.
+if [ -n "${GPG_PRIVATE_KEY}" ]; then
+  # Import the GPG key.
+  echo "[action-update-semver] Importing GPG key."
+  echo "${GPG_PRIVATE_KEY}" | gpg --batch --yes --import
+
+  # If GPG_PASSPHRASE is set, unlock the key.
+  if [ -n "${GPG_PASSPHRASE}" ]; then
+    echo "[action-update-semver] Unlocking GPG key."
+    echo "${GPG_PASSPHRASE}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --output /dev/null --sign
+  fi
+
+  # Retrieve GPG key information.
+  public_key_id=$(gpg --list-secret-keys --keyid-format=long | grep sec | awk '{print $2}' | cut -d'/' -f2)
+  signing_key_email=$(gpg --list-keys --keyid-format=long "${public_key_id}" | grep uid | sed 's/.*<\(.*\)>.*/\1/')
+  signing_key_username=$(gpg --list-keys --keyid-format=long "${public_key_id}" | grep uid | sed 's/uid\s*\[\s*.*\]\s*//; s/\s*(.*//')
+
+  # Setup git user name, email, and signingkey.
+  echo "[action-update-semver] Setup git user name, email, and signingkey."
+  git config --global user.name "${signing_key_username}"
+  git config --global user.email "${signing_key_email}"
+  git config --global user.signingkey "${public_key_id}"
+  git config --global commit.gpgsign true
+  git config --global tag.gpgSign true
+else
+  # Setup git user name and email.
+  echo "[action-update-semver] Setup git user name and email."
+  git config --global user.name "${GITHUB_ACTOR}"
+  git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+fi
 
 # Check if tag already exists.
 if [ "$(git tag -l "${TAG}")"  ]; then tag_exists=true; else tag_exists=false; fi
@@ -50,7 +80,7 @@ else
   fi
 fi
 
-# Set up remote url for checkout@v1 action.
+# Set up remote URL for checkout@v1 action.
 if [ -n "${INPUT_GITHUB_TOKEN}" ]; then
   git remote set-url origin "https://${GITHUB_ACTOR}:${INPUT_GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
 fi