fix release to wait ci, removed secrets

Author: ndbroadbent

.github/workflows/release.yml

@@ -9,8 +9,59 @@ permissions:
   contents: write
 
 jobs:
+  wait_ci:
+    name: Wait for CI success on tag
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Determine tag and SHA
+        id: ref
+        shell: bash
+        run: |
+          TAG="${{ github.ref_type == 'tag' && github.ref_name || '' }}"
+          if [[ -z "$TAG" ]]; then
+            echo "Error: no tag in event" >&2
+            exit 1
+          fi
+          SHA="${{ github.sha }}"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "sha=$SHA" >> $GITHUB_OUTPUT
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+      - name: Wait for CI workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          SHA="${{ steps.ref.outputs.sha }}"
+          echo "Waiting for CI to succeed for $SHA ..."
+          ATTEMPTS=120
+          SLEEP=10
+          for i in $(seq 1 $ATTEMPTS); do
+            RESP=$(curl -s -H "Authorization: Bearer $GH_TOKEN" -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${{ github.repository }}/actions/runs?per_page=50&head_sha=$SHA")
+            STATUS=$(echo "$RESP" | jq -r '.workflow_runs[] | select(.name=="CI") | .status' | head -n1)
+            CONCLUSION=$(echo "$RESP" | jq -r '.workflow_runs[] | select(.name=="CI") | .conclusion' | head -n1)
+            if [[ "$STATUS" == "completed" ]]; then
+              if [[ "$CONCLUSION" == "success" ]]; then
+                echo "CI succeeded."
+                exit 0
+              else
+                echo "CI completed with conclusion: $CONCLUSION"
+                exit 1
+              fi
+            fi
+            echo "CI status: ${STATUS:-not found}; waiting... ($i/$ATTEMPTS)"
+            sleep $SLEEP
+          done
+          echo "Timed out waiting for CI to complete."
+          exit 1
+
   release:
     runs-on: ubuntu-latest
+    needs: wait_ci
     steps:
       - uses: actions/checkout@v4
         with:
@@ -19,23 +70,24 @@ jobs:
         with:
           go-version: '1.22'
       - name: Import GPG private key (for checksum signing)
-        if: ${{ secrets.GPG_PRIVATE_KEY != '' }}
         env:
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
+          if [ -z "${GPG_PRIVATE_KEY:-}" ]; then
+            echo "No GPG_PRIVATE_KEY secret set; skipping key import."
+            exit 0
+          fi
           mkdir -p ~/.gnupg
           chmod 700 ~/.gnupg
           echo "Importing GPG key"
           echo "$GPG_PRIVATE_KEY" | gpg --batch --import
-          # If the key has a passphrase, enable loopback so non-interactive signing can work
-          if [ -n "$GPG_PASSPHRASE" ]; then
+          if [ -n "${GPG_PASSPHRASE:-}" ]; then
             echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
             echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf
             gpg-connect-agent reloadagent /bye
           fi
-          echo "GPG keys:"
-          gpg --list-secret-keys --keyid-format LONG
+          gpg --list-secret-keys --keyid-format LONG || true
       - name: Build
         run: go build ./...
       - name: GoReleaser
@@ -45,6 +97,4 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # If your key has a passphrase, gpg will read it via loopback pinentry
-          # GPG_TTY helps avoid certain agent warnings
           GPG_TTY: ${{ runner.env.SSH_AUTH_SOCK }}