From d59c647ccad979a2df9f602d9924a9e0f9e3cf62 Mon Sep 17 00:00:00 2001 From: Suresh Krishnan V Date: Tue, 16 Sep 2025 11:19:33 +0530 Subject: [PATCH 1/4] (change) Configure GoReleaser to sign the releases Signed-off-by: Suresh Krishnan V --- .github/workflows/release.yml | 9 +++++++++ .goreleaser.yaml | 13 +++++++++++++ 2 files changed, 22 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 10ae86404a4..fc9af5695e8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -131,6 +131,10 @@ jobs: DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} run: | echo "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin + + - name: Import GPG key + run: | + echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import - name: Run GoReleaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 @@ -140,6 +144,11 @@ jobs: args: release --clean --timeout 60m env: GITHUB_TOKEN: ${{ secrets.PERSONAL_GITHUB_TOKEN }} + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + + is-not-beta-release: name: check if release is a beta release diff --git a/.goreleaser.yaml b/.goreleaser.yaml index bafca0c1271..8e40ae47b2e 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -775,3 +775,16 @@ scoops: snapshot: version_template: "{{ incpatch .Version }}-next" + +signs: + - artifacts: checksum + cmd: gpg + args: [ + "--batch", + "--yes", + "--pinentry-mode", "loopback", + "--passphrase", "{{ .Env.GPG_PASSPHRASE }}", + "--local-user", "{{ .Env.GPG_KEY_ID }}", + "--output", "${signature}", + "--detach-sign", "${artifact}" + ] From d2ac0f75ecae8d17c6beffa955842dc2dac29588 Mon Sep 17 00:00:00 2001 From: Suresh Krishnan V Date: Tue, 16 Sep 2025 11:36:28 +0530 Subject: [PATCH 2/4] ci: Configure GoReleaser to sign the releases 
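Review bot: `GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}` in the `Run GoReleaser` env hands the armored private key to a step that does not appear to need it. The key is already in the keyring from the import step, and the `signs` args in this patch read only `GPG_PASSPHRASE` and `GPG_KEY_ID`. Dropping the line keeps the key out of the environment of every process GoReleaser spawns (build hooks, docker, publishers). The same variable is carried forward as `SIGN_RELEASE_GPG_PRIVATE_KEY` in patches 3/4 and 4/4, so it should be removed there as well.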
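Review bot: The `signs` entry passes the passphrase as a command-line argument (`"--passphrase", "{{ .Env.GPG_PASSPHRASE }}"`), so it sits in gpg's argv where any process on the runner can read it, and it may be echoed if GoReleaser logs the command on failure or in debug mode. Feed it on stdin instead: replace that pair with `"--passphrase-fd", "0",` and add `stdin: "{{ .Env.GPG_PASSPHRASE }}"` to the same `signs` item. Patch 4/4 renames the variable to `SIGN_RELEASE_GPG_PASSPHRASE` but keeps it in argv, so the same change applies to that hunk.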
Signed-off-by: Suresh Krishnan V --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fc9af5695e8..0bb5b097a67 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -133,8 +133,10 @@ jobs: echo "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin - name: Import GPG key + env: + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} run: | - echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import + echo "$GPG_PRIVATE_KEY" | gpg --batch --import - name: Run GoReleaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 From d09f7d449804eba0aab04840d53c6f19f08b7ad2 Mon Sep 17 00:00:00 2001 From: Suresh Krishnan V Date: Wed, 8 Oct 2025 10:55:39 +0530 Subject: [PATCH 3/4] Update .github/workflows/release.yml Co-authored-by: Thomas Poignant --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0bb5b097a67..27a0eb524b4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -146,9 +146,9 @@ jobs: args: release --clean --timeout 60m env: GITHUB_TOKEN: ${{ secrets.PERSONAL_GITHUB_TOKEN }} - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} + SIGN_RELEASE_GPG_PRIVATE_KEY: ${{ secrets.SIGN_RELEASE_GPG_PRIVATE_KEY }} + SIGN_RELEASE_GPG_PASSPHRASE: ${{ secrets.SIGN_RELEASE_GPG_PASSPHRASE }} + SIGN_RELEASE_GPG_KEY_ID: ${{ secrets.SIGN_RELEASE_GPG_KEY_ID }} From b94403c2a36a49fe421ee6ca1a639d9ebb1f1a7a Mon Sep 17 00:00:00 2001 
From: Suresh Krishnan V Date: Wed, 8 Oct 2025 11:17:16 +0530 Subject: [PATCH 4/4] chore: Update GPG key import method and add armor option for signing --- .github/workflows/release.yml | 12 ++++++------ .goreleaser.yaml | 5 +++-- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 27a0eb524b4..906fc45f273 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -131,12 +131,12 @@ jobs: DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} run: | echo "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin - + - name: Import GPG key - env: - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - run: | - echo "$GPG_PRIVATE_KEY" | gpg --batch --import + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 + with: + gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }} + passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSWORD }} - name: Run GoReleaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 @@ -148,7 +148,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.PERSONAL_GITHUB_TOKEN }} SIGN_RELEASE_GPG_PRIVATE_KEY: ${{ secrets.SIGN_RELEASE_GPG_PRIVATE_KEY }} SIGN_RELEASE_GPG_PASSPHRASE: ${{ secrets.SIGN_RELEASE_GPG_PASSPHRASE }} - SIGN_RELEASE_GPG_KEY_ID: ${{ secrets.SIGN_RELEASE_GPG_KEY_ID }} + SIGN_RELEASE_GPG_KEY_ID: 4AEE18F83AFDEB23 diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 8e40ae47b2e..5014d7082b7 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -782,9 +782,10 @@ signs: args: [ "--batch", "--yes", + "--armor", "--pinentry-mode", "loopback", - "--passphrase", "{{ .Env.GPG_PASSPHRASE }}", - "--local-user", "{{ .Env.GPG_KEY_ID }}", + "--passphrase", "{{ .Env.SIGN_RELEASE_GPG_PASSPHRASE }}", + "--local-user", "{{ .Env.SIGN_RELEASE_GPG_KEY_ID }}", "--output", "${signature}", "--detach-sign", "${artifact}" ]
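Review bot: The import step now reads `secrets.GPG_SIGNING_KEY` and `secrets.GPG_SIGNING_KEY_PASSWORD`, while the `Run GoReleaser` step still takes its passphrase from `secrets.SIGN_RELEASE_GPG_PASSPHRASE`. If the two secrets differ, the key imports but `--detach-sign` fails at release time; if they match, the same passphrase is stored under two names and can drift on rotation. Use one secret pair for both steps. Because the action is given the passphrase, it presumably caches it in gpg-agent, in which case the passphrase would not need to reach GoReleaser at all; that is worth confirming against the action's documentation.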
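Review bot: `SIGN_RELEASE_GPG_KEY_ID: 4AEE18F83AFDEB23` hard-codes a 64-bit long key ID, and nothing ties it to the key stored in `GPG_SIGNING_KEY`. Adding `id: import_gpg` to the import step and passing `SIGN_RELEASE_GPG_KEY_ID: ${{ steps.import_gpg.outputs.fingerprint }}` would bind `--local-user` to the key actually imported, using its full fingerprint. If the literal stays, add a comment such as `# long key ID of the release-signing key; public key published at <location>` so that a key rotation updates both places and consumers know which key to verify against.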