- Generate a
GPGkey (see here)
gpg --full-generate-key-
Save the
GPGpassphrase to secrets asGPG_KEY_PASSPHRASE -
Save the
GPGkey ID (ex.3AA5C34371567BD2)
gpg --list-secret-keys --keyid-format=long
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Michael West (GitHub GPG key) <michael.west@example.com>
ssb 4096R/42B317FD4BA89E7A 2016-03-10to secrets as GPG_KEY_ID
-
Save the name (ex.
Michael West) to secrets asGIT_COMMITTER_NAME -
Save the email (ex.
michael.west@example.com) to secrets asGIT_COMMITTER_EMAIL -
Save the
GPGkey (base64)
gpg --export-secret-keys 3AA5C34371567BD2 | base64to secrets as GPG_KEY
- Add the following (preliminary) steps
steps:
- name: Import GPG key
run: echo $GPG_KEY | base64 --decode | gpg --batch --import
env:
GPG_KEY: ${{ secrets.GPG_KEY }}
- name: Add the custom gpg siging program that passes the passphrase to the gpg CLI
run: |
rm -rf /tmp/gpg.sh
echo '#!/bin/bash' >> /tmp/gpg.sh
echo 'gpg --batch --pinentry-mode=loopback --passphrase $GPG_KEY_PASSPHRASE $@' >> /tmp/gpg.sh
chmod +x /tmp/gpg.sh
- name: Setup git
run: |
git config commit.gpgsign true
git config user.signingkey $GPG_KEY_ID
git config gpg.program /tmp/gpg.sh
env:
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}steps:
- name: Test sign
run: |
echo 'Something' >> test.md
git add test.md
git commit -m "test commit"
git verify-commit $( git rev-parse HEAD )
env:
GPG_KEY_PASSPHRASE: ${{ secrets.GPG_KEY_PASSPHRASE }}
GIT_COMMITTER_NAME: ${{ secrets.GIT_COMMITTER_NAME }}
GIT_COMMITTER_EMAIL: ${{ secrets.GIT_COMMITTER_EMAIL }}
GIT_AUTHOR_NAME: SomeBot
GIT_AUTHOR_EMAIL: somebot@example.com