-
Notifications
You must be signed in to change notification settings - Fork 3
122 lines (99 loc) · 4.02 KB
/
sign_missing.yml
File metadata and controls
122 lines (99 loc) · 4.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: Sign Missing Packages in Releases
on:
workflow_dispatch:
inputs:
dry_run:
description: "Only log what would happen (true/false)"
required: false
default: "true"
jobs:
sign:
runs-on: ubuntu-latest
env:
KEY_ID: 7E7B7BC98F96272B619AD8D7E6CA536875E45798
KEY_FPR_SHORT: E6CA536875E45798
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout self
uses: actions/checkout@v4
- name: Install GPG
run: sudo apt-get install -y gnupg
- name: Import signing key
run: |
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --batch --import
gpg --list-keys
- name: Check GitHub CLI version (optional sanity check)
run: gh --version
- name: List releases
id: list_releases
run: |
gh api -H "Accept: application/vnd.github+json" \
repos/envolution/aur/releases \
--paginate > releases.json
- name: Process releases
run: |
DRY_RUN="${{ github.event.inputs.dry_run }}"
echo "Dry-run: $DRY_RUN"
mkdir -p work
jq -c '.[]' releases.json | while read -r release; do
tag_name=$(echo "$release" | jq -r .tag_name)
release_id=$(echo "$release" | jq -r .id)
echo "::group::Processing release: $tag_name"
gh api -H "Accept: application/vnd.github+json" \
repos/envolution/aur/releases/$release_id/assets \
> "work/assets-${tag_name}.json"
missing_sigs=()
zst_files=()
while IFS= read -r asset; do
name=$(echo "$asset" | jq -r .name)
url=$(echo "$asset" | jq -r .url)
if [[ "$name" == *.pkg.tar.zst ]]; then
zst_files+=("$name")
sig_name="$name.sig"
if ! jq -r '.[].name' "work/assets-${tag_name}.json" | grep -q "^${sig_name}$"; then
missing_sigs+=("$name")
fi
fi
done < <(jq -c '.[]' "work/assets-${tag_name}.json")
for zst in "${missing_sigs[@]}"; do
echo "Missing sig for $zst"
download_url="https://github.com/envolution/aur/releases/download/${tag_name}/${zst}"
curl -L "$download_url" -o "work/${zst}"
if [[ "$DRY_RUN" == "true" ]]; then
echo "[DRY-RUN] Would sign $zst and upload ${zst}.sig"
continue
fi
echo "Signing $zst..."
gpg --batch --yes --detach-sign -u "$KEY_ID" "work/${zst}"
echo "Uploading ${zst}.sig..."
gh release upload "$tag_name" "work/${zst}.sig" --clobber
echo "Re-uploading $zst (ensuring signature validity)..."
gh release upload "$tag_name" "work/${zst}" --clobber
echo "Updating release notes..."
body_lines=(
"To install - first load GPG keys to the pacman keyring:"
'```bash'
" sudo pacman-key --recv-keys $KEY_FPR_SHORT --keyserver keyserver.ubuntu.com"
" sudo pacman-key --lsign-key $KEY_FPR_SHORT"
'```'
""
"And then:"
'```bash'
)
# Loop over all .zst files, excluding *-debug.pkg.tar.zst
for zst in "${zst_files[@]}"; do
if [[ "$zst" != *-debug*.pkg.tar.zst ]]; then
body_lines+=(" sudo pacman -U https://github.com/envolution/aur/releases/download/${tag_name}/${zst}")
fi
done
body_lines+=('```')
release_body=$(printf "%s\n" "${body_lines[@]}")
gh api --method PATCH -H "Accept: application/vnd.github+json" \
/repos/envolution/aur/releases/$release_id \
-f body="$release_body"
rm work/*
done
echo "::endgroup::"
done