Skip to content

Commit

Permalink
Merge pull request #2033 from dmurphy18/fix_2032
Browse files Browse the repository at this point in the history 
Disabling signing of commits on release updates
  • Loading branch information
@dmurphy18
dmurphy18 authored Nov 7, 2024
2 parents aaa123a + 2a4e6a3 commit 8cdedfb
Show file tree
Hide file tree
Showing 2 changed files with 135 additions and 132 deletions.
263 changes: 133 additions & 130 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -74,44 +74,45 @@ jobs:
python3 -m pip install -r requirements/release.txt
pre-commit install --install-hooks
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
## - name: Setup GnuPG
## run: |
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
## GNUPGHOME="$(mktemp -d -p /run/gpg)"
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
## cat <<EOF > "${GNUPGHOME}/gpg.conf"
## batch
## no-tty
## pinentry-mode loopback
## EOF

## - name: Get Secrets
## id: get-secrets
## env:
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
## run: |
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text | jq .default_key -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
## | gpg --import -
## sync
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
## sync
## rm "$SECRETS_KEY_FILE"
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"

- name: Configure Git
shell: bash
run: |
git config --global --add safe.directory "$(pwd)"
git config --global user.name "Salt Project Packaging"
git config --global user.email [email protected]
git config --global user.signingkey 64CBBC8173D76B3F
git config --global commit.gpgsign true
git config --global commit.gpgsign false
## git config --global user.signingkey 64CBBC8173D76B3F
## git config --global commit.gpgsign true
- name: Update Repository
id: update-repo
Expand Down Expand Up @@ -166,44 +167,45 @@ jobs:
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
fetch-depth: 0

- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
## - name: Setup GnuPG
## run: |
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
## GNUPGHOME="$(mktemp -d -p /run/gpg)"
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
## cat <<EOF > "${GNUPGHOME}/gpg.conf"
## batch
## no-tty
## pinentry-mode loopback
## EOF

## - name: Get Secrets
## id: get-secrets
## env:
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
## run: |
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text | jq .default_key -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
## | gpg --import -
## sync
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
## sync
## rm "$SECRETS_KEY_FILE"
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"

- name: Configure Git
shell: bash
run: |
git config --global --add safe.directory "$(pwd)"
git config --global user.name "Salt Project Packaging"
git config --global user.email [email protected]
git config --global user.signingkey 64CBBC8173D76B3F
git config --global commit.gpgsign true
git config --global commit.gpgsign false
## git config --global user.signingkey 64CBBC8173D76B3F
## git config --global commit.gpgsign true
- name: Download Release Details
uses: actions/download-artifact@v4
Expand Down Expand Up @@ -317,43 +319,43 @@ jobs:
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment)
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV"
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
- name: Install Requirements
run: |
python3 -m pip install -r requirements/release.txt
- name: Upload Stable Release to S3
run: |
tools release s3-publish --key-id 64CBBC8173D76B3F stable
## - name: Setup GnuPG
## run: |
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
## GNUPGHOME="$(mktemp -d -p /run/gpg)"
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
## cat <<EOF > "${GNUPGHOME}/gpg.conf"
## batch
## no-tty
## pinentry-mode loopback
## EOF

## - name: Get Secrets
## id: get-secrets
## env:
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
## run: |
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text | jq .default_key -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
## | gpg --import -
## sync
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
## sync
## rm "$SECRETS_KEY_FILE"
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"

## - name: Install Requirements
## run: |
## python3 -m pip install -r requirements/release.txt

## - name: Upload Stable Release to S3
## run: |
## tools release s3-publish --key-id 64CBBC8173D76B3F stable

update-develop-checksums:
name: Update Release Checksums on Develop
Expand Down Expand Up @@ -386,44 +388,45 @@ jobs:
repository: ${{ github.repository }}
ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}

- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
## - name: Setup GnuPG
## run: |
## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
## GNUPGHOME="$(mktemp -d -p /run/gpg)"
## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
## cat <<EOF > "${GNUPGHOME}/gpg.conf"
## batch
## no-tty
## pinentry-mode loopback
## EOF

## - name: Get Secrets
## id: get-secrets
## env:
## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
## run: |
## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text | jq .default_key -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
## | gpg --import -
## sync
## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
## sync
## rm "$SECRETS_KEY_FILE"
## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"

- name: Configure Git
shell: bash
run: |
git config --global --add safe.directory "$(pwd)"
git config --global user.name "Salt Project Packaging"
git config --global user.email [email protected]
git config --global user.signingkey 64CBBC8173D76B3F
git config --global commit.gpgsign true
git config --global commit.gpgsign false
## git config --global user.signingkey 64CBBC8173D76B3F
## git config --global commit.gpgsign true
- name: Update Latest Release on README
run: |
Expand Down
4 changes: 2 additions & 2 deletions bootstrap-salt.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -657,7 +657,7 @@ elif [ "$ITYPE" = "stable" ]; then
ITYPE="onedir"
shift
else
echo "Unknown stable version: $1 (valid: 3006, 3007, latest)"
echo "Unknown stable version: $1 (valid: 3006, 3007, latest), versions older than 3006 are not available"
exit 1
fi
fi
Expand All @@ -676,7 +676,7 @@ elif [ "$ITYPE" = "onedir" ]; then
STABLE_REV="$1"
shift
else
echo "Unknown onedir version: $1 (valid: 3006, 3007, latest.)"
echo "Unknown onedir version: $1 (valid: 3006, 3007, latest), versions older than 3006 are not available"
exit 1
fi
fi
Expand Down

0 comments on commit 8cdedfb

Please sign in to comment.