From 870d9c9922492970fa40a2e6517eeb848e609b3d Mon Sep 17 00:00:00 2001
From: Ryan Scott
Date: Thu, 19 May 2022 10:54:26 -0400
Subject: [PATCH 1/3] CI: Always sign binary artifacts, not just for releases
Fixes #1355.
---
 .github/ci.sh | 4 ++++
 .github/workflows/ci.yml | 5 ++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/ci.sh b/.github/ci.sh
index 5a19e2749..5ceb09052 100755
--- a/.github/ci.sh
+++ b/.github/ci.sh
@@ -109,10 +109,14 @@ bundle_files() {
 }
 sign() {
+ # This is surrounded with `set +x; ...; set -x` to disable printing out
+ # statements that could leak GPG-related secrets.
+ set +x
 gpg --batch --import <(echo "$SIGNING_KEY")
 fingerprint="$(gpg --list-keys | grep galois -a1 | head -n1 | awk '{$1=$1};1')"
 echo "$fingerprint:6" | gpg --import-ownertrust
 gpg --yes --no-tty --batch --pinentry-mode loopback --default-key "$fingerprint" --detach-sign -o "$1".sig --passphrase-file <(echo "$SIGNING_PASSPHRASE") "$1"
+ set -x
 }
 zip_dist() {
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 30ebd531e..92a793f95 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -158,7 +158,7 @@ jobs:
 - if: runner.os == 'Windows'
 run: .github/wix.ps1
- - if: needs.config.outputs.release == 'true' && runner.os == 'Windows'
+ - if: runner.os == 'Windows'
 shell: bash
 env:
 SIGNING_PASSPHRASE: ${{ secrets.SIGNING_PASSPHRASE }}
@@ -181,8 +181,7 @@ jobs:
 env:
 OS_TAG: ${{ matrix.os }}
- - if: needs.config.outputs.release == 'true'
- shell: bash
+ - shell: bash
 env:
 SIGNING_PASSPHRASE: ${{ secrets.SIGNING_PASSPHRASE }}
 SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
From fff6520e9b912cbb24b6a5ecf68190588679452d Mon Sep 17 00:00:00 2001
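Review bot: The closing `set -x` added at the end of sign() re-enables xtrace unconditionally, so if the function is ever called from a context where tracing was off it switches tracing on for the rest of the script and every later command line, secrets included, is echoed to the job log. Record the prior state and restore only that: `local restore_x=:; [[ $- == *x* ]] && restore_x='set -x'` before `set +x`, and `$restore_x` in place of the trailing `set -x`. Also note for the comment that under `set -e` a failing gpg call leaves the function before the restore line, which is safe but surprising, e.g. `# (a gpg failure exits before tracing is restored; that is the safe direction)`. The whole of sign() is within this hunk.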
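Review bot: Dropping the `needs.config.outputs.release == 'true'` guard on both signing steps (this hunk and the one at `@@ -181,8 +181,7`) makes the step run on every event the workflow handles; if that includes `pull_request` runs from forks, where `secrets.SIGNING_PASSPHRASE` and `secrets.SIGNING_KEY` resolve to empty strings, `gpg --batch --import` of an empty key fails the job instead of skipping the signature. It also means the signing key is exercised on every in-repo branch build rather than only on releases, so any branch that edits `.github/ci.sh` runs with that key available; if that trade-off is intended, at least make the missing-secret case explicit so untrusted events degrade gracefully, e.g. at the top of sign() in ci.sh: `[[ -n "${SIGNING_KEY:-}" ]] || { echo "SIGNING_KEY not set; skipping signature" >&2; return 0; }`. Whether fork PRs actually reach these steps depends on the `on:` block and job-level conditions outside both hunks.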
From: Ryan Scott
Date: Thu, 19 May 2022 10:57:58 -0400
Subject: [PATCH 2/3] CI: Trigger full release after `git tag --push`
This fixes the regex used to detect tagged releases and runs the `build-push-image` job for tagged releases.
Fixes #1351.
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 92a793f95..7a19bab63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,7 @@
 name: Cryptol
 on:
 push:
- tags: ["?[0-9]+.[0-9]+(.[0-9]+)?"]
+ tags: ["[0-9]+.[0-9]+(.[0-9]+)?"]
 branches: [master, "release-**"]
 pull_request:
 schedule:
@@ -311,7 +311,7 @@ jobs:
 build-push-image:
 runs-on: ubuntu-20.04
 needs: [config]
- if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+ if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || needs.config.outputs.release == 'true'
 strategy:
 fail-fast: false
 matrix:
From e630fbe95a107359656549ba1eeabfc4471e3c77 Mon Sep 17 00:00:00 2001
From: Ryan Scott
Date: Thu, 19 May 2022 11:22:27 -0400
Subject: [PATCH 3/3] CI: Use modern GPG keys
Most of the changes are in GitHub's secret values. The only thing that must change in the code is the name of the key we search for.
Fixes #1354.
---
 .github/ci.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/ci.sh b/.github/ci.sh
index 5ceb09052..dc536f6a4 100755
--- a/.github/ci.sh
+++ b/.github/ci.sh
@@ -113,7 +113,7 @@ sign() {
 # statements that could leak GPG-related secrets.
 set +x
 gpg --batch --import <(echo "$SIGNING_KEY")
- fingerprint="$(gpg --list-keys | grep galois -a1 | head -n1 | awk '{$1=$1};1')"
+ fingerprint="$(gpg --list-keys | grep Galois -a1 | head -n1 | awk '{$1=$1};1')"
 echo "$fingerprint:6" | gpg --import-ownertrust
 gpg --yes --no-tty --batch --pinentry-mode loopback --default-key "$fingerprint" --detach-sign -o "$1".sig --passphrase-file <(echo "$SIGNING_PASSPHRASE") "$1"
 set -x
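Review bot: `on.push.tags` entries are GitHub filter patterns (glob-like: `*`, `**`, `?`, `+`, `[...]`), not regular expressions, so removing the stray leading `?` fixes the obvious problem, but the remaining `(.[0-9]+)?` group is not documented pattern syntax and `.` is a literal there; it is worth confirming that a three-component tag (constructed example: `2.13.0`) actually triggers the run, or replacing the single entry with two, `"[0-9]+.[0-9]+"` and `"[0-9]+.[0-9]+.[0-9]+"`. The `release` output that the `build-push-image` hunk below now keys on presumably derives from this tag match inside the `config` job, which is outside both hunks, so the image push only fires if this filter matches; a short comment above the entry naming the intended tag shapes would help the next reader, e.g. `# Release tags: MAJOR.MINOR or MAJOR.MINOR.PATCH (glob filter, not regex)`.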
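Review bot: Selecting the signing key by a case-sensitive substring of the user ID (`grep Galois -a1 | head -n1`) is exactly what forced a code change for this key rotation, and it still picks whichever key lists first if the runner's keyring ever holds more than one match, and then grants that key ultimate owner trust through `--import-ownertrust`. The `-a1` context trick also appears to rely on `gpg --list-keys` printing the fingerprint on the line directly before the uid, which is human-readable layout rather than a contract. Prefer the machine-readable listing, `fingerprint="$(gpg --list-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')"`, or better, pin the expected fingerprint as a non-secret CI variable (placeholder `SIGNING_KEY_FINGERPRINT`) and fail if `gpg --list-keys --with-colons "$SIGNING_KEY_FINGERPRINT"` does not find it, so a wrong or extra key can never be trusted or used. sign() starts at this hunk's `@@` context line and its closing brace is outside the hunk.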