diff --git a/.github/ci.sh b/.github/ci.sh
index 5a19e2749..5ceb09052 100755
--- a/.github/ci.sh
+++ b/.github/ci.sh
@@ -109,10 +109,14 @@ bundle_files() {
 }
 
 sign() {
+ # This is surrounded with `set +x; ...; set -x` to disable printing out
+ # statements that could leak GPG-related secrets.
+ set +x
 gpg --batch --import <(echo "$SIGNING_KEY")
 fingerprint="$(gpg --list-keys | grep galois -a1 | head -n1 | awk '{$1=$1};1')"
 echo "$fingerprint:6" | gpg --import-ownertrust
 gpg --yes --no-tty --batch --pinentry-mode loopback --default-key "$fingerprint" --detach-sign -o "$1".sig --passphrase-file <(echo "$SIGNING_PASSPHRASE") "$1"
+ set -x
 }
 
 zip_dist() {
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 30ebd531e..92a793f95 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -158,7 +158,7 @@ jobs:
 - if: runner.os == 'Windows'
 run: .github/wix.ps1
 
- - if: needs.config.outputs.release == 'true' && runner.os == 'Windows'
+ - if: runner.os == 'Windows'
 shell: bash
 env:
 SIGNING_PASSPHRASE: ${{ secrets.SIGNING_PASSPHRASE }}
@@ -181,8 +181,7 @@ jobs:
 env:
 OS_TAG: ${{ matrix.os }}
 
- - if: needs.config.outputs.release == 'true'
- shell: bash
+ - shell: bash
 env:
 SIGNING_PASSPHRASE: ${{ secrets.SIGNING_PASSPHRASE }}
 SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
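Review bot: The closing `set -x` in `sign()` (the `.github/ci.sh` hunk) turns tracing on unconditionally instead of restoring the caller's state, so the function only does what its comment says when xtrace was already enabled. If the script is ever run without it, every command after the first `sign` call is traced, including any later ones that touch secrets. Record the state before disabling it, e.g. `local was_tracing=0; [[ $- == *x* ]] && was_tracing=1; set +x`, and finish with `if (( was_tracing )); then set -x; fi`. The comment could then read `# Tracing is switched off here and restored to its previous state afterwards, so the key and passphrase never reach the CI log.`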
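Review bot: Removing the `needs.config.outputs.release == 'true'` guard in the `@@ -158,7 +158,7 @@` hunk of `.github/workflows/ci.yml` means the step that receives `SIGNING_PASSPHRASE` now runs on every Windows build rather than only on releases; the `@@ -181,8 +181,7 @@` hunk does the same for the step that receives both `SIGNING_PASSPHRASE` and `SIGNING_KEY`. The workflow triggers and the steps' `run:` lines are outside these hunks, but if the workflow also runs for pull requests or unprotected branches, any edit to `.github/ci.sh` on such a branch would execute with the release signing key in its environment, and runs where the secrets are unavailable would presumably fail at `gpg --import`. If the aim is to exercise the signing path in ordinary CI, consider using a disposable test key for non-release runs and keeping the real key behind the release condition or a protected environment. A comment above each step saying why signing is unconditional, e.g. `# Signing runs on every build so that breakage in sign() is caught before a release`, would record the intent.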