diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml
index 7233f0a53746..4058311b257d 100644
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -75,6 +75,12 @@ jobs:
 args: mod -licenses -json -output bom.json
 version: ^v1
 
+ - name: "save gpg key"
+ env:
+ GPG_KEY: ${{ secrets.GPG_KEY }}
+ run: |
+ echo "$GPG_KEY" > gpg.key
+
 - name: GoReleaser
 uses: goreleaser/goreleaser-action@v4
 with:
@@ -82,6 +88,12 @@ jobs:
 args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
 env:
 GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+ NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+ GPG_FILE: "gpg.key"
+
+ - name: "remove gpg key"
+ run: |
+ rm gpg.key
 
 # Push images to registries (only for canary build)
 # The custom Dockerfile.canary is necessary
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 43f770d60696..39edef0294eb 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -134,4 +134,5 @@ jobs:
 with:
 version: v1.16.2
 args: release --skip-sign --snapshot --clean --skip-publish --timeout 90m
-
+ env:
+ GPG_FILE: "nogpg.key"
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md
index 05f2c84a68aa..e7a1f72e6864 100644
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -15,8 +15,9 @@ In this section you will find an aggregation of the different ways to install Tr
 [trivy]
 name=Trivy repository
 baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
- gpgcheck=0
+ gpgcheck=1
 enabled=1
+ gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
 EOF
 sudo yum -y update
 sudo yum -y install trivy
diff --git a/goreleaser.yml b/goreleaser.yml
index afbf9be9c75c..a4c36f3715a1 100644
--- a/goreleaser.yml
+++ b/goreleaser.yml
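Review bot: The `save gpg key` step writes the private signing key to `gpg.key` in the checkout directory with the default umask, so every later step in the job can read it and it sits beside files that packaging may pick up. Writing it outside the work tree with owner-only permissions narrows that exposure: put `umask 077` before a redirect to `"$RUNNER_TEMP/gpg.key"`, and set `GPG_FILE: ${{ runner.temp }}/gpg.key` in the GoReleaser step. `printf '%s\n' "$GPG_KEY"` is also safer than `echo`, whose handling of backslashes and leading dashes differs between shells.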
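Review bot: The `remove gpg key` step has no `if:` condition, so it is skipped whenever the GoReleaser step before it fails, and the private key then stays on disk for the rest of the job. On a self-hosted runner it would also outlive the job; the runner type is not visible in this hunk. I would add `if: always()` to the step and use `rm -f gpg.key`, so that cleanup runs on failure and tolerates a missing file. The comment that follows suggests image build and push steps come next, which is another reason to guarantee the key is gone by then.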
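Review bot: `GPG_FILE: "nogpg.key"` in test.yaml is unexplained, and a reader cannot tell that the file is not meant to exist. The value appears to be there only so that `key_file: '{{ .Env.GPG_FILE }}'` in the goreleaser.yml hunk renders during the snapshot build, which already passes `--skip-sign`. I would add a comment above the `env:` block such as `# placeholder path; goreleaser.yml requires .Env.GPG_FILE to be set`, and a matching comment on the `key_file` line in goreleaser.yml naming the variable as required. This test build then never exercises the RPM signing path, so a wrong key or passphrase would first surface in a real release.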
@@ -74,6 +74,9 @@ nfpms:
 contents:
 - src: contrib/*.tpl
 dst: /usr/local/share/trivy/templates
+ rpm:
+ signature:
+ key_file: '{{ .Env.GPG_FILE }}'
 
 archives:
 -