-
Notifications
You must be signed in to change notification settings - Fork 294
109 lines (94 loc) · 5.08 KB
/
reusable_sign_packages.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: Signe Debian package
on:
workflow_call:
inputs:
_VOLUME_MOUNT:
required: True
type: string
_IMAGE_TYPE:
required: True
type: string
_BRANCH_NAME:
required: True
type: string
_PACKAGE_NAME:
required: True
type: string
jobs:
sign_package_deb:
if: inputs._IMAGE_TYPE == 'debian11' || inputs._IMAGE_TYPE == 'debian12'
runs-on: packetfence-perl-package-build
container:
image: debian:11.0
volumes:
- ${{ github.workspace }}/addons/packetfence-perl/:/root
steps:
- name: Download artifactory ${{ inputs._IMAGE_TYPE }}
uses: actions/download-artifact@v4.1.7
with:
name: ${{ env.ARTIFACTORY_NAME }}
path: /mnt
env:
ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }}
- name: Install Debian dependencies ${{ inputs._IMAGE_TYPE }}
run: apt -qq update && apt -qq -y install gpg dpkg-sig python3 python3-pip && python3 -m pip install -q -U pip && pip install -q pynacl requests
- name: Import private key ${{ inputs._IMAGE_TYPE }}
run: |
set -e && python3 /root/psono.py --api_key_id=${{ secrets.PSONO_API_KEY_ID }} --api_key_secret_key=${{ secrets.PSONO_API_KEY_SECRET_KEY }} --secret_id=${{ vars.PSONO_GPG_PRIVATE_KEY_SECRET_ID }} --return_value=password_notes | gpg --pinentry-mode loopback --import
- name: Sign the package ${{ inputs._IMAGE_TYPE }}
run: dpkg-sig -k B022C48D3D6373D7FC256A8CCB2D3A2AA0030E2C --sign builder /mnt/${{ inputs._PACKAGE_NAME }}*.deb
- name: Verify ${{ inputs._IMAGE_TYPE }} Package
run: |
gpg --verify /mnt/${{ inputs._PACKAGE_NAME }}*.deb
dpkg-sig --list /mnt/${{ inputs._PACKAGE_NAME }}*.deb
- name: Upload the package to artifactory ${{inputs._IMAGE_TYPE}}
uses: actions/upload-artifact@v3
with:
name: ${{ env.ARTIFACTORY_NAME }}
path: /mnt/${{ env.PACKAGE_NAME }}
env:
PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && env.RPM_FORMAT_PACKAGE_NAME || env.DEB_FORMAT_PACKAGE_NAME }}
ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }}
DEB_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.deb"
RPM_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.rpm"
sign_package_rpm:
runs-on: packetfence-perl-package-build
if: inputs._IMAGE_TYPE == 'rhel8'
container:
image: rockylinux:8.8
volumes:
- ${{ github.workspace }}/addons/packetfence-perl/:/root
steps:
- name: Download artifactory ${{ inputs._IMAGE_TYPE }}
uses: actions/download-artifact@v4.1.7
with:
name: ${{ env.ARTIFACTORY_NAME }}
path: /mnt
env:
ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }}
- name: Install RHEL dependencies ${{ inputs._IMAGE_TYPE }}
run: dnf -y install rpm-sign python39 && python3.9 -m pip install -q -U pip && pip install -q pynacl requests
- name: Import private key ${{ inputs._IMAGE_TYPE }}
run: |
set -e && python3 /root/psono.py --api_key_id=${{ secrets.PSONO_API_KEY_ID }} --api_key_secret_key=${{ secrets.PSONO_API_KEY_SECRET_KEY }} --secret_id=${{ vars.PSONO_GPG_PRIVATE_KEY_SECRET_ID }} --return_value=password_notes | gpg --pinentry-mode loopback --import
- name: Check if the key was imported ${{ inputs._IMAGE_TYPE }}
run: |
rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
gpg --list-keys
- name: Sign the package ${{ inputs._IMAGE_TYPE }}
run: rpm --define "_gpg_name support@inverse.ca" --define '_signature gpg' --addsign /mnt/${{ inputs._PACKAGE_NAME }}*.rpm
- name: Verify ${{ inputs._IMAGE_TYPE }} Package Signature
run: |
gpg --batch --yes --output /tmp/pubkey.pub --armor --export support@inverse.ca && rpm --import /tmp/pubkey.pub
rpm -qpi /mnt/${{ inputs._PACKAGE_NAME }}**.rpm
rpm --checksig /mnt/${{ inputs._PACKAGE_NAME }}**.rpm
- name: Upload the package to artifactory ${{inputs._IMAGE_TYPE}}
uses: actions/upload-artifact@v3
with:
name: ${{ env.ARTIFACTORY_NAME }}
path: /mnt/${{ env.PACKAGE_NAME }}
env:
PACKAGE_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && env.RPM_FORMAT_PACKAGE_NAME || env.DEB_FORMAT_PACKAGE_NAME }}
ARTIFACTORY_NAME: ${{ inputs._IMAGE_TYPE == 'rhel8' && 'package-rpm8' || inputs._IMAGE_TYPE == 'debian11' && 'package-deb11' || inputs._IMAGE_TYPE == 'debian12' && 'package-deb12' }}
DEB_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.deb"
RPM_FORMAT_PACKAGE_NAME: "${{ inputs._PACKAGE_NAME }}*.rpm"