ci(workflows): sign annotated tags in release workflow

- https://httgp.com/signing-commits-in-github-actions - https://docs.github.com/authentication/managing-commit-signature-verification/signing-tags - https://stackoverflow.com/questions/4404172/how-to-tag-an-older-commit-in-git/21759466/#21759466 Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>
flex-development · Aug 15, 2022 · 5aaa8b7 · 5aaa8b7
1 parent 8a6b019
commit 5aaa8b7
Showing 1 changed file with 24 additions and 27 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,7 @@
 # - https://github.com/actions/checkout
 # - https://github.com/actions/github-script
 # - https://github.com/bdougie/close-issues-based-on-label
+# - https://github.com/crazy-max/ghaction-import-gpg
 # - https://github.com/dawidd6/action-delete-branch
 
 ---
@@ -89,7 +90,19 @@ jobs:
         uses: actions/checkout@v3.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
           ref: ${{ env.REF }}
+      - id: import-gpg
+        name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v5.1.0
+        with:
+          git_commit_gpgsign: true
+          git_committer_name: ${{ format('{0}[bot]', github.repository_owner) }}
+          git_config_global: true
+          git_push_gpgsign: true
+          git_tag_gpgsign: true
+          git_user_signingkey: true
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
       - id: yarn
         name: Install dependencies
         run: yarn
@@ -111,34 +124,18 @@ jobs:
           TS_NODE_PROJECT: ./tsconfig.tsnode.json
       - id: tag
         name: Create annotated tag
-        uses: actions/github-script@v6.1.1
+        run: |
+          GIT_COMMITTER_DATE=\"$(git show --format=%aD | head -1)\" git tag -asf $TAG -m "$MESSAGE"
+          git tag -v $TAG
+          git push origin --tags
         env:
-          VERSION: ${{ needs.metadata.outputs.version }}
-        with:
-          script: |
-            const commit = await github.request('GET /repos/{owner}/{repo}/commits/{ref}', {
-              ...context.repo,
-              ref: context.payload.inputs?.ref ?? context.payload.pull_request.merge_commit_sha
-            })
-
-            console.log('commit', commit.data)
-
-            const tag = await github.rest.git.createTag({
-              ...context.repo,
-              message: `release: @${context.payload.repository.full_name}@${process.env.VERSION}`,
-              object: commit.data.sha,
-              tag: process.env.TAG,
-              tagger: commit.data.commit.committer,
-              type: 'commit'
-            })
-
-            console.log('tag', tag.data)
-
-            await github.rest.git.createRef({
-              ...context.repo,
-              ref: `refs/tags/${process.env.TAG}`,
-              sha: tag.data.sha
-            })
+          GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
+          GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
+          GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
+          GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
+          GITHUB_TOKEN: ${{ secrets.PAT_ADMIN }}
+          MESSAGE: |
+            ${{ format('release: @{0}@{1}', github.repository, needs.metadata.outputs.version) }}
       - id: publish
         name: Publish release
         run: gh release create $TAG *.tgz -t=$TAG -F=$NOTES_FILE -p=$PRERELEASE