ci: configure signed commits for conventional versioning

tscpp · Jun 24, 2024 · 76251a1 · 76251a1
1 parent 42d3519
commit 76251a1
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 10 deletions.
diff --git a/.github/scripts/configure-git.js b/.github/scripts/configure-git.js
@@ -0,0 +1,32 @@
+import { $ } from "execa";
+import { appendFile } from "node:fs/promises";
+
+const email = "928067+conventional-versioning[bot]@users.noreply.github.com";
+const name = "Conventional Versioning";
+
+const { GITHUB_TOKEN, GPG_KEY_ID, GPG_PRIVATE_KEY, GPG_PASSPHRASE } =
+  process.env;
+
+// Configure credentials
+await $`git config --global user.email ${email}`;
+await $`git config --global user.name ${name}`;
+
+// Add token to git credentials
+await $`git config --global credential.helper store`;
+await appendFile(
+  "~/.git-credentials",
+  `https://x-access-token:${GITHUB_TOKEN}@github.com\n`,
+  { flag: "a+" },
+);
+
+// Setup GPG
+await $`echo ${GPG_PRIVATE_KEY} | gpg --import`;
+await $`echo "default-key ${GPG_KEY_ID}" >> ~/.gnupg/gpg.conf`;
+await $`echo "use-agent" >> ~/.gnupg/gpg.conf`;
+await $`echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf`;
+await $`echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf`;
+await $`gpg --batch --yes --passphrase ${GPG_PASSPHRASE} --quick-set-expire ${GPG_KEY_ID} 1y`;
+
+// Configure commit signing
+await $`git config --global user.signingkey ${GPG_KEY_ID}`;
+await $`git config --global commit.gpgSign true`;
diff --git a/.github/scripts/setup-git-user.js b/.github/scripts/setup-git-user.js
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -51,9 +51,6 @@ jobs:
       - name: Publish packages
         run: pnpm nx release publish
 
-      - name: Setup Git User
-        run: node .github/scripts/setup-git-user.js
-
       - name: Generate JWT and Get Installation Access Token
         id: auth
         run: |
@@ -71,6 +68,14 @@ jobs:
 
           echo "TOKEN=${INSTALLATION_TOKEN}" >> $GITHUB_ENV
 
+      - name: Configure Git
+        run: node .github/scripts/configure-git.js
+        env:
+          GITHUB_TOKEN: ${{ env.TOKEN }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ vars.GPG_KEY_ID }}
+
       - name: Create Release Pull Request
         run: node .github/scripts/create-versioning-pull-request.js
         env: