feat(ci): sign archlinux packages with GPG for pacman verification

Pacman verifies individual package signatures (.sig files). Add GPG
setup and detach-sign step for archlinux packages in the os-package
job. The .sig is uploaded alongside the package to S3.
This commit is contained in:
kolaente 2026-04-14 19:35:23 +02:00
parent c970f87e89
commit 0b45cff583
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
1 changed files with 15 additions and 0 deletions

View File

@ -179,6 +179,12 @@ jobs:
- name: Write GPG key for nfpm
if: matrix.package == 'rpm'
run: echo -n "${{ secrets.RELEASE_GPG_SIGN_KEY }}" > /tmp/nfpm-signing-key.gpg
- name: GPG setup for package signing
if: matrix.package == 'archlinux'
uses: kolaente/action-gpg@main
with:
gpg-passphrase: "${{ secrets.RELEASE_GPG_PASSPHRASE }}"
gpg-sign-key: "${{ secrets.RELEASE_GPG_SIGN_KEY }}"
- name: Prepare
env:
RELEASE_VERSION: ${{ steps.ghd.outputs.describe }}
@ -199,6 +205,15 @@ jobs:
env:
NFPM_GPG_KEY_FILE: ${{ (matrix.package == 'rpm') && '/tmp/nfpm-signing-key.gpg' || '' }}
NFPM_PASSPHRASE: ${{ (matrix.package == 'rpm') && secrets.RELEASE_GPG_PASSPHRASE || '' }}
- name: Sign package
if: matrix.package == 'archlinux'
run: |
gpg --default-key 7D061A4AA61436B40713D42EFF054DACD908493A \
--batch --yes \
--passphrase "${{ secrets.RELEASE_GPG_PASSPHRASE }}" \
--pinentry-mode loopback \
--detach-sign \
./dist/os-packages/vikunja-${{ github.ref_type == 'tag' && steps.ghd.outputs.describe || 'unstable' }}-${{ matrix.arch.pkg }}.${{ matrix.package }}
- name: Upload
uses: kolaente/s3-action@main
with: