Skip to content

Release Signing

Release Signing #4

Workflow file for this run

name: Release Signing
on:
workflow_dispatch:
inputs:
environment:
required: true
type: environment
version:
required: true
jobs:
release-gpg-test:
runs-on: ubuntu-latest
environment:
name: ${{ inputs.environment }}
steps:
- name: Import GPG
id: import_gpg
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
with:
gpg_private_key: ${{ secrets.GPG_RELEASE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
- name: Downloading the release
run: |
wget https://github.com/yarnpkg/yarn/releases/download/v${{ inputs.version }}/yarn-v${{ inputs.version }}.tar.gz
wget https://github.com/yarnpkg/yarn/releases/download/v${{ inputs.version }}/yarn-${{ inputs.version }}.js
wget https://github.com/yarnpkg/yarn/releases/download/v${{ inputs.version }}/yarn-legacy-${{ inputs.version }}.js
- name: GPG sign file
run: |
gpg -u ${{ vars.GPG_RELEASE_KEY_ID }} --armor --output yarn-v${{ inputs.version }}.tar.gz.asc --detach-sign yarn-v${{ inputs.version }}.tar.gz
gpg -u ${{ vars.GPG_RELEASE_KEY_ID }} --armor --output yarn-${{ inputs.version }}.js.asc --detach-sign yarn-${{ inputs.version }}.js
gpg -u ${{ vars.GPG_RELEASE_KEY_ID }} --armor --output yarn-legacy-${{ inputs.version }}.js.asc --detach-sign yarn-legacy-${{ inputs.version }}.js
- name: Store signature as artifact
uses: actions/upload-artifact@v3
with:
name: signed
path: |
yarn-v${{ inputs.version }}.tar.gz
yarn-v${{ inputs.version }}.tar.gz.asc
yarn-v${{ inputs.version }}.js
yarn-v${{ inputs.version }}.js.asc
yarn-legacy-${{ inputs.version }}.js
yarn-legacy-${{ inputs.version }}.js.asc