mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-14 10:34:06 +02:00
ci(tauri): skip Linux GPG signing when secret is missing (#6263)
This commit is contained in:
@@ -188,6 +188,7 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
SM_API_KEY: ${{ secrets.SM_API_KEY }}
|
SM_API_KEY: ${{ secrets.SM_API_KEY }}
|
||||||
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
|
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
|
||||||
|
RELEASE_GPG_PRIVATE_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}
|
||||||
steps:
|
steps:
|
||||||
- name: Harden Runner
|
- name: Harden Runner
|
||||||
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
|
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
|
||||||
@@ -409,9 +410,7 @@ jobs:
|
|||||||
sed "s/${KEYPAIR_ALIAS}/***/g" ./frontend/src-tauri/tauri.windows.conf.json
|
sed "s/${KEYPAIR_ALIAS}/***/g" ./frontend/src-tauri/tauri.windows.conf.json
|
||||||
|
|
||||||
- name: Import release GPG signing key (Linux)
|
- name: Import release GPG signing key (Linux)
|
||||||
if: matrix.platform == 'ubuntu-22.04'
|
if: matrix.platform == 'ubuntu-22.04' && env.RELEASE_GPG_PRIVATE_KEY != '' && (github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.sign != 'false') || github.ref == 'refs/heads/V2-master')
|
||||||
env:
|
|
||||||
RELEASE_GPG_PRIVATE_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}
|
|
||||||
run: |
|
run: |
|
||||||
echo "$RELEASE_GPG_PRIVATE_KEY" | gpg --batch --import
|
echo "$RELEASE_GPG_PRIVATE_KEY" | gpg --batch --import
|
||||||
gpg --list-secret-keys --keyid-format=long
|
gpg --list-secret-keys --keyid-format=long
|
||||||
@@ -443,7 +442,8 @@ jobs:
|
|||||||
# APPIMAGETOOL_SIGN_PASSPHRASE appimagetool uses this to unlock the GPG key non-interactively
|
# APPIMAGETOOL_SIGN_PASSPHRASE appimagetool uses this to unlock the GPG key non-interactively
|
||||||
# SIGN_KEY appimagetool picks the key matching this fingerprint
|
# SIGN_KEY appimagetool picks the key matching this fingerprint
|
||||||
# Without SIGN=1, the other two are ignored and the AppImage is built unsigned even if a key is present.
|
# Without SIGN=1, the other two are ignored and the AppImage is built unsigned even if a key is present.
|
||||||
SIGN: "1"
|
# Mirror the Windows/macOS gate: only sign on a real release/dispatch+sign or V2-master, when secret is present.
|
||||||
|
SIGN: ${{ (env.RELEASE_GPG_PRIVATE_KEY != '' && (github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.sign != 'false') || github.ref == 'refs/heads/V2-master')) && '1' || '0' }}
|
||||||
APPIMAGETOOL_SIGN_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
|
APPIMAGETOOL_SIGN_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
|
||||||
SIGN_KEY: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
SIGN_KEY: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
||||||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||||||
@@ -460,7 +460,7 @@ jobs:
|
|||||||
args: ${{ matrix.args }}
|
args: ${{ matrix.args }}
|
||||||
|
|
||||||
- name: Clear release GPG key from runner keyring (Linux)
|
- name: Clear release GPG key from runner keyring (Linux)
|
||||||
if: always() && matrix.platform == 'ubuntu-22.04'
|
if: always() && matrix.platform == 'ubuntu-22.04' && env.RELEASE_GPG_PRIVATE_KEY != '' && (github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.sign != 'false') || github.ref == 'refs/heads/V2-master')
|
||||||
env:
|
env:
|
||||||
RELEASE_GPG_FINGERPRINT: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
RELEASE_GPG_FINGERPRINT: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
@@ -89,6 +89,7 @@ jobs:
|
|||||||
SM_API_KEY: ${{ secrets.SM_API_KEY }}
|
SM_API_KEY: ${{ secrets.SM_API_KEY }}
|
||||||
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
|
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
|
||||||
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
|
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
|
||||||
|
RELEASE_GPG_PRIVATE_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}
|
||||||
steps:
|
steps:
|
||||||
- name: Harden Runner
|
- name: Harden Runner
|
||||||
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
|
uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
|
||||||
@@ -293,9 +294,7 @@ jobs:
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
- name: Import release GPG signing key (Linux)
|
- name: Import release GPG signing key (Linux)
|
||||||
if: matrix.platform == 'ubuntu-22.04'
|
if: matrix.platform == 'ubuntu-22.04' && env.RELEASE_GPG_PRIVATE_KEY != '' && github.ref == 'refs/heads/main'
|
||||||
env:
|
|
||||||
RELEASE_GPG_PRIVATE_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}
|
|
||||||
run: |
|
run: |
|
||||||
echo "$RELEASE_GPG_PRIVATE_KEY" | gpg --batch --import
|
echo "$RELEASE_GPG_PRIVATE_KEY" | gpg --batch --import
|
||||||
gpg --list-secret-keys --keyid-format=long
|
gpg --list-secret-keys --keyid-format=long
|
||||||
@@ -327,7 +326,8 @@ jobs:
|
|||||||
# APPIMAGETOOL_SIGN_PASSPHRASE appimagetool uses this to unlock the GPG key non-interactively
|
# APPIMAGETOOL_SIGN_PASSPHRASE appimagetool uses this to unlock the GPG key non-interactively
|
||||||
# SIGN_KEY appimagetool picks the key matching this fingerprint
|
# SIGN_KEY appimagetool picks the key matching this fingerprint
|
||||||
# Without SIGN=1, the other two are ignored and the AppImage is built unsigned even if a key is present.
|
# Without SIGN=1, the other two are ignored and the AppImage is built unsigned even if a key is present.
|
||||||
SIGN: "1"
|
# Mirror the Windows/macOS gate: only sign when secret is present AND ref is main (skips PRs from forks/Dependabot).
|
||||||
|
SIGN: ${{ (env.RELEASE_GPG_PRIVATE_KEY != '' && github.ref == 'refs/heads/main') && '1' || '0' }}
|
||||||
APPIMAGETOOL_SIGN_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
|
APPIMAGETOOL_SIGN_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}
|
||||||
SIGN_KEY: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
SIGN_KEY: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
||||||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||||||
@@ -343,7 +343,7 @@ jobs:
|
|||||||
args: ${{ matrix.args }}
|
args: ${{ matrix.args }}
|
||||||
|
|
||||||
- name: Clear release GPG key from runner keyring (Linux)
|
- name: Clear release GPG key from runner keyring (Linux)
|
||||||
if: always() && matrix.platform == 'ubuntu-22.04'
|
if: always() && matrix.platform == 'ubuntu-22.04' && env.RELEASE_GPG_PRIVATE_KEY != '' && github.ref == 'refs/heads/main'
|
||||||
env:
|
env:
|
||||||
RELEASE_GPG_FINGERPRINT: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
RELEASE_GPG_FINGERPRINT: ${{ vars.RELEASE_GPG_FINGERPRINT }}
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
Reference in New Issue
Block a user