From 44dc3c27aacb9fcd8869b5295ebcea47bc05951c Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Tue, 27 Oct 2020 15:55:21 +0100
Subject: [PATCH] Try and sign phars on releases, refs #5155
---
 .github/workflows/release.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7255735d8..8f0ba92ae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,6 +57,27 @@ jobs:
 asset_name: composer.phar
 asset_content_type: application/octet-stream

+ - name: Configure GPG key and sign phar
+ run: |
+ mkdir -p ~/.gnupg/
+ chmod 0700 ~/.gnupg/
+ echo "$GPG_SIGNING_KEY" > ~/.gnupg/private.key
+ gpg --import ~/.gnupg/private.key
+ gpg -u contact@packagist.com --detach-sign --output composer.phar.asc composer.phar
+ env:
+ GPG_SIGNING_KEY: |
+ ${{ secrets.GPG_KEY_161DFBE342889F01DDAC4E61CBB3D576F2A0946F }}
+
+ - name: Upload phar signature
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: ./composer.phar.asc
+ asset_name: composer.phar.asc
+ asset_content_type: application/octet-stream
+
 # This step requires a secret token with `pull` access to composer/docker. The default
 # secrets.GITHUB_TOKEN is scoped to this repository only which is not sufficient.
 - name: "Open issue @ Docker repository"
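Review bot: The signing step writes the private key to `~/.gnupg/private.key` and leaves that file and the imported keyring in place, so every later step in this job runs with the release signing key readable on disk, including `actions/upload-release-asset@v1`, which is referenced by a mutable tag. Importing from stdin avoids the plaintext copy, `echo "$GPG_SIGNING_KEY" | gpg --batch --import`, and deleting `~/.gnupg` at the end of the same `run` block removes the keyring before any other action executes. Selecting the key by the fingerprint already present in the secret name, `-u 161DFBE342889F01DDAC4E61CBB3D576F2A0946F`, instead of by e-mail address avoids signing with a different key that happens to carry the same user ID. The context lines suggest composer.phar is uploaded before this step, so a signing failure would presumably leave a published release without a signature; signing before the first upload would make the job fail closed.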