pass the secrets

demergent-labs · Oct 14, 2024 · e22e703 · e22e703
1 parent 3752ced
commit e22e703
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,6 +19,7 @@ jobs:
 
     get-test-infos:
         needs: determine-should-release
+        # Only run this job if it's a release branch. This job will run instead of run-tests and will automatically publish another commit which will be tested
         if: ${{ startsWith(github.head_ref, 'release--') && needs.determine-should-release.outputs.should-release }}
         name: Get test infos
         runs-on: ubuntu-latest
@@ -57,3 +58,6 @@ jobs:
             - get-test-infos
 
         uses: ./.github/workflows/release_parallel.yml
+        secrets:
+            GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} # All commits must be verified
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release_parallel.yml b/.github/workflows/release_parallel.yml
@@ -1,11 +1,19 @@
 name: Parallel Release
 on:
     workflow_call:
+        secrets:
+            GPG_SIGNING_KEY:
+                required: true
+            GH_TOKEN:
+                required: true
 
 jobs:
     prepare-release:
         name: Prepare Release
         runs-on: ubuntu-latest
+        env:
+            GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} # All commits must be verified
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         outputs:
             release-version: ${{ steps.get-version.outputs.release-version }}
             test-infos: ${{ steps.get-test-infos.outputs.test-infos }}
@@ -53,6 +61,16 @@ jobs:
               run: |
                   AZLE_VERBOSE=true npx azle install-global-dependencies --rust --wasi2ic
 
+            # TODO we should use some Action-specific bot account
+            - name: Configure git for publishing release
+              run: |
+                  git config --global user.name 'Jordan Last'
+                  git config --global user.email 'jordan.michael.last@gmail.com'
+                  git config --global commit.gpgsign true
+                  echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
+                  git config --global user.signingkey C8B77BCBE16CD2B94B43F9C8757397B82D4ED7B0
+                  git -k
+
             - name: Update version and build templates
               run: |
                   VERSION=${{ steps.get-version.outputs.release-version }}
@@ -65,14 +83,6 @@ jobs:
                   echo "We are about to template --experimental"
                   npx azle template --experimental
 
-            - name: Commit and push changes
-              run: |
-                  git config --global user.name 'Jordan Last'
-                  git config --global user.email 'jordan.michael.last@gmail.com'
-                  git add --all
-                  git commit -m "Prepare release ${{ steps.get-version.outputs.release-version }}"
-                  git push origin "${{ github.event.pull_request.head.ref || github.ref_name }}"
-
             - name: Publish to npm
               run: |
                   if [[ "${{ steps.get-version.outputs.release-version }}" == *"-rc."* ]]; then