Build and sign an RPM from the current directory (using rake pkg:single)
A Github action to build and sign an RPM using pkg:single from simp-core
Note that this requires the secret (private) GPG signing key as input; understand the security implications of this before using the action.
- Pulls down SIMP build container
- Prepares build and signing environment
- Copies local build directory into build container
- Ensures simp-core is checked out to a specific ref for building
- Adds GPG signing key to build container (without touching any
filesystems)
- IMPORTANT: see SECURITY IMPLICATIONS
- Configured GPG signing key to sign non-interactively
- Builds and signs RPM inside a SIMP build docker container
- Runs
rake pkg:singleto build the RPM - Signs RPM with GPG signing key using
rpmsign
- Runs
- Outputs RPM and cleans up
- Copies new RPM file back to local filesystem
- Ensures container is stopped and removed
- Returns information about new RPM file as output variables
To safely execute during a pull_request_target event, try something like the
following (using a previous contributor-permissions job to determine if
the Pull Request submitter is trusted):
test_action:
name: Test build & sign pupmod RPM
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
clean: true
- uses: simp/github-action-build-and-sign-pkg-single-rpm@v2
name: 'Build & sign RPM(s)'
id: build-and-sign-rpm
with:
gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }}
gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }}
gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }}
- name: 'Check basic results'
env:
rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }}
rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }}
expected_rpm_count: ${{ matrix.build.expected_rpm_count }}
run: |
[ -z "$rpm_file_paths" ] && { echo '::error ::$rpm_file_paths cannot be empty!'; exit 88; }
files=(${rpm_file_paths})
[ "${#files[@]}" -eq "$expected_rpm_count" ] || \
{ echo "::error ::Expected ${expected_rpm_count} RPM files, got ${#files[@]}"; exit 88; }
echo "Found expected number of files ($expected_rpm_count)"
if [ ! -f "$rpm_gpg_file" ]; then
printf '::error ::No file found at $rpm_gpg_file (got "%s")!\n' "$rpm_gpg_file"
exit 88
fi
echo "Found GPG public key file: $rpm_gpg_file"| Input | Required | Description |
|---|---|---|
gpg_signing_key |
Yes | ASCII-armored content of the GPG signing key's secret/private key |
gpg_signing_key_id |
Yes | GPG signing key's GPG ID (name) |
gpg_signing_key_passphrase |
Yes | Passphrase to use the GPG signing key |
path_to_build |
No | Path to directory to build Default: ${{ github.workspace }} |
simp_builder_docker_image |
No | SIMP build container image to stage build. So far, the action has only been tested with (and probably only works with) the EL8 build image'
Default: docker.io/simpproject/simp_build_centos8:latest |
simp_core_ref_for_building_rpms |
No | A ref (usually tagged release) in simp-core that is stable enough to build RPMs Default: 6.5.0-1 |
verbose |
No | If "yes", enables verbose logging while building the RPM Default: yes |
| Output | Description |
|---|---|
rpm_file_paths |
Local absolute paths to new RPM(s) |
rpm_gpg_file |
Local absolute path to public GPG signing key |
rpm_dist_dir |
Local absolute path to RPM `dist/` dir |
To sign RPMs, the action requires the secret (aka private) key of your GPG signing key and the passphrase to decrypt and use it. This inherently poses security risks that you should be aware of and understand.
The action does what it can to prevent exposure of the private signing key and its passphrase:
- secrets are piped directly into the GPG keyring in the container
- raw secrets never touch the filesystem on the runner or build container
- the secrets are handled as environment variables in a way that should not expose them to the action logs.
However, make sure to:
- protect your GPG signing key and passphrase as encrypted GitHub secrets, and only provide them directly to the action's inputs.
- use a GPG signing key that you are comfortable storing and using within GitHub's infrastructure.
This is an open source project open to anyone. This project welcomes contributions and suggestions!
If you discover an issue, please report it on our Jira at https://simp-project.atlassian.net/
Apache 2.0, See LICENSE for more information.