chore: fix verify-key-signature workflow (#54)
#21
| name: Verify commit signature on key files | |
| on: | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| paths: | |
| - .github/workflows/verify-key-signature.yml | |
| - keys/** | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - .github/workflows/verify-key-signature.yml | |
| - keys/** | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| verify-signature: | |
| if: github.event.pull_request.draft == false | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 # We need all the commits to be sure to find the specific one with the signature. | |
| persist-credentials: false | |
| - name: Validate PGP signature on key files | |
| shell: bash # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference, we want the pipefail option. | |
| run: | | |
| git diff ${{ github.event_name == 'pull_request' && 'HEAD^' || github.event.before }} --name-only --diff-filter=d -- keys/ | while read -r KEY_FILE; do | |
| export GNUPGHOME=$(mktemp -d) | |
| chmod 700 "$GNUPGHOME" | |
| gpg --import "$KEY_FILE" | |
| git verify-commit "$(git log -1 --format=%H -- "$KEY_FILE")" | |
| rm -r "$GNUPGHOME" | |
| done |
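Review bot: The run step never states what the check proves, and with a fresh GNUPGHOME populated only from the changed file, the loop verifies that the latest commit touching each key file is signed by a key contained in that same file, a proof of possession, not a check of who is authorized to add keys, so a comment above the loop such as `# Proof of possession: the newest commit touching each changed key file must be signed by a key in that file (fresh keyring per file, so no other key can vouch for it).` would make the intent clear to the next maintainer. Paths containing non-ASCII or special characters are quoted by git's default core.quotePath and would then be passed to gpg verbatim; `git diff -z … | while IFS= read -r -d '' KEY_FILE; do` avoids that. On a force-push to main, github.event.before is the all-zero SHA and git diff fails; because of pipefail this fails the job loudly rather than passing silently, which seems acceptable but is worth a comment on the run line.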