
chore: fix verify-key-signature workflow (#54) #21

chore: fix verify-key-signature workflow (#54)


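---
name: Verify commit signature on key files

# Triggered only by changes under keys/ (and by changes to this workflow
# itself, so edits to the check are exercised by the check).
on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
      - .github/workflows/verify-key-signature.yml
      - keys/**
  push:
    branches:
      - main
    paths:
      - .github/workflows/verify-key-signature.yml
      - keys/**

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Read-only token: the job only inspects history and never writes anything back.
permissions:
  contents: read

jobs:
  verify-signature:
    # Skip draft PRs. The push case is spelled out explicitly so the job does
    # not rely on `null == false` coercion when github.event.pull_request is absent.
    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          fetch-depth: 0 # We need all the commits to be sure to find the specific one with the signature.
          persist-credentials: false

      - name: Validate PGP signature on key files
        # Explicit bash so the `git diff | while` pipeline below fails the step
        # when any stage fails (pipefail); see
        # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
        shell: bash
        env:
          # Passed through env rather than interpolated into the script so the
          # expression result is never parsed as shell. On a PR checkout HEAD is
          # the merge commit, so HEAD^ is the base branch; on push it is the
          # previous tip of main. NOTE(review): on a force-push or a brand-new
          # branch `github.event.before` can be all zeros and `git diff` will
          # fail the job — confirm that is the intended outcome.
          DIFF_BASE: ${{ github.event_name == 'pull_request' && 'HEAD^' || github.event.before }}
        run: |
          set -euo pipefail
          # NUL-delimited file names so paths containing whitespace or quoting
          # characters are not mangled by `read`.
          git diff -z --name-only --diff-filter=d "$DIFF_BASE" -- keys/ \
            | while IFS= read -r -d '' KEY_FILE; do
                # Fresh, private keyring per file: the commit can only verify
                # against a key contained in that same file (proof of possession
                # of the key being added), never against one imported from an
                # earlier iteration. Assignment and export are separate so a
                # failing mktemp is not masked by `export` under errexit.
                GNUPGHOME="$(mktemp -d)"
                export GNUPGHOME
                chmod 700 "$GNUPGHOME"
                # Clean up the keyring even when verification fails mid-loop.
                trap 'rm -rf "$GNUPGHOME"' EXIT
                gpg --batch --import "$KEY_FILE"
                # Verify the most recent commit that touched this file; for a
                # clean PR merge, history simplification resolves this to the
                # PR commit rather than the synthetic merge commit.
                COMMIT="$(git log -1 --format=%H -- "$KEY_FILE")"
                echo "Verifying signature of ${COMMIT} for ${KEY_FILE}"
                git verify-commit "$COMMIT"
                rm -rf "$GNUPGHOME"
              done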