Merge pull request #6629 from Expensify/andrew-sign-v2

Expensify · Dec 8, 2021 · e9ba4e8 · e9ba4e8
2 parents 3e5c62d + da402c5
commit e9ba4e8
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 2 deletions.
diff --git a/.github/workflows/OSBotify-private-key.asc.gpg b/.github/workflows/OSBotify-private-key.asc.gpg
diff --git a/.github/workflows/cherryPick.yml b/.github/workflows/cherryPick.yml
@@ -35,7 +35,7 @@ jobs:
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
         with:
           ref: main
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.OS_BOTIFY_TOKEN }}
 
       - uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65
         with:
@@ -67,7 +67,25 @@ jobs:
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
         with:
           ref: staging
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.OS_BOTIFY_TOKEN }}
+
+      - name: Decrypt Botify GPG key
+        if: github.actor == 'OSBotify'
+        run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Import Botify GPG Key
+        if: github.actor == 'OSBotify'
+        run: cd .github/workflows && gpg --import OSBotify-private-key.asc
+
+      - name: Set up git for Botify
+        if: github.actor == 'OSBotify'
+        run: |
+          git config user.signingkey DBF63700F60F5530
+          git config commit.gpgsign true
+          git config user.name OSBotify
+          git config user.email infra+osbotify@expensify.com
 
       - name: Create branch for new pull request
         run: |

diff --git a/.github/workflows/createNewVersion.yml b/.github/workflows/createNewVersion.yml
@@ -24,12 +24,23 @@ jobs:
           poll-interval-seconds: 10
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Decrypt GPG key
+        run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Import the GPG Key
+        run: cd .github/workflows && gpg --import OSBotify-private-key.asc
 
       - name: Set up git
         run: |
           git fetch
           git checkout main
+          git config user.signingkey DBF63700F60F5530
+          git config commit.gpgsign true
           git config user.name OSBotify
+          git config user.email infra+osbotify@expensify.com
 
       - name: Create new branch
         run: |

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -33,6 +33,22 @@ jobs:
         with:
           ref: staging
           token: ${{ secrets.OS_BOTIFY_TOKEN }}
+
+      - name: Decrypt Botify GPG key
+        run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Import Botify GPG Key
+        run: cd .github/workflows && gpg --import OSBotify-private-key.asc
+
+      - name: Set up git for Botify
+        run: |
+          git config user.signingkey DBF63700F60F5530
+          git config commit.gpgsign true
+          git config user.name OSBotify
+          git config user.email infra+osbotify@expensify.com
+
 
       - name: Tag version
         run: git tag $(npm run print-version --silent)
@@ -50,6 +66,22 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.OS_BOTIFY_TOKEN }}
+
+      - name: Decrypt Botify GPG key
+        run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Import Botify GPG Key
+        run: cd .github/workflows && gpg --import OSBotify-private-key.asc
+
+      - name: Set up git for Botify
+        run: |
+          git config user.signingkey DBF63700F60F5530
+          git config commit.gpgsign true
+          git config user.name OSBotify
+          git config user.email infra+osbotify@expensify.com
+
 
       - name: Checkout production branch
         run: git checkout production

diff --git a/.github/workflows/updateProtectedBranch.yml b/.github/workflows/updateProtectedBranch.yml
@@ -53,6 +53,21 @@ jobs:
 
       - name: Set New Version
         run: echo "NEW_VERSION=$(npm run print-version --silent)" >> $GITHUB_ENV
+
+      - name: Decrypt Botify GPG key
+        run: cd .github/workflows && gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output OSBotify-private-key.asc OSBotify-private-key.asc.gpg
+        env:
+          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
+
+      - name: Import Botify GPG Key
+        run: cd .github/workflows && gpg --import OSBotify-private-key.asc
+
+      - name: Set up git for Botify
+        run: |
+          git config user.signingkey DBF63700F60F5530
+          git config commit.gpgsign true
+          git config user.name OSBotify
+          git config user.email infra+osbotify@expensify.com
 
       - name: Create temporary branch to resolve conflicts
         if: ${{ contains(fromJSON('["staging", "production"]'), github.event.inputs.TARGET_BRANCH) }}