Correcting file path.
pvinh-spike committed Oct 28, 2024
1 parent fc8ac1b commit 7738963
Showing 2 changed files with 91 additions and 181 deletions.
142 changes: 0 additions & 142 deletions action.yaml

This file was deleted.

130 changes: 91 additions & 39 deletions devops/setup-gpg/action.yaml
@@ -1,89 +1,141 @@
name: 'Setup GPG'
description: 'Configures this action to run gpg with a given key and pass'
inputs:
gpg-private-key: # id of input
gpg-private-key:
description: 'GPG private key exported as an ASCII armored version or its base64 encoding'
required: true
gpg-key-pass: # id of input
gpg-key-pass:
description: 'Passphrase of the GPG private key'
required: true
gpg-key-name: # id of input
required: true
default: "Aerospike"
gpg-public-key:
description: 'GPG public key exported as an ASCII armored version or its base64 encoding'
required: true
gpg-key-name:
description: 'GPG key name'
required: true
default: 'aerospike-inc'
gpg-trust-level:
description: 'Set key trust level'
required: false
default: 5
runs:
using: "composite"
steps:
- name: "check if private key is not empty"
- name: "check if private key is empty"
env:
PRIVATE_KEY: ${{ inputs.gpg-private-key }}
if: ${{ env.PRIVATE_KEY == '' }}
GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}
if: ${{ env.GPG_PRIVATE_KEY == '' }}
run: |
echo "the gpg-private-key was empty"
echo "The gpg-private-key was empty"
exit 1
shell: bash
- name: "check if key name is not empty"
env:
KEY_NAME: ${{ inputs.gpg-key-name }}
if: ${{ env.KEY_NAME == '' }}
- name: "check if public key is empty"
env:
GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }}
if: ${{ env.GPG_PUBLIC_KEY == '' }}
run: |
echo "the gpg-key-name was empty"
echo "The gpg-public-key was empty"
exit 1
shell: bash
- name: "check if key pass is not empty"
- name: "check if key name is empty"
env:
KEY_PASS: ${{ inputs.gpg-key-pass }}
if: ${{ env.KEY_PASS == '' }}
GPG_ID: ${{ inputs.gpg-key-name }}
if: ${{ env.GPG_ID == '' }}
run: |
echo "the secret gpg-key-pass was empty"
echo "The gpg-key-name was empty"
exit 1
shell: bash
- name: "check if public key pass is empty"
- name: "check if key pass is empty"
env:
PUBLIC_KEY: ${{ inputs.gpg-public-key }}
if: ${{ env.PUBLIC_KEY == '' }}
GPG_PASS: ${{ inputs.gpg-key-pass }}
if: ${{ env.GPG_PASS == '' }}
run: |
echo "the secret gpg-public-pass was empty"
echo "The secret gpg-key-pass was empty"
exit 1
shell: bash
- name: install tools
run: |
sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev dpkg-sig rpm -y
sudo apt-get update && sudo apt-get install ca-certificates gnupg dpkg-dev rpm dpkg-sig expect -y
shell: bash
- name: Set up GPG
env:
GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}
GPG_KEY_PASS: ${{ inputs.gpg-key-pass }}
GPG_PASS: ${{ inputs.gpg-key-pass }}
GPG_ID: ${{ inputs.gpg-key-name }}
GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }}
GPG_TRUST_LEVEL: ${{ inputs.gpg-trust-level }}
RPM_MACROS: |
%_signature gpg
%_gpg_path ~/.gnupg
%_gpg_name Aerospike
%__gpg_check_password_cmd /bin/true
%_gpgbin /usr/bin/gpg
%__gpg /usr/bin/gpg
%__gpg_sign_cmd %{__gpg} \
gpg \
--pinentry-mode loopback \
--batch \
--verbose \
--no-armor \
--no-secmem-warning \
--passphrase-file /home/runner/.gnupg/.pass \
--digest-algo sha256 \
-u "%{_gpg_name}" \
-sbo %{__signature_filename} %{__plaintext_filename}
SET_TRUST_LEVEL: |
#!/bin/bash
# Set the key ID and the desired trust level
KEY_ID=$1 # Pass the key ID or fingerprint as an argument
TRUST_LEVEL=$2 # Pass the trust level as an argument (1-5)
# Check if both arguments are provided
if [ -z "$KEY_ID" ] || [ -z "$TRUST_LEVEL" ]; then
echo "Usage: $0 <key-id> <trust-level>"
echo "Trust levels: 1 = I don't trust, 2 = I do NOT trust, 3 = I trust marginally, 4 = I trust fully, 5 = I trust ultimately"
exit 1
fi
# Check if the provided trust level is valid
if [[ "$TRUST_LEVEL" -lt 1 || "$TRUST_LEVEL" -gt 5 ]]; then
echo "Invalid trust level. Trust levels: 1-5"
exit 1
fi
# Use 'expect' to automate gpg trust level interaction
expect << EOF
spawn gpg --edit-key $KEY_ID
expect "gpg>"
send "trust\r"
expect "Your decision?"
send "$TRUST_LEVEL\r"
expect "Do you really want to set this key to ultimate trust? (y/N)"
send "y\r"
expect "gpg>"
send "save\r"
expect eof
EOF
run: |
# Setup gpg
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes
echo "$GPG_KEY_PASS"
echo "$GPG_PASS"
echo -e "$SET_TRUST_LEVEL" > ~/set-gpg-trust.sh
chmod a+x ~/set-gpg-trust.sh
~/set-gpg-trust.sh "$GPG_ID" "$GPG_TRUST_LEVEL"
# configure for non-interactive use
export GPG_TTY=no-tty
echo -e "pinentry-mode loopback\nuse-agent" >> ~/.gnupg/gpg.conf
echo -e "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
# configure rpm's
echo -e "$GPG_KEY_PASS" >> ~/pass
echo -e "%_signature gpg" >> ~/.rpmmacros
echo -e "%_gpg_path ~/.gnupg" >> ~/.rpmmacros
echo -e "%_gpg_name $GPG_ID" >> ~/.rpmmacros
echo -e "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
echo -e "%__gpg /usr/bin/gpg" >> ~/.rpmmacros
echo -e "%__gpg_sign_cmd %{__gpg} \\" >> ~/.rpmmacros
echo -e "gpg --no-verbose --batch --no-tty --passphrase-file /home/runner/pass --pinentry-mode loopback \\" >> ~/.rpmmacros
echo -e " %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} \\" >> ~/.rpmmacros
echo -e " --no-secmem-warning \\" >> ~/.rpmmacros
echo -e " -u '%{_gpg_name}' -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
# public key for verification
echo -e "$GPG_PASS" >> ~/.gnupg/.pass
echo -e "$GPG_PUBLIC_KEY" >> ~/.gnupg/.public_key.asc
rpm --import ~/.gnupg/.public_key.asc
echo -e "$RPM_MACROS" > ~/.rpmmacros
#cp setup-gpg/.rpmmacros ~/.rpmmacros
rpm --import ~/.gnupg/.public_key.asc
# reload agent
gpg-connect-agent reloadagent /bye
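Review bot: `echo "$GPG_PASS"` in the new "Set up GPG" run block prints the signing-key passphrase into the job log; GitHub only masks it if the caller happened to pass a `secrets.*` value, and the line serves no purpose, so it should be deleted outright. The passphrase file is then written with `echo -e "$GPG_PASS" >> ~/.gnupg/.pass`, which rewrites any backslash sequence in the passphrase, accumulates a second line on re-runs, and leaves the file at the default umask; `printf '%s\n' "$GPG_PASS" > ~/.gnupg/.pass` followed by `chmod 600 ~/.gnupg/.pass` addresses all three. Separately, `RPM_MACROS` hard-codes `%_gpg_name Aerospike` while the `gpg-key-name` input defaults to `aerospike-inc` and is used as `$GPG_ID` everywhere else, so rpm signing silently ignores the input; the removed `echo -e "%_gpg_name $GPG_ID" >> ~/.rpmmacros` line had this right, and `${{ inputs.gpg-key-name }}` can be interpolated into the env block scalar. The expect script in `SET_TRUST_LEVEL` also waits for the "ultimate trust" confirmation unconditionally, so any trust level other than 5 stalls until expect's timeout before the `save` is sent — `gpg --import-ownertrust` fed a `<fingerprint>:<level>:` line would set the trust without an interactive session, and it should be keyed on the fingerprint rather than the free-text key name. Finally, `rpm --import ~/.gnupg/.public_key.asc` is run twice in the same block; one of the two should go.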
