Foundation laying (#15)

* refactor!: move and more explicitly name the existing workflow and action

* docs: update README.md

* chore: repo management, linting, editor integrations

* chore: update linteres, update from trunk fmt: tabs are better than spaces

* chore: update trunk actions

* docs: add trunk commands to README

* docs: update versioning guidelines

* build: add commitlint, move prettierrc so editors read it

* build: improve test workflows to test explicit ubuntu versions

* build!: remove dpkg-[sig,dev]. not available in ubuntu-24

* fix: s/deb-sigs/debsigs

* test: add non-expiring testing key

* ci: fails with local keys, test with real ones

* test: remove 24.04 from all workflows

* test: remove debug 'exit 1'. oops. still hangs with local key

* test: explicitly pass the gpg no-tty arg to dpkg-sig

* test: add an actrc for local testing

* fix: action and workflow fixes to make deb signing work again, keep rpm & file working

* ci: act and gha runners differe on access to /root: don't use /root

* ci: more safely reload the gpg agent

Author: logikal

.actrc

@@ -0,0 +1,2 @@
+--container-architecture=linux/amd64
+--action-offline-mode

.editorconfig

@@ -0,0 +1,11 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = false
+insert_final_newline = true

devops/setup-gpg/README.md renamed to .github/actions/setup-gpg/README.md

@@ -3,6 +3,7 @@
 This composite action will setup your github action to use a supplied gpg key.
 
 ## Supported Platforms
+
 - GPG
 - rpmsign/rpm
 - debsign
@@ -28,7 +29,8 @@ jobs:
           gpg-key-name: "Aerospike"
 ```
 
-### Example RPM and GPG useage
+### Example RPM and GPG usage
+
 ```yaml
 name: GPG sign rpm
 on: workflow_dispatch

.github/actions/setup-gpg/action.yaml

@@ -0,0 +1,126 @@
+name: Setup GPG
+description: Configures this action to run gpg with a given key and pass
+inputs:
+  gpg-private-key:
+    description: GPG private key exported as an ASCII armored version or its base64 encoding
+    required: true
+  gpg-key-pass:
+    description: GPG key pass
+    required: true
+  gpg-public-key:
+    description: GPG public key exported as an ASCII armored version or its base64 encoding
+    required: true
+runs:
+  using: composite
+  steps:
+    - name: Check Ubuntu version
+      shell: bash
+      run: |
+        if [[ "$(cat /etc/os-release | grep VERSION_ID)" != *"22.04"* ]]; then
+          echo "This action only supports Ubuntu 22.04"
+          exit 1
+        fi
+
+    - name: check if private key is not empty
+      shell: bash
+      env:
+        PRIVATE_KEY: ${{ inputs.gpg-private-key }}
+      if: ${{ env.PRIVATE_KEY == '' }}
+      run: |
+        echo "the gpg-private-key was empty"
+        exit 1
+
+    - name: check if key pass is not empty
+      shell: bash
+      env:
+        KEY_PASS: ${{ inputs.gpg-key-pass }}
+      if: ${{ env.KEY_PASS == '' }}
+      run: |
+        echo "the secret gpg-key-pass was empty"
+        exit 1
+
+    - name: check if public key pass is empty
+      shell: bash
+      env:
+        PUBLIC_KEY: ${{ inputs.gpg-public-key }}
+      if: ${{ env.PUBLIC_KEY == '' }}
+      run: |
+        echo "the secret gpg-public-pass was empty"
+        exit 1
+
+    - name: install tools
+      shell: bash
+      run: |
+        sudo apt-get update && sudo apt-get install ca-certificates gnupg rpm pinentry-tty -y
+
+    - name: Set up GPG
+      shell: bash
+      env:
+        GPG_PRIVATE_KEY: ${{ inputs.gpg-private-key }}
+        GPG_KEY_PASS: ${{ inputs.gpg-key-pass }}
+        GPG_PUBLIC_KEY: ${{ inputs.gpg-public-key }}
+        HOME: /home/runner
+        GNUPGHOME: /home/runner/.gnupg
+      run: |
+        # Ensure environment variables are exported
+        export HOME="${HOME}"
+        export GNUPGHOME="${GNUPGHOME}"
+
+        # Setup gpg with consistent path
+        mkdir -p "$GNUPGHOME"
+        chmod 700 "$GNUPGHOME"
+
+        # Import the private key
+        gpg --import --batch --yes <<< "$GPG_PRIVATE_KEY"
+
+        # Get the key fingerprint and name from the imported key
+        KEY_FP=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10 }' | head -n1)
+        KEY_NAME=$(gpg --list-secret-keys --with-colons | awk -F: '/^uid:/ { print $10 }' | head -n1)
+
+        # Set default key
+        echo "default-key $KEY_FP" >> "$GNUPGHOME/gpg.conf"
+
+        # Configure passphrase handling
+        echo "allow-preset-passphrase" >> "$GNUPGHOME/gpg-agent.conf"
+        echo "allow-loopback-pinentry" >> "$GNUPGHOME/gpg-agent.conf"
+
+        # Configure GPG for non-interactive use
+        echo "use-agent" >> "$GNUPGHOME/gpg.conf"
+        echo "pinentry-mode loopback" >> "$GNUPGHOME/gpg.conf"
+        echo "batch" >> "$GNUPGHOME/gpg.conf"
+        echo "no-tty" >> "$GNUPGHOME/gpg.conf"
+        echo "passphrase-file $GNUPGHOME/passphrase" >> "$GNUPGHOME/gpg.conf"
+
+        # Create passphrase file
+        echo "$GPG_KEY_PASS" > "$GNUPGHOME/passphrase"
+        chmod 600 "$GNUPGHOME/passphrase"
+
+        # Set permissions on specific files we know exist
+        for file in "$GNUPGHOME/gpg.conf" "$GNUPGHOME/gpg-agent.conf" "$GNUPGHOME/passphrase"; do
+          if [ -f "$file" ]; then
+            chmod 600 "$file"
+          fi
+        done
+
+        # Create symlink for gpg2 (required for rpm signing)
+        sudo ln -sf $(which gpg) /usr/bin/gpg2
+
+        # Configure rpm macros line by line
+        {
+          echo "%_signature gpg"
+          echo "%_gpg_path $GNUPGHOME"
+          echo "%_gpg_name $KEY_FP"
+          echo "%_gpgbin /usr/bin/gpg2"
+          echo "%__gpg /usr/bin/gpg2"
+          echo "%__gpg_sign_cmd %{__gpg} --batch --pinentry-mode loopback --passphrase-file $GNUPGHOME/passphrase --no-armor --no-secmem-warning --no-tty -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}"
+        } > "$HOME/.rpmmacros"
+        chmod 600 "$HOME/.rpmmacros"
+
+        # Import public key for verification
+        echo -e "$GPG_PUBLIC_KEY" > "$GNUPGHOME/public.key"
+        chmod 600 "$GNUPGHOME/public.key"
+        gpg --import "$GNUPGHOME/public.key"
+        rpm --import "$GNUPGHOME/public.key"
+
+        # Reload gpg-agent configuration
+        gpg-connect-agent reloadagent /bye

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directories:
+      - /
+    schedule:
+      interval: daily

.github/workflows/sign-deb-example.yaml

@@ -0,0 +1,49 @@
+name: GPG sign DEB
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+permissions: read-all
+jobs:
+  sign-deb:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - ubuntu-22.04
+          #- ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check Ubuntu version
+        # This action only supports Ubuntu 22.04. 24.04 has removed dpkg-sig
+        run: |
+          if [[ "$(cat /etc/lsb-release | grep DISTRIB_RELEASE)" != *"22.04"* ]]; then
+            echo "This action only supports Ubuntu 22.04 due to the removal of dpkg-sig in 24.04"
+            exit 1
+          fi
+        shell: bash
+      - name: install dpkg-sig
+        run: |
+          sudo apt-get update && sudo apt-get install dpkg-sig dpkg-dev -y
+      - name: setup GPG
+        uses: ./.github/actions/setup-gpg/
+        with:
+          gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
+          gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }}
+          gpg-key-pass: ${{ secrets.GPG_PASS }}
+
+      - name: GPG sign deb # gpg sign and verify deb packages
+        env:
+          GPG_TTY: /dev/null
+          HOME: /home/runner
+          GNUPGHOME: /home/runner/.gnupg
+        run: |
+          # Ensure environment variables are exported
+          export HOME="${HOME}"
+          export GNUPGHOME="${GNUPGHOME}"
+
+          # Sign the package
+          dpkg-sig --sign builder --gpg-options "--batch --pinentry-mode loopback --passphrase-file $GNUPGHOME/passphrase" tests/*.deb
+          # Verify the signature
+          dpkg-sig --verify tests/*.deb

.github/workflows/sign-deb-test.yaml

@@ -0,0 +1,39 @@
+name: GPG sign file
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+permissions: read-all
+jobs:
+  sign-file:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - ubuntu-22.04
+          # - ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: setup GPG
+        uses: ./.github/actions/setup-gpg/
+        with:
+          gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
+          gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }}
+          gpg-key-pass: ${{ secrets.GPG_PASS }}
+
+      - name: GPG sign artifacts # Signing other artifacts
+        env:
+          GPG_TTY: /dev/null
+          HOME: /home/runner
+          GNUPGHOME: /home/runner/.gnupg
+        run: |
+          # Ensure environment variables are exported
+          export HOME="${HOME}"
+          export GNUPGHOME="${GNUPGHOME}"
+
+          # Sign the file
+          gpg --detach-sign --no-tty --batch --yes --output README.md.asc --passphrase-file "$GNUPGHOME/passphrase" README.md
+          # Verify the signature
+          gpg --verify README.md.asc README.md