
Commit 8cdedfb

authored
Merge pull request #2033 from dmurphy18/fix_2032
Disabling signing of commits on release updates
2 parents aaa123a + 2a4e6a3 commit 8cdedfb


2 files changed

+135
-132
lines changed


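--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -74,44 +74,45 @@ jobs:
 python3 -m pip install -r requirements/release.txt
 pre-commit install --install-hooks
 
-- name: Setup GnuPG
-run: |
-sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
-GNUPGHOME="$(mktemp -d -p /run/gpg)"
-echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
-cat <<EOF > "${GNUPGHOME}/gpg.conf"
-batch
-no-tty
-pinentry-mode loopback
-EOF
-
-- name: Get Secrets
-id: get-secrets
-env:
-SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
-run: |
-SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
-echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text | jq .default_key -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
-| gpg --import -
-sync
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text| jq .default_passphrase -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
-sync
-rm "$SECRETS_KEY_FILE"
-echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
+## - name: Setup GnuPG
+## run: |
+## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
+## GNUPGHOME="$(mktemp -d -p /run/gpg)"
+## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
+## cat <<EOF > "${GNUPGHOME}/gpg.conf"
+## batch
+## no-tty
+## pinentry-mode loopback
+## EOF
+
+## - name: Get Secrets
+## id: get-secrets
+## env:
+## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
+## run: |
+## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
+## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text | jq .default_key -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
+## | gpg --import -
+## sync
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
+## sync
+## rm "$SECRETS_KEY_FILE"
+## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
 
 - name: Configure Git
 shell: bash
 run: |
 git config --global --add safe.directory "$(pwd)"
 git config --global user.name "Salt Project Packaging"
 git config --global user.email [email protected]
-git config --global user.signingkey 64CBBC8173D76B3F
-git config --global commit.gpgsign true
+git config --global commit.gpgsign false
+## git config --global user.signingkey 64CBBC8173D76B3F
+## git config --global commit.gpgsign true
 
 - name: Update Repository
 id: update-repo
@@ -166,44 +167,45 @@ jobs:
 ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
 fetch-depth: 0
 
-- name: Setup GnuPG
-run: |
-sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
-GNUPGHOME="$(mktemp -d -p /run/gpg)"
-echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
-cat <<EOF > "${GNUPGHOME}/gpg.conf"
-batch
-no-tty
-pinentry-mode loopback
-EOF
-
-- name: Get Secrets
-id: get-secrets
-env:
-SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
-run: |
-SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
-echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text | jq .default_key -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
-| gpg --import -
-sync
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text| jq .default_passphrase -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
-sync
-rm "$SECRETS_KEY_FILE"
-echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
+## - name: Setup GnuPG
+## run: |
+## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
+## GNUPGHOME="$(mktemp -d -p /run/gpg)"
+## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
+## cat <<EOF > "${GNUPGHOME}/gpg.conf"
+## batch
+## no-tty
+## pinentry-mode loopback
+## EOF
+
+## - name: Get Secrets
+## id: get-secrets
+## env:
+## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
+## run: |
+## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
+## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text | jq .default_key -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
+## | gpg --import -
+## sync
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
+## sync
+## rm "$SECRETS_KEY_FILE"
+## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
 
 - name: Configure Git
 shell: bash
 run: |
 git config --global --add safe.directory "$(pwd)"
 git config --global user.name "Salt Project Packaging"
 git config --global user.email [email protected]
-git config --global user.signingkey 64CBBC8173D76B3F
-git config --global commit.gpgsign true
+git config --global commit.gpgsign false
+## git config --global user.signingkey 64CBBC8173D76B3F
+## git config --global commit.gpgsign true
 
 - name: Download Release Details
 uses: actions/download-artifact@v4
@@ -317,43 +319,43 @@ jobs:
 SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment)
 echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV"
 
-- name: Setup GnuPG
-run: |
-sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
-GNUPGHOME="$(mktemp -d -p /run/gpg)"
-echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
-cat <<EOF > "${GNUPGHOME}/gpg.conf"
-batch
-no-tty
-pinentry-mode loopback
-EOF
-
-- name: Get Secrets
-id: get-secrets
-env:
-SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
-run: |
-SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
-echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text | jq .default_key -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
-| gpg --import -
-sync
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text| jq .default_passphrase -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
-sync
-rm "$SECRETS_KEY_FILE"
-echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
-
-- name: Install Requirements
-run: |
-python3 -m pip install -r requirements/release.txt
-
-- name: Upload Stable Release to S3
-run: |
-tools release s3-publish --key-id 64CBBC8173D76B3F stable
+## - name: Setup GnuPG
+## run: |
+## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
+## GNUPGHOME="$(mktemp -d -p /run/gpg)"
+## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
+## cat <<EOF > "${GNUPGHOME}/gpg.conf"
+## batch
+## no-tty
+## pinentry-mode loopback
+## EOF
+
+## - name: Get Secrets
+## id: get-secrets
+## env:
+## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
+## run: |
+## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
+## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text | jq .default_key -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
+## | gpg --import -
+## sync
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
+## sync
+## rm "$SECRETS_KEY_FILE"
+## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
+
+## - name: Install Requirements
+## run: |
+## python3 -m pip install -r requirements/release.txt
+
+## - name: Upload Stable Release to S3
+## run: |
+## tools release s3-publish --key-id 64CBBC8173D76B3F stable
 
 update-develop-checksums:
 name: Update Release Checksums on Develop
@@ -386,44 +388,45 @@ jobs:
 repository: ${{ github.repository }}
 ssh-key: ${{ secrets.SALT_BOOTSTRAP_RELEASE_KEY }}
 
-- name: Setup GnuPG
-run: |
-sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
-GNUPGHOME="$(mktemp -d -p /run/gpg)"
-echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
-cat <<EOF > "${GNUPGHOME}/gpg.conf"
-batch
-no-tty
-pinentry-mode loopback
-EOF
-
-- name: Get Secrets
-id: get-secrets
-env:
-SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
-run: |
-SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
-echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text | jq .default_key -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
-| gpg --import -
-sync
-aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
---query SecretString --output text| jq .default_passphrase -r | base64 -d \
-| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
-sync
-rm "$SECRETS_KEY_FILE"
-echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
+## - name: Setup GnuPG
+## run: |
+## sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
+## GNUPGHOME="$(mktemp -d -p /run/gpg)"
+## echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
+## cat <<EOF > "${GNUPGHOME}/gpg.conf"
+## batch
+## no-tty
+## pinentry-mode loopback
+## EOF
+
+## - name: Get Secrets
+## id: get-secrets
+## env:
+## SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
+## run: |
+## SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
+## echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text | jq .default_key -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
+## | gpg --import -
+## sync
+## aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
+## --query SecretString --output text| jq .default_passphrase -r | base64 -d \
+## | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
+## sync
+## rm "$SECRETS_KEY_FILE"
+## echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
 
 - name: Configure Git
 shell: bash
 run: |
 git config --global --add safe.directory "$(pwd)"
 git config --global user.name "Salt Project Packaging"
 git config --global user.email [email protected]
-git config --global user.signingkey 64CBBC8173D76B3F
-git config --global commit.gpgsign true
+git config --global commit.gpgsign false
+## git config --global user.signingkey 64CBBC8173D76B3F
+## git config --global commit.gpgsign true
 
 - name: Update Latest Release on README
 run: |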
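Review bot: The hunk at `@@ -317,43 +319,43 @@` comments out `Install Requirements` and `Upload Stable Release to S3` along with the GnuPG steps, so `tools release s3-publish --key-id 64CBBC8173D76B3F stable` no longer runs and nothing visible in this section replaces it. That is wider than the commit-signing switch the title describes; the job's remaining steps are outside the hunk, but as shown the stable artifacts are either not published or published without this key's signature. The other three hunks set `git config --global commit.gpgsign false`, so commits pushed by the release jobs (checked out with `SALT_BOOTSTRAP_RELEASE_KEY`) will be unsigned, and it is worth confirming that no branch rule or downstream verification depends on those signatures. Rather than keeping four commented-out copies of the key-import steps, I would delete them and leave one comment above `Configure Git`, for example `# Commit signing disabled for now (<ISSUE-REF>); restore Setup GnuPG / Get Secrets from git history when re-enabling.`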

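--- a/bootstrap-salt.sh
+++ b/bootstrap-salt.sh
@@ -657,7 +657,7 @@ elif [ "$ITYPE" = "stable" ]; then
 ITYPE="onedir"
 shift
 else
-echo "Unknown stable version: $1 (valid: 3006, 3007, latest)"
+echo "Unknown stable version: $1 (valid: 3006, 3007, latest), versions older than 3006 are not available"
 exit 1
 fi
 fi
@@ -676,7 +676,7 @@ elif [ "$ITYPE" = "onedir" ]; then
 STABLE_REV="$1"
 shift
 else
-echo "Unknown onedir version: $1 (valid: 3006, 3007, latest.)"
+echo "Unknown onedir version: $1 (valid: 3006, 3007, latest), versions older than 3006 are not available"
 exit 1
 fi
 fi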
