diff --git a/.github/actions/git-verify-ref/Dockerfile b/.github/actions/git-verify-ref/Dockerfile
deleted file mode 100644
index f9f8c00..0000000
--- a/.github/actions/git-verify-ref/Dockerfile
+++ /dev/null
@@ -1,13 +0,0 @@
-FROM debian:buster-slim
-
-RUN apt update && \
- apt install -y git gnupg && \
- rm -rf /var/lib/apt/lists/*
-
-#RUN apk add --no-cache git gnupg
-
-COPY ./public-keys/atmoz.asc /tmp/atmoz.asc
-RUN gpg --import /tmp/atmoz.asc
-
-COPY ./entrypoint.sh /
-ENTRYPOINT ["/entrypoint.sh"]
diff --git a/.github/actions/git-verify-ref/action.yml b/.github/actions/git-verify-ref/action.yml
deleted file mode 100644
index 7b3d15e..0000000
--- a/.github/actions/git-verify-ref/action.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-name: 'Verify git ref'
-description: 'Verify GPG signed commits or tags'
-
-runs:
- using: 'docker'
- image: 'Dockerfile'
diff --git a/.github/actions/git-verify-ref/entrypoint.sh b/.github/actions/git-verify-ref/entrypoint.sh
deleted file mode 100755
index c6eba43..0000000
--- a/.github/actions/git-verify-ref/entrypoint.sh
+++ /dev/null
@@ -1,60 +0,0 @@
-#!/bin/bash
-set -eo pipefail
-
-# Git reference
-ref="${1:-HEAD}"
-
-# Number of required signatures
-required="${2:-"1"}"
-
-# Options passed to git
-git_options="${*:3}"
-
-
-# GitHub Actions fix
-if [ -e "/github/home/" ]; then
- cp -r /root/.gnupg /github/home/
-fi
-
-# Show imported public keys
-gpg --list-keys --keyid LONG
-
-# Check signatures
-raw_gpg_status=$(
- # shellcheck disable=SC2086
- git $git_options verify-commit --raw "$ref" 2>&1
- tags="$(git tag --points-at "$ref")"
-
- if [ -n "$tags" ]; then
- # shellcheck disable=SC2046,SC2086
- git $git_options verify-tag --raw $tags 2>&1
- fi
-)
-
-goodsig=0
-readarray -t status_line <<<"$raw_gpg_status"
-# read -r -a info <<<"$status"
-for status in "${status_line[@]}"; do
- #readarray -t -d" " info <<<"$status"
- read -r -a info <<<"$status"
-
- case "${info[1]}" in
- "GOODSIG")
- echo "Verified signature from ${info[2]}"
- ((goodsig++)) || true
- ;;
-
- "NO_PUBKEY")
- echo "WARNING: Missing public key for ${info[2]}"
- ;;
- esac
-done
-
-echo "RESULT: Found $goodsig good signatures"
-
-if [ "$goodsig" -lt "$required" ]; then
- echo "FAIL: Not enough signatures ($required was required)"
- exit 1
-else
- exit 0
-fi
diff --git a/.github/actions/git-verify-ref/public-keys/atmoz.asc b/.github/public-keys/atmoz.asc
similarity index 100%
rename from .github/actions/git-verify-ref/public-keys/atmoz.asc
rename to .github/public-keys/atmoz.asc
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b0a1079..b5d2143 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -63,7 +63,9 @@ jobs:
 - name: Verify signature
 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master'
- uses: ./.github/actions/git-verify-ref
+ uses: atmoz/git-verify-ref@master
+ with:
+ public_key_dir: ./github/public-keys
 - name: Push images to Docker Hub registry
 if: github.event_name != 'pull_request' && github.ref == 'refs/heads/master'
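Review bot: `public_key_dir: ./github/public-keys` in the build.yml hunk does not match where this same commit moves the key (`rename to .github/public-keys/atmoz.asc`), so the directory resolves to `github/public-keys` at the checkout root and the verifier would presumably find no keys to import; the line should read `public_key_dir: ./.github/public-keys`. A verification step that finds zero keys can only produce NO_PUBKEY results, which means the "Push images to Docker Hub registry" step that follows would be gated on a check that cannot succeed — or, if the external action treats a missing key directory leniently, on one that does not verify anything. Separately, `uses: atmoz/git-verify-ref@master` pins the signature-checking step to a mutable branch; since this step is what gates the push to Docker Hub on master, pinning it to a release tag or full commit SHA (`uses: atmoz/git-verify-ref@<commit-sha>`) keeps the verifier's code from changing underneath the workflow. The enclosing job definition starts outside the hunk.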