Merge pull request #120 from crowdin/fix_gpg_private_key

enhance gpg_private_key
crowdin · May 6, 2022 · ecd7eb0 · ecd7eb0
2 parents 8e52bf8 + 9f85c62
commit ecd7eb0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ jobs:
       uses: actions/checkout@v2
 
     - name: crowdin action
-      uses: crowdin/[email protected].8
+      uses: crowdin/[email protected].9
       with:
         upload_translations: true
         download_translations: true
@@ -120,9 +120,10 @@ In case you don’t want to download translations from Crowdin (`download_transl
     github_user_name: Crowdin Bot
     github_user_email: [email protected]
 
-    # For signed commits, add your ASCII-armored key
-    # Ensure that all emails are the same: for account profile that holds public key, the one specified during key generation, and for commit author (github_user_email parameter)
+    # For signed commits, add your ASCII-armored key and export "gpg --armor --export-secret-key GPG_KEY_ID"
+    # Ensure that all emails are the same: for account profile that holds private key, the one specified during key generation, and for commit author (github_user_email parameter)
     gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+    gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
     # config options
 

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -93,6 +93,7 @@ create_pull_request() {
 
   PULL_REQUESTS=$(echo "$(curl -sSL -H "${AUTH_HEADER}" -H "${HEADER}" -X GET "${PULLS_URL}${PULL_REQUESTS_QUERY_PARAMS}")" | jq --raw-output '.[] | .head.ref ')
 
+  # check if pull request exist
   if echo "$PULL_REQUESTS " | grep -q "$LOCALIZATION_BRANCH "; then
     echo "PULL REQUEST ALREADY EXIST"
   else
@@ -103,7 +104,7 @@ create_pull_request() {
     fi
 
     PULL_RESPONSE_DATA="{\"title\":\"${INPUT_PULL_REQUEST_TITLE}\", \"base\":\"${BASE_BRANCH}\", \"head\":\"${LOCALIZATION_BRANCH}\" ${BODY}}"
-
+    # create pull request
     PULL_RESPONSE=$(curl -sSL -H "${AUTH_HEADER}" -H "${HEADER}" -X POST --data "${PULL_RESPONSE_DATA}" "${PULLS_URL}")
 
     set +x
@@ -120,6 +121,8 @@ create_pull_request() {
         ISSUE_URL="${REPO_URL}/issues/${PULL_REQUESTS_NUMBER}"
 
         LABELS_DATA="{\"labels\":${PULL_REQUEST_LABELS}}"
+
+        # add labels to created pull request
         curl -sSL -H "${AUTH_HEADER}" -H "${HEADER}" -X PATCH --data "${LABELS_DATA}" "${ISSUE_URL}"
       else
         echo "JSON OF pull_request_labels IS INVALID: ${PULL_REQUEST_LABELS}"
@@ -147,8 +150,8 @@ push_to_branch() {
     git checkout "${LOCALIZATION_BRANCH}"
   else
     git checkout -b "${LOCALIZATION_BRANCH}"
-  fi  
-  
+  fi
+
   git add .
 
   if [ ! -n "$(git status -s)" ]; then
@@ -176,7 +179,7 @@ setup_commit_signing() {
 
   echo "${INPUT_GPG_PRIVATE_KEY}" > private.key
 
-  gpg --import private.key
+  gpg --import --batch private.key
 
   GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format=long | grep -o "rsa\d\+\/\(\w\+\)" | head -n1 | sed "s/rsa\d\+\/\(\w\+\)/\1/")
   GPG_KEY_OWNER_NAME=$(gpg --list-secret-keys --keyid-format=long | grep  "uid" | sed "s/.\+] \(.\+\) <\(.\+\)>/\1/")
@@ -189,6 +192,10 @@ setup_commit_signing() {
   git config --global user.signingkey "$GPG_KEY_ID"
   git config --global commit.gpgsign true
 
+  export GPG_TTY=$(tty)
+  # generate sign to store passphrase in cache for "git commit"
+  echo "test" | gpg --clearsign --pinentry-mode=loopback --passphrase "${INPUT_GPG_PASSPHRASE}" > /dev/null 2>&1
+
   rm private.key
 }
 
@@ -291,9 +298,9 @@ if [ "$INPUT_DOWNLOAD_TRANSLATIONS" = true ]; then
       exit 1
     }
 
-    if [ -n "${INPUT_GPG_PRIVATE_KEY}" ]; then
+    [ -n "${INPUT_GPG_PRIVATE_KEY}" ] && [ -n "${INPUT_GPG_PASSPHRASE}" ] && {
       setup_commit_signing
-    fi
+    }
 
     push_to_branch
   fi