From 50c005696778364657e40ea22da7f63a9352c3da Mon Sep 17 00:00:00 2001
From: Benjamin Reed
Date: Fri, 3 May 2024 10:31:11 -0400
Subject: [PATCH] feat: enable GPG signing (ENT-12)

---
 .github/workflows/ci.yml | 6 ++++--
 .github/workflows/release.yml | 40 +++++++++++++++++++++++------------
 2 files changed, 30 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d3e31f5..acc1f005 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,5 +52,7 @@ jobs:
 contents: write
 packages: write
 id-token: write
- # secrets:
- # GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
+ secrets:
+ GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
+ GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c31cc7bc..56b8d020 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,16 @@ name: Release
 
 on:
 workflow_call:
- # secrets:
- # GPG_KEY_BASE64:
- # required: true
- # description: GPG key for signing
+ secrets:
+ GPG_KEY_BASE64:
+ required: true
+ description: GPG key for signing
+ GPG_KEY_ID:
+ required: true
+ description: the GPG key ID for signing
+ GPG_PASSPHRASE:
+ required: true
+ description: passphrase for the signing key
 
 jobs:
 publish:
@@ -29,15 +35,19 @@ jobs:
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
- # - name: Prepare GPG key
- # run: |
- # gpg_dir=.cr-gpg
- # mkdir "$gpg_dir"
- # keyring="$gpg_dir/secring.gpg"
- # base64 -d <<< "$GPG_KEY_BASE64" > "$keyring"
- # echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
- # env:
- # GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
+ - name: Prepare GPG key
+ run: |
+ gpg_dir=.cr-gpg
+ mkdir "$gpg_dir"
+ keyring="$gpg_dir/secring.gpg"
+ base64 -d <<< "$GPG_KEY_BASE64" > "$keyring"
+ passphrase_file="$gpg_dir/passphrase"
+ echo "$GPG_PASSPHRASE" > "$passphrase_file"
+ echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
+ echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
+ env:
+ GPG_KEY_BASE64: "${{ secrets.GPG_KEY_BASE64 }}"
+ GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"
 
 - name: Install Helm
 uses: azure/setup-helm@v4.2.0
@@ -50,7 +60,9 @@ jobs:
 with:
 config: config.yaml
 env:
- CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ CR_KEY: "${{ secrets.GPG_KEY_ID }}"
+ CR_SIGN: true
 
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v3
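Review bot: The decoded secret keyring and the plaintext passphrase are written into `.cr-gpg/` inside the checkout with the runner's default umask, so `secring.gpg` and `passphrase` are most likely created world-readable, and nothing in the workflow removes them once `cr` has run. I would open the `run` block with `umask 077` so both files land as 0600, and add a final step with `if: always()` running `rm -rf .cr-gpg` so the key material does not outlive the signing step even when a later step fails. `printf '%s\n' "$GPG_PASSPHRASE" > "$passphrase_file"` is also preferable to `echo`, which on some shells treats a passphrase beginning with `-n` or `-e` as an option and mangles the file. The `publish` job continues outside the hunk.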
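Review bot: `CR_SIGN: true` is the only unquoted value in this `env:` block; GitHub Actions stringifies it so it works, but the neighbouring values are all quoted and a YAML linter will flag the bare boolean, so `CR_SIGN: "true"` keeps the block consistent and avoids any 1.1/1.2 truthy ambiguity. `CR_KEY` is taken from the `GPG_KEY_ID` secret here, while `CR_KEYRING` and `CR_PASSPHRASE_FILE` arrive from the earlier "Prepare GPG key" step through `GITHUB_ENV` as workspace-relative paths, which only resolves if this step runs in the same working directory; that dependency deserves a comment such as `# CR_KEYRING and CR_PASSPHRASE_FILE are exported by the "Prepare GPG key" step (relative to the checkout)`. Since signing now produces `.prov` files, a follow-up `helm verify` of one packaged chart against the public key would confirm the key ID, keyring format and passphrase actually line up rather than silently producing an unusable provenance file. The `publish` job continues outside the hunk.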