refactor: streamline ephemeral GPG key generation and signing process #49
alexlovelltroy wants to merge 6 commits into main from
Conversation
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…GPG configurations Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
…t and documentation Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
synackd
left a comment
I might be missing something, but I don't see gpg-ephemeral-key used here. Was that intentional?
…and removing subkey expiration check Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>
It is using parts from the gpg signing machinery. At this point, it is not doing ephemeral keys and is instead signing with the repo key. See build-rpm.yaml:
synackd
left a comment
At this point, it is not doing ephemeral keys and is instead signing with the repo key.
Got it, just wanted to make sure.
This looks reasonable to me. Just one comment below.
| mkdir -p ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }} | ||
| cp -r ./* ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}/ | ||
| tar -czf ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz \ | ||
| -C ~/rpmbuild/SOURCES openchami-${{ env.VERSION }} \ | ||
| --transform "s|openchami-${{ env.VERSION }}-${{ env.COMMIT_SHA }}|openchami-${{ env.VERSION }}|" | ||
| mkdir -p ~/rpmbuild/SOURCES/openchami-${VERSION} | ||
| cp -r ./* ~/rpmbuild/SOURCES/openchami-${VERSION}/ | ||
| tar -czf ~/rpmbuild/SOURCES/openchami-${VERSION}.tar.gz \ | ||
| -C ~/rpmbuild/SOURCES openchami-${VERSION} |
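Review bot: ${VERSION} is unquoted in all four of the new mkdir/cp/tar lines, while the same step's old tar line read it as ${{ env.VERSION }}; pick one source (the steps.get_version.outputs.version output or the VERSION env var) and quote it, e.g. mkdir -p ~/rpmbuild/SOURCES/"openchami-${VERSION}", so a version string containing whitespace or glob characters cannot split into extra arguments. The --transform "s|openchami-...-${{ env.COMMIT_SHA }}|openchami-...|" dropped from the old tar invocation could never have matched, because the directory being archived is already created as openchami-${VERSION} two lines earlier, so removing it is a behaviour-preserving cleanup worth stating in the commit message. Note also that cp -r ./* skips dotfiles (fine for .git, but also .github and any dotfile the spec expects) and copies whatever is in the checkout, including output from any earlier build step.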
Do we want to replace ${VERSION} here with ${{ steps.get_version.outputs.version }} so we can get rid of the echo "VERSION=${VERSION}" >> $GITHUB_ENV above? Just to reduce redundancy. I noticed that the latter is used below, but there is still some mixing of the two.
This pull request updates the RPM build GitHub Actions workflow to improve security and automation by switching to ephemeral GPG keys for signing and modernizing variable usage and output handling. The changes eliminate the need for long-lived signing credentials and streamline the build and release process.

Security and GPG Key Management:

OpenCHAMI/gpg-signing-manager action. The ephemeral key is configured with a 1-day expiration and unique metadata per run.

Workflow Modernization and Output Handling:

GITHUB_OUTPUT mechanism instead of deprecated set-output, and consistently uses the dynamically determined version from the get_version step.

Build Process Improvements:

These changes increase the security of the RPM build pipeline and align the workflow with current GitHub Actions best practices.
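As an added example, not the project's build-rpm.yaml and not the OpenCHAMI/gpg-signing-manager action (whose implementation this thread does not show), here is one way to realise what the description above claims: a signing key that exists only for this run, carries run-specific metadata, expires after 1 day, signs the RPM, and has its public half published alongside the packages, with GITHUB_OUTPUT and the get_version step output used throughout instead of a VERSION env var. The workflow and step names, the e-mail domain, the spec file name and the artifact name are assumptions.

```yaml
# Added example (not the project's workflow or the gpg-signing-manager action).
# Workflow/step names, example.invalid, openchami.spec and the artifact name are assumed.
name: build-rpm-ephemeral-sign-example

on:
  push:
    tags: ["v*"]

jobs:
  rpm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install rpm tooling
        run: sudo apt-get update && sudo apt-get install -y rpm

      - name: Determine version
        id: get_version
        run: |
          # GITHUB_OUTPUT replaces the deprecated ::set-output; later steps read
          # steps.get_version.outputs.version rather than a VERSION env var.
          echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      - name: Generate ephemeral signing key
        id: ephemeral_key
        run: |
          set -euo pipefail
          # Fresh keyring in a per-run temp dir; exported via GITHUB_ENV so rpmsign
          # finds it, and deleted in the cleanup step at the end of the job.
          export GNUPGHOME="$(mktemp -d)"
          echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
          # Unique metadata per run (run id and commit in the uid), no passphrase,
          # signing-only Ed25519 key that expires in 1 day.
          gpg --batch --pinentry-mode loopback --passphrase '' \
              --quick-generate-key \
              "OpenCHAMI CI (run ${GITHUB_RUN_ID} ${GITHUB_SHA}) <ci-${GITHUB_RUN_ID}@example.invalid>" \
              ed25519 sign 1d
          FPR="$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^fpr/ {print $10; exit}')"
          echo "fingerprint=${FPR}" >> "$GITHUB_OUTPUT"
          # The public key is a build artifact; consumers need it to verify the RPMs.
          gpg --batch --armor --export "${FPR}" > RPM-GPG-KEY-openchami-ephemeral

      - name: Build source tarball and RPM
        run: |
          set -euo pipefail
          VERSION="${{ steps.get_version.outputs.version }}"
          mkdir -p ~/rpmbuild/SOURCES/"openchami-${VERSION}"
          cp -r ./* ~/rpmbuild/SOURCES/"openchami-${VERSION}"/
          tar -czf ~/rpmbuild/SOURCES/"openchami-${VERSION}.tar.gz" \
              -C ~/rpmbuild/SOURCES "openchami-${VERSION}"
          # Assumed spec: it is expected to use %{version} for its Version tag.
          rpmbuild -bb --define "version ${VERSION}" openchami.spec

      - name: Sign and verify RPMs
        run: |
          set -euo pipefail
          FPR="${{ steps.ephemeral_key.outputs.fingerprint }}"
          # rpmsign resolves %_gpg_name inside GNUPGHOME (set in the key step).
          rpmsign --define "_gpg_name ${FPR}" --addsign ~/rpmbuild/RPMS/*/*.rpm
          # Verify against exactly the key just published, so a missing or wrong
          # signature fails the job here instead of surfacing as NOKEY at install time.
          sudo rpmkeys --import RPM-GPG-KEY-openchami-ephemeral
          rpmkeys --checksig ~/rpmbuild/RPMS/*/*.rpm

      - name: Upload signed RPMs and public key
        uses: actions/upload-artifact@v4
        with:
          name: openchami-rpms
          path: |
            ~/rpmbuild/RPMS/**/*.rpm
            RPM-GPG-KEY-openchami-ephemeral

      - name: Destroy ephemeral key
        if: always()
        run: |
          # The private key never leaves the runner; remove it even if a step failed.
          gpgconf --kill gpg-agent || true
          if [ -n "${GNUPGHOME:-}" ]; then rm -rf "$GNUPGHOME"; fi
```

The caveat that goes with this design: an ephemeral key removes the long-lived secret from the repository, but it also means each release is signed by a key nobody has seen before, so verification only proves that the RPM matches the public key shipped next to it. For that to be worth anything the fingerprint written to steps.ephemeral_key.outputs.fingerprint has to be recorded somewhere an attacker who controls one workflow run cannot rewrite, for example in a signed release attestation or a repository metadata key list, and consumers must check it there rather than blindly importing RPM-GPG-KEY-openchami-ephemeral from the same artifact bundle.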