From 027d6e31aac38ca7010784cbf7c969cbb784ddee Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 11:34:11 +0100
Subject: [PATCH 01/21] feat: :sparkles: (#204) add gnupg to docker image

---
 Dockerfile | 2 +-
 src/Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 67385fb8..22abbc41 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,7 +33,7 @@ WORKDIR /app
 FROM node:21.5.0-alpine as docs
 
 # install packages
-RUN apk add --update --no-cache bash make git zsh curl tmux
+RUN apk add --update --no-cache bash make git zsh curl tmux gnupg
 
 # Make zsh your default shell for tmux
 RUN echo "set-option -g default-shell /bin/zsh" >> /root/.tmux.conf
diff --git a/src/Dockerfile b/src/Dockerfile
index 826b49d0..1b6b336e 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -15,7 +15,7 @@ LABEL org.opencontainers.image.title="actions-template-sync image"
 LABEL org.opencontainers.image.description="contains actions-template-sync"
 
 # install packages
-RUN apk add --update --no-cache bash git curl musl openssh git-lfs yq
+RUN apk add --update --no-cache bash git curl musl openssh git-lfs yq gnupg
 
 RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz
 RUN tar --strip-components=1 -xf ghcli.tar.gz

From 89153409ab6d7b45b884d51f2197346e23bd73e5 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 20:47:29 +0100
Subject: [PATCH 02/21] feat: :sparkles: (#204) add option to sign commits

---
 Dockerfile | 4 +--
 README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++
 action.yml | 6 +++++
 src/entrypoint.sh | 21 +++++++++++++++
 src/sync_common.sh | 10 +++---
 src/sync_template.sh | 4 +--
 6 files changed, 99 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 22abbc41..72ea4d46 100644
--- a/Dockerfile
+++ b/Dockerfile
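Review bot: The added `gnupg` package is installed unpinned in both the `docs` stage of `Dockerfile` and in `src/Dockerfile`, so two builds of the action image can resolve to different gnupg releases, and the signing wrapper added later in this series depends on gnupg's batch and pinentry behaviour; pin it as `gnupg=<version>` (hadolint DL3018), which also applies to every other package on those lines. `--update` is redundant next to `--no-cache` and can be dropped from both `apk add` lines.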
@@ -6,7 +6,7 @@ FROM alpine:3.19.0 as dev
 ARG GH_CLI_VER=2.34.0
 
 # install packages
-RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim yq
+RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim yq gnupg
 
 RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz
 RUN tar --strip-components=1 -xf ghcli.tar.gz
@@ -33,7 +33,7 @@ WORKDIR /app
 FROM node:21.5.0-alpine as docs
 
 # install packages
-RUN apk add --update --no-cache bash make git zsh curl tmux gnupg
+RUN apk add --update --no-cache bash make git zsh curl tmux
 
 # Make zsh your default shell for tmux
 RUN echo "set-option -g default-shell /bin/zsh" >> /root/.tmux.conf
diff --git a/README.md b/README.md
index 02ecd97c..b2d5282a 100644
--- a/README.md
+++ b/README.md
@@ -250,6 +250,8 @@ jobs:
 | git_user_name | `[optional]` set the committer git user.name | `false` | `${GITHUB_ACTOR}` |
 | git_user_email | `[optional]` set the committer git user.email | `false` | `github-action@actions-template-sync.noreply.${SOURCE_REPO_HOSTNAME}` |
 | git_remote_pull_params |`[optional]` set remote pull parameters | `false` | `--allow-unrelated-histories --squash --strategy=recursive -X theirs` |
+| gpg_private_key | `[optional]` set if you want to sign commits | `false` | |
+| gpg_passphrase | `[optional]` set if your optionial gpg private key has a passphrase | `false` | |
 
 ### Docker
 
@@ -288,6 +290,64 @@ E.g. when you like to disable the sync for all files with exceptions, you need t
 *
 ```
 
+## Sign commits
+
+It is recommended to [sign your commits][devto-sign-commits]. This action is able to sign commits.
+
+First, [generate a GPG key][github-create-gpg-key] and export the GPG private key as an ASCII armored version to your clipboard:
+
+```bash
+# macOS
+gpg --armor --export-secret-key jon@doe.example | pbcopy
+
+# Ubuntu (assuming GNU base64)
+gpg --armor --export-secret-key jon@doe.example -w0 | xclip
+
+# Arch
+gpg --armor --export-secret-key jon@doe.example | xclip -selection clipboard -i
+
+# FreeBSD (assuming BSD base64)
+gpg --armor --export-secret-key jon@doe.example | xclip
+```
+
+:warning: the gpg username and email must match the `git_user_name` and `git_user_email` parameters.
+Paste your clipboard as a [secret][github-create-secret] named `GPG_PRIVATE_KEY` for example. If your key has a password, create another secret named `GPG_PASSPHRASE`.
+
+```yaml
+# File: .github/workflows/template-sync.yml
+
+on:
+ # cronjob trigger
+ schedule:
+ - cron: "0 0 1 * *"
+ # manual trigger
+ workflow_dispatch:
+jobs:
+ repo-sync:
+ runs-on: ubuntu-latest
+ # https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+ permissions:
+ contents: write
+ pull-requests: write
+
+ steps:
+ # To use this repository's private action, you must check out the repository
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: actions-template-sync
+ uses: AndreasAugustin/actions-template-sync@v1
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ source_repo_path:
+ git_user_name: # add the gpg username
+ git_user_email: # add the gpg email
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ # uncomment if your key has a passpharse
+ # gpg_passpharse: ${{ secrets.GPG_PASSPHRASE }}
+
+```
+
 ## Lifecycle hooks
 
 Different lifecycle hooks are supported.
You need to enable the functionality with the option `is_allow_hooks` and set it to `true`
@@ -411,6 +471,7 @@ There are other great tools available within GitHub. Here you can find a compari
 | dry run | :heavy_check_mark: | :x: | :x: | :heavy_check_mark: |
 | ignore files | :heavy_check_mark: | :x: | :x: | :heavy_check_mark: |
 | creates a PR | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |
+| sign commits | :heavy_check_mark: | :x: | :x: | :x: |
 | remarks | The action is placed within the target repositories | The action is placed within the target repositories | CLI meant for local use | The action will be based within the base repository with a list of dependent repositories |
 
 ## DEV
@@ -481,6 +542,7 @@ specification. Contributions of any kind are welcome!
 [self-usage]: https://github.com/AndreasAugustin/actions-template-sync/blob/main/.github/workflows/actions_template_sync.yml
 [pr-labels]: https://docs.github.com/en/issues/using-labels-and-milestones-to-track-work/managing-labels
 [devto-example]: https://dev.to/andreasaugustin/github-actions-template-sync-1g9k
+[devto-sign-commits]: https://dev.to/andreasaugustin/git-how-and-why-to-sign-commits-35dn
 [github-example]: https://github.com/AndreasAugustin/teaching/blob/main/docs/git/git_action_sync.md
 [github-app]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps
 [glob-pattern]: https://en.wikipedia.org/wiki/Glob_(programming)
@@ -495,3 +557,4 @@ specification. Contributions of any kind are welcome!
 [dotdc-blog]: https://0xdc.me/blog/github-templates-and-repository-sync/
 [github-create-pat]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token
 [github-create-secret]: https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository
+[github-create-gpg-key]: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
diff --git a/action.yml b/action.yml
index a4a23b5d..a6e72f9e 100644
--- a/action.yml
+++ b/action.yml
@@ -45,6 +45,10 @@ inputs:
 description: "[optional] set the committer git user.email for the merge commit"
 git_remote_pull_params:
 description: "[optional] set the pull parameters for the remote repository"
+ gpg_private_key:
+ description: "[optional] set the gpg private key if you want to sign your commits"
+ gpg_passphrase:
+ description: "[optional] set if your private gpg key has a password"
 runs:
 using: "docker"
 image: "src/Dockerfile"
@@ -65,3 +69,5 @@ runs:
 GIT_USER_NAME: ${{ inputs.git_user_name }}
 GIT_USER_EMAIL: ${{ inputs.git_user_email }}
 GIT_REMOTE_PULL_PARAMS: ${{ inputs.git_remote_pull_params }}
+ GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
+ GPG_PASSPHRASE: ${{ inputs.gpg_passphrase }}
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index c5c34869..da9f66be 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -41,6 +41,23 @@ function ssh_setup() {
 echo "::endgroup::"
 }
 
+function gpg_setup() {
+ echo "::group::gpg setup"
+ info "start prepare gpg"
+ echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
+ for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key "$fpr" trust; done
+
+ git config --global user.signingkey "$(gpg --list-secret-key --with-colons dev@andreas-augustin.org | awk -F: '/sec:/ {print $5}')"
+ git config --global commit.gpgsign true
+
+ #if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
+ # TODO
+ #fi
+
+ info "done prepare gpg"
+ echo "::endgroup::"for fpr in
+}
+
 # Forward to /dev/null to swallow the output of the private key
 if [[ -n "${SSH_PRIVATE_KEY_SRC}" ]] &>/dev/null; then
 ssh_setup
@@ -73,5 +90,9 @@ function git_init() {
 
 git_init
 
+if [[ -n "${GPG_PRIVATE_KEY}" ]] &>/dev/null; then
+ gpg_setup
+fi
+
 # shellcheck source=src/sync_template.sh
 source sync_template.sh
diff --git a/src/sync_common.sh b/src/sync_common.sh
index 36acaf43..8677a408 100755
--- a/src/sync_common.sh
+++ b/src/sync_common.sh
@@ -9,7 +9,7 @@ set -e
 # Arguments:
 # message to print.
 #######################################
-err() {
+function err() {
 echo "::error::[$(date +'%Y-%m-%dT%H:%M:%S%z')]: $*" >&2;
 }
 
@@ -18,7 +18,7 @@ err() {
 # Arguments:
 # message to print.
 #######################################
-debug() {
+function debug() {
 echo "::debug::$*";
 }
 
@@ -27,7 +27,7 @@ debug() {
 # Arguments:
 # message to print.
 #######################################
-warn() {
+function warn() {
 echo "::warn::$*";
 }
 
@@ -36,7 +36,7 @@ warn() {
 # Arguments:
 # message to print.
 #######################################
-info() {
+function info() {
 echo "::info::$*";
 }
 
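Review bot: The last statement of the new `gpg_setup` is `echo "::endgroup::"for fpr in`, stray text glued onto the string, so the runner sees `::endgroup::for fpr in` and the log group is never closed; it should read `echo "::endgroup::"`, and the same leftover is still visible as context in the later entrypoint hunks of this series. After the import on the fourth added line the armored secret key stays in `GPG_PRIVATE_KEY` for the rest of the run, where it is inherited by every child process, including the lifecycle-hook commands that `cmd_from_yml_file` reads from `templatesync.yml`; add `unset GPG_PRIVATE_KEY` immediately after a successful `gpg --import`. `echo -e` interprets backslash escapes in whatever the secret contains, so feed the key with `printf '%s\n' "${GPG_PRIVATE_KEY}" | gpg --import --batch` instead. The `user.signingkey` lookup on the seventh added line can yield an empty string when no secret key matches the address given (this hunk hard-codes one instead of using `GIT_USER_EMAIL`), and `git config` then silently stores an empty key that only fails at commit time; once the id is in a variable, as the patch 03 hunk does, guard it with `[[ -n "${KEY_ID}" ]] || { err "no secret key found for ${GIT_USER_EMAIL}"; exit 1; }`.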
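Review bot: `[[ -n "${GPG_PRIVATE_KEY}" ]] &>/dev/null` redirects the output of a test that never produces any; the redirect was presumably copied from the SSH block above, and the guard reads cleaner as `if [[ -n "${GPG_PRIVATE_KEY}" ]]; then`. The enclosing script continues past this hunk.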
@@ -46,7 +46,7 @@ info() {
 # hook -> the hook to use
 #
 ####################################3#
-cmd_from_yml_file() {
+function cmd_from_yml_file() {
 local FILE_NAME="templatesync.yml"
 local HOOK=$1
 local YML_PATH=".hooks.${HOOK}.commands"
diff --git a/src/sync_template.sh b/src/sync_template.sh
index 8408ecb2..d625fbae 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -44,7 +44,7 @@ debug "new Git HASH ${NEW_TEMPLATE_GIT_HASH}"
 
 echo "::group::Check new changes"
 
-check_branch_remote_existing() {
+function check_branch_remote_existing() {
 git ls-remote --exit-code --heads origin "${NEW_BRANCH}" || BRANCH_DOES_NOT_EXIST=true
 
 if [[ "${BRANCH_DOES_NOT_EXIST}" != true ]]; then
@@ -119,7 +119,7 @@ git commit -m "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 
-push_and_create_pr () {
+function push_and_create_pr () {
 cmd_from_yml_file "prepush"
 
 if [ "$IS_DRY_RUN" != "true" ]; then

From 97a1e27212c76698615cf57fb7483ecea8dee37a Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 20:58:52 +0100
Subject: [PATCH 03/21] fix: :bug: (#204) issue with tty

---
 src/entrypoint.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index da9f66be..aa8920c0 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -45,9 +45,10 @@ function gpg_setup() {
 echo "::group::gpg setup"
 info "start prepare gpg"
 echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
- for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --command-fd 0 --expert --edit-key "$fpr" trust; done
+ for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
 
- git config --global user.signingkey "$(gpg --list-secret-key --with-colons dev@andreas-augustin.org | awk -F: '/sec:/ {print $5}')"
+ KEY_ID="$(gpg --list-secret-key --with-colons dev@andreas-augustin.org | awk -F: '/sec:/ {print $5}')"
+ git config --global user.signingkey "${KEY_ID}"
 git config --global commit.gpgsign true
 
 #if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then

From 9621a7122b984977bcc0e395de53847f2864b5c1 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 21:16:41 +0100
Subject: [PATCH 04/21] fix: :bug: (#204) fix issue with no tty

---
 Dockerfile | 3 ++-
 src/Dockerfile | 3 ++-
 src/entrypoint.sh | 3 ++-
 src/gpg_no_tty.sh | 2 ++
 src/sync_common.sh | 2 +-
 src/sync_template.sh | 2 +-
 6 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 src/gpg_no_tty.sh

diff --git a/Dockerfile b/Dockerfile
index 72ea4d46..29fc3e4a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,8 @@ RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh
 ADD src/*.sh /bin/
 RUN chmod +x /bin/entrypoint.sh \
 && chmod +x /bin/sync_template.sh \
- && chmod +x /bin/sync_common.sh
+ && chmod +x /bin/sync_common.sh \
+ && chmod +x /bin/gpg_no_tty.sh
 
 RUN mkdir -p /root/.ssh \
 && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
diff --git a/src/Dockerfile b/src/Dockerfile
index 1b6b336e..1d48a073 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
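Review bot: `KEY_ID` on the new line is assigned without `local`, so it escapes `gpg_setup` into the global scope of the entrypoint and of every script it sources afterwards; write `local KEY_ID` and check it is non-empty before handing it to `git config`, as raised on the patch 02 hunk. `gpg_setup` continues past the end of this hunk.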
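Review bot: The `chmod +x` chain in the `RUN` now grows by one continuation line per script, and the `ADD src/*.sh /bin/` above it copies plain local files, for which `COPY` is the right instruction (hadolint DL3020); a single `COPY --chmod=755 src/*.sh /bin/` replaces both the `ADD` and the whole `RUN chmod` layer, and the same applies to the matching `src/Dockerfile` hunk that follows. The `ADD` line is context rather than new code here, so this is a follow-up rather than a defect introduced by the patch.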
@@ -23,7 +23,8 @@ RUN tar --strip-components=1 -xf ghcli.tar.gz
 ADD *.sh /bin/
 RUN chmod +x /bin/entrypoint.sh \
 && chmod +x /bin/sync_template.sh \
- && chmod +x /bin/sync_common.sh
+ && chmod +x /bin/sync_common.sh \
+ && chmod +x /bin/gpg_no_tty.sh
 
 RUN mkdir -p /root/.ssh \
 && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index aa8920c0..a4ea5537 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -1,4 +1,4 @@
-#! /usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 # set -u
 # set -x
@@ -50,6 +50,7 @@ function gpg_setup() {
 KEY_ID="$(gpg --list-secret-key --with-colons dev@andreas-augustin.org | awk -F: '/sec:/ {print $5}')"
 git config --global user.signingkey "${KEY_ID}"
 git config --global commit.gpgsign true
+ git config --global gpg.program /bin/gpg_no_tty.sh
 
 #if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
 # TODO
diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
new file mode 100644
index 00000000..e50462e5
--- /dev/null
+++ b/src/gpg_no_tty.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+/usr/bin/gpg --batch --no-tty "$@"
diff --git a/src/sync_common.sh b/src/sync_common.sh
index 8677a408..e8abc366 100755
--- a/src/sync_common.sh
+++ b/src/sync_common.sh
@@ -1,4 +1,4 @@
-#! /usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 # set -u
 
diff --git a/src/sync_template.sh b/src/sync_template.sh
index d625fbae..97661a7e 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -1,4 +1,4 @@
-#! /usr/bin/env bash
+#!/usr/bin/env bash
 set -e
 # set -u
 

From f57d687bd2ee51e73e17d6d94e930571a06a391f Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 21:28:21 +0100
Subject: [PATCH 05/21] fix: :bug: (#204) fix issue with no passphrase

---
 src/gpg_no_tty.sh | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index e50462e5..e887883b 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
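Review bot: The new `src/gpg_no_tty.sh` carries no comment explaining why it exists, so the next reader will not know it is wired in as git's `gpg.program` because the action container has no terminal for gpg to talk to; add a header after the shebang such as `# gpg wrapper registered as git's gpg.program: the action runs without a tty, so force batch mode and pass git's arguments through unchanged`. The absolute `/usr/bin/gpg` ties the wrapper to this image's layout while the other scripts call `gpg` through PATH; either is fine, but pick one and stay consistent.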
@@ -1,2 +1,14 @@
 #!/usr/bin/env bash
-/usr/bin/gpg --batch --no-tty "$@"
+
+export pflag=""
+# create dynamic `--passphrase` flag to insert into the final command if the passphrase variable is not empty.
+if [[ -n "$GPG_PASSPHRASE" ]]; then
+ pflag="--passphrase ${GPG_PASSPHRASE}"
+fi
+
+# "<&0" → use same stdin as the one originally piped to script
+# "$@" → pass all script arguments to actual command
+
+gpg --yes --batch --no-tty "$pflag" "$@" <&0
+
+exit $?

From 20188f49e4a9f66163a83155f9133f8644b04298 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 21:38:25 +0100
Subject: [PATCH 06/21] fix: :bug: (#204) trial

---
 src/sync_template.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sync_template.sh b/src/sync_template.sh
index 97661a7e..f87ef1d9 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -115,7 +115,7 @@ if git diff --quiet && git diff --staged --quiet; then
 exit 0
 fi
 
-git commit -m "${PR_COMMIT_MSG}"
+GIT_TRACE=1 git commit -m "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 

From d6fe6dfdb9f9188a4f4fd7c6b63e9d7782405f1a Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 21:54:03 +0100
Subject: [PATCH 07/21] fix: :bug: (#204) trial for fix

---
 src/entrypoint.sh | 4 ----
 src/gpg_no_tty.sh | 13 ++++---------
 2 files changed, 4 insertions(+), 13 deletions(-)

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index a4ea5537..930445b3 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -52,10 +52,6 @@ function gpg_setup() {
 git config --global commit.gpgsign true
 git config --global gpg.program /bin/gpg_no_tty.sh
 
- #if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- # TODO
- #fi
-
 info "done prepare gpg"
 echo "::endgroup::"for fpr in
 }
diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index e887883b..0c8a1879 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
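Review bot: `pflag="--passphrase ${GPG_PASSPHRASE}"` places the passphrase on gpg's command line, where every process on the runner can read it from the process table, and the quoted `"$pflag"` hands gpg one argument containing both the option and the value (or an empty-string argument when no passphrase is set), which gpg does not parse as an option. Keep the secret out of argv by passing it on a dedicated descriptor with `--passphrase-fd`, or through `--passphrase-file` pointing at a mode-0600 temporary file the wrapper creates and removes; patch 07 in this series moves to `--passphrase-fd`. `export pflag=""` needs no `export` since nothing below spawns a process that reads it, and the closing `exit $?` is redundant because a script already exits with the status of its last command.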
@@ -1,14 +1,9 @@
 #!/usr/bin/env bash
 
-export pflag=""
-# create dynamic `--passphrase` flag to insert into the final command if the passphrase variable is not empty.
-if [[ -n "$GPG_PASSPHRASE" ]]; then
- pflag="--passphrase ${GPG_PASSPHRASE}"
+if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
+ echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 --no-tty "$@" <&0
+else
+ gpg --yes --batch --no-tty "$@" <&0
 fi
 
-# "<&0" → use same stdin as the one originally piped to script
-# "$@" → pass all script arguments to actual command
-
-gpg --yes --batch --no-tty "$pflag" "$@" <&0
-
 exit $?

From d4dadf09c705e6d90b6be606ab0e6bcc17619afc Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 21:58:17 +0100
Subject: [PATCH 08/21] fix: :bug: (#204) fix

---
 src/gpg_no_tty.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 0c8a1879..350c8819 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 --no-tty "$@" <&0
+ echo -e "${GPG_PASSPHRASE}" | gpg --no-tty --batch --yes --passphrase-fd 0 "$@" <&0
 else
 gpg --yes --batch --no-tty "$@" <&0
 fi

From 9d35a97e44c95bdea6bff54846047e9d54298b41 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 22:01:07 +0100
Subject: [PATCH 09/21] fix: :bug: (#204) trial

---
 src/gpg_no_tty.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 350c8819..8dafc43c 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
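Review bot: `echo -e "${GPG_PASSPHRASE}" | gpg ... --passphrase-fd 0 "$@" <&0` makes the pipe gpg's stdin, but when git invokes `gpg.program` it writes the commit object to be signed on that very stdin, so gpg consumes the passphrase as line one and then has no payload left; the trailing `<&0` is a no-op and does not restore git's data, which is the likely root cause of the passphrase path that later patches keep toggling and that patch 21 finally disables. Feed the passphrase on a separate descriptor and leave stdin to git, e.g. `exec 3< <(printf '%s\n' "${GPG_PASSPHRASE}")` followed by `gpg --pinentry-mode loopback --batch --yes --passphrase-fd 3 "$@"`, or preset it in gpg-agent once from `gpg_setup`. `echo -e` additionally rewrites backslash sequences inside the passphrase, which `printf '%s\n'` does not. The same stdin clobbering is present in the patch 08, 09, 10, 17 and 19 hunks of this file.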
@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
 
+export GPG_TTY=$(tty)
+
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- echo -e "${GPG_PASSPHRASE}" | gpg --no-tty --batch --yes --passphrase-fd 0 "$@" <&0
+ echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 "$@" <&0
 else
- gpg --yes --batch --no-tty "$@" <&0
+ gpg --yes --batch "$@" <&0
 fi
 
 exit $?

From 0cf076153b76d8cc010d9bfb30ca2f824617cebf Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 22:17:37 +0100
Subject: [PATCH 10/21] fix: :bug: (#204) add pinentry mode loopback

---
 src/entrypoint.sh | 2 +-
 src/gpg_no_tty.sh | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index 930445b3..4d788e13 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -47,7 +47,7 @@ function gpg_setup() {
 echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
 for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
 
- KEY_ID="$(gpg --list-secret-key --with-colons dev@andreas-augustin.org | awk -F: '/sec:/ {print $5}')"
+ KEY_ID="$(gpg --list-secret-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/sec:/ {print $5}')"
 git config --global user.signingkey "${KEY_ID}"
 git config --global commit.gpgsign true
 git config --global gpg.program /bin/gpg_no_tty.sh
diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 8dafc43c..8cdddaca 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
@@ -1,11 +1,9 @@
 #!/usr/bin/env bash
 
-export GPG_TTY=$(tty)
-
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 "$@" <&0
+ echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
 else
- gpg --yes --batch "$@" <&0
+ gpg --pinentry-mode loopback --yes --batch "$@" <&0
 fi
 
 exit $?
From d620612da513cd94d417857e0d670e07c7dadb66 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Sun, 7 Jan 2024 22:40:20 +0100
Subject: [PATCH 11/21] fix: :bug: (#204)

---
 src/sync_template.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sync_template.sh b/src/sync_template.sh
index f87ef1d9..97661a7e 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -115,7 +115,7 @@ if git diff --quiet && git diff --staged --quiet; then
 exit 0
 fi
 
-GIT_TRACE=1 git commit -m "${PR_COMMIT_MSG}"
+git commit -m "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 

From 93fe048f18b69af95ef3b26457ca395196c7409d Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 8 Jan 2024 21:02:05 +0100
Subject: [PATCH 12/21] feat: :sparkles: (#204) add signoff and tig

---
 Dockerfile | 2 +-
 src/Dockerfile | 2 +-
 src/sync_template.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 29fc3e4a..b829807f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ FROM alpine:3.19.0 as dev
 ARG GH_CLI_VER=2.34.0
 
 # install packages
-RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim yq gnupg
+RUN apk add --update --no-cache bash make git zsh curl tmux musl openssh git-lfs vim yq gnupg tig
 
 RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz
 RUN tar --strip-components=1 -xf ghcli.tar.gz
diff --git a/src/Dockerfile b/src/Dockerfile
index 1d48a073..c50b17e0 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -15,7 +15,7 @@ LABEL org.opencontainers.image.title="actions-template-sync image"
 LABEL org.opencontainers.image.description="contains actions-template-sync"
 
 # install packages
-RUN apk add --update --no-cache bash git curl musl openssh git-lfs yq gnupg
+RUN apk add --update --no-cache bash git curl musl openssh git-lfs yq gnupg tig
 
 RUN wget https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_386.tar.gz -O ghcli.tar.gz
 RUN tar --strip-components=1 -xf ghcli.tar.gz
diff --git a/src/sync_template.sh b/src/sync_template.sh
index 97661a7e..e121ab4f 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -115,7 +115,7 @@ if git diff --quiet && git diff --staged --quiet; then
 exit 0
 fi
 
-git commit -m "${PR_COMMIT_MSG}"
+git commit -m --signoff "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 

From 6a8107961ec08c948a3cb759ef53f4df55f39602 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 8 Jan 2024 21:05:49 +0100
Subject: [PATCH 13/21] fix: :bug: (#204) fix commit

---
 src/sync_template.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sync_template.sh b/src/sync_template.sh
index e121ab4f..c4855b83 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -115,7 +115,7 @@ if git diff --quiet && git diff --staged --quiet; then
 exit 0
 fi
 
-git commit -m --signoff "${PR_COMMIT_MSG}"
+git commit --signoff -m "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 

From a0821ac8e153cc3c3da551cbe0363f0021b2a8c5 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 8 Jan 2024 21:21:26 +0100
Subject: [PATCH 14/21] fix: :bug: (#204)

---
 src/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index 4d788e13..2fe741ec 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
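Review bot: `tig` is an interactive curses git browser and has no role in the non-interactive action image built from `src/Dockerfile`; it only adds packages and attack surface to the image every consumer of the action pulls, so keep it in the `dev` stage of the top-level `Dockerfile` and drop it from this `apk add` line. Both `apk add` lines are still fully unpinned, as raised on the first patch of the series.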
@@ -45,7 +45,7 @@ function gpg_setup() {
 echo "::group::gpg setup"
 info "start prepare gpg"
 echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
- for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
+ # for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
 
 KEY_ID="$(gpg --list-secret-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/sec:/ {print $5}')"
 git config --global user.signingkey "${KEY_ID}"

From 6759d0e38bd582252a1786ade902365adb9ae285 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 8 Jan 2024 21:35:04 +0100
Subject: [PATCH 15/21] fix: :bug: (#204) trial

---
 src/sync_template.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sync_template.sh b/src/sync_template.sh
index c4855b83..4c16e17a 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -115,7 +115,7 @@ if git diff --quiet && git diff --staged --quiet; then
 exit 0
 fi
 
-git commit --signoff -m "${PR_COMMIT_MSG}"
+GIT_TRACE=1 git commit --signoff -m "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 

From c302e72bc49cd961a13754ee0619bf7f0034660f Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 8 Jan 2024 22:13:42 +0100
Subject: [PATCH 16/21] fix: :bug: (#204)

---
 src/sync_template.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sync_template.sh b/src/sync_template.sh
index 4c16e17a..c4855b83 100644
--- a/src/sync_template.sh
+++ b/src/sync_template.sh
@@ -115,7 +115,7 @@ if git diff --quiet && git diff --staged --quiet; then
 exit 0
 fi
 
-GIT_TRACE=1 git commit --signoff -m "${PR_COMMIT_MSG}"
+git commit --signoff -m "${PR_COMMIT_MSG}"
 
 echo "::endgroup::"
 

From 3b9a8396884d7aea969c4af22379837ccc5caff8 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 5 Feb 2024 21:10:20 +0100
Subject: [PATCH 17/21] fix: :bug: trial for gpg sign

---
 src/entrypoint.sh | 4 +++-
 src/gpg_no_tty.sh | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index 2fe741ec..a705a332 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -44,8 +44,10 @@ function ssh_setup() {
 function gpg_setup() {
 echo "::group::gpg setup"
 info "start prepare gpg"
+ GPG_TTY=$(tty)
+ export GPG_TTY
 echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
- # for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
+ for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
 
 KEY_ID="$(gpg --list-secret-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/sec:/ {print $5}')"
 git config --global user.signingkey "${KEY_ID}"
diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 8cdddaca..70cf8868 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
+ # echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
+ echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 "$@" <&0
 else
 gpg --pinentry-mode loopback --yes --batch "$@" <&0
 fi

From 2d4cee93c1d03f3fe00b927f6b0fde1c741d4e39 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 5 Feb 2024 21:13:46 +0100
Subject: [PATCH 18/21] fix: :construction: wip

---
 src/entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index a705a332..48ff5245 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -44,8 +44,8 @@ function ssh_setup() {
 function gpg_setup() {
 echo "::group::gpg setup"
 info "start prepare gpg"
- GPG_TTY=$(tty)
- export GPG_TTY
+ # GPG_TTY=$(tty)
+ # export GPG_TTY
 echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
 for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
 

From 6c8e1be4554de79e877b0077ec527a66964c42db Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Mon, 5 Feb 2024 21:17:58 +0100
Subject: [PATCH 19/21] fix: :construction: WIP

---
 src/gpg_no_tty.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 70cf8868..6b3b677d 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- # echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
- echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 "$@" <&0
+ echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
+ # echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 "$@" <&0
 else
 gpg --pinentry-mode loopback --yes --batch "$@" <&0
 fi

From 739dc19eb9c5df7114795fe4a88c7f71d2680860 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Tue, 6 Feb 2024 21:00:24 +0100
Subject: [PATCH 20/21] fix: :construction: WIP

---
 Makefile | 4 ++++
 docker-compose.yml | 6 ++++++
 src/Dockerfile | 2 +-
 src/entrypoint.sh | 2 --
 src/gpg_no_tty.sh | 1 -
 5 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 95d3cd06..5060ec00 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,10 @@ markdownlint: ## Validate markdown files
 zsh: ## open dev container with build environment
 docker-compose run --service-ports dev /bin/zsh
 
+.PHONY: prod
+prod: ## run the prod docker image with bash
+ docker-compose run prod
+
 .PHONY: prune
 prune: ## delete the whole environment
 docker-compose down -v --rmi all --remove-orphans
diff --git a/docker-compose.yml b/docker-compose.yml
index a72254db..2ab78b42 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -23,3 +23,9 @@ services:
 volumes:
 - .:/app/
 working_dir: /app/
+
+ prod:
+ build:
+ context: ./src/
+ tty: true
+ entrypoint: ["/bin/bash"]
diff --git a/src/Dockerfile b/src/Dockerfile
index 34fd8acb..3799db38 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -29,4 +29,4 @@ RUN chmod +x /bin/entrypoint.sh \
 RUN mkdir -p /root/.ssh \
 && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
 
-ENTRYPOINT ["/bin/entrypoint.sh"]
+ENTRYPOINT ["/bin/bash", "/bin/entrypoint.sh"]
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index 48ff5245..4d788e13 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -44,8 +44,6 @@ function ssh_setup() {
 function gpg_setup() {
 echo "::group::gpg setup"
 info "start prepare gpg"
- # GPG_TTY=$(tty)
- # export GPG_TTY
 echo -e "$GPG_PRIVATE_KEY" | gpg --import --batch
 for fpr in $(gpg --list-key --with-colons "${GIT_USER_EMAIL}" | awk -F: '/fpr:/ {print $10}' | sort -u); do echo -e "5\ny\n" | gpg --no-tty --command-fd 0 --expert --edit-key "$fpr" trust; done
 
diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 6b3b677d..8cdddaca 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
@@ -2,7 +2,6 @@
 
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
 echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
- # echo -e "${GPG_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 "$@" <&0
 else
 gpg --pinentry-mode loopback --yes --batch "$@" <&0
 fi
From 6daf078581310bffc45f8230e43e4edd6dda1339 Mon Sep 17 00:00:00 2001
From: Andy Augustin
Date: Thu, 22 Feb 2024 17:11:58 +0100
Subject: [PATCH 21/21] fix: :bug: disable gpg with passphrase

---
 README.md | 4 ++--
 action.yml | 3 ---
 src/gpg_no_tty.sh | 4 +++-
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index b9ee7f6f..11c33484 100644
--- a/README.md
+++ b/README.md
@@ -253,7 +253,6 @@ jobs:
 | git_user_email | `[optional]` set the committer git user.email | `false` | `github-action@actions-template-sync.noreply.${SOURCE_REPO_HOSTNAME}` |
 | git_remote_pull_params | `[optional]` set remote pull parameters | `false` | `--allow-unrelated-histories --squash --strategy=recursive -X theirs` |
 | gpg_private_key | `[optional]` set if you want to sign commits | `false` | |
-| gpg_passphrase | `[optional]` set if your optionial gpg private key has a passphrase | `false` | |
 
 ### Docker
 
@@ -316,7 +315,8 @@ gpg --armor --export-secret-key jon@doe.example | xclip
 ```
 
 :warning: the gpg username and email must match the `git_user_name` and `git_user_email` parameters.
-Paste your clipboard as a [secret][github-create-secret] named `GPG_PRIVATE_KEY` for example. If your key has a password, create another secret named `GPG_PASSPHRASE`.
+Paste your clipboard as a [secret][github-create-secret] named `GPG_PRIVATE_KEY` for example.
+:warning: currently a pgp key with passphrase is not supported (yet).
 
 ```yaml
 # File: .github/workflows/template-sync.yml
diff --git a/action.yml b/action.yml
index eb1d071d..9479443c 100644
--- a/action.yml
+++ b/action.yml
@@ -54,8 +54,6 @@ inputs:
 description: "[optional] set the pull parameters for the remote repository"
 gpg_private_key:
 description: "[optional] set the gpg private key if you want to sign your commits"
- gpg_passphrase:
- description: "[optional] set if your private gpg key has a password"
 runs:
 using: "docker"
 image: "src/Dockerfile"
@@ -79,4 +77,3 @@ runs:
 GIT_USER_EMAIL: ${{ inputs.git_user_email }}
 GIT_REMOTE_PULL_PARAMS: ${{ inputs.git_remote_pull_params }}
 GPG_PRIVATE_KEY: ${{ inputs.gpg_private_key }}
- GPG_PASSPHRASE: ${{ inputs.gpg_passphrase }}
diff --git a/src/gpg_no_tty.sh b/src/gpg_no_tty.sh
index 8cdddaca..e742a973 100644
--- a/src/gpg_no_tty.sh
+++ b/src/gpg_no_tty.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 
 if [[ -n "${GPG_PASSPHRASE}" ]] &>/dev/null; then
- echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
+ # echo -e "${GPG_PASSPHRASE}" | gpg --pinentry-mode loopback --batch --yes --passphrase-fd 0 "$@" <&0
+ echo "::error::currently gpg with passphrase is not supported"
+ exit 1
 else
 gpg --pinentry-mode loopback --yes --batch "$@" <&0
 fi
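Review bot: The new error branch prints `::error::...` on stdout, but when this script runs as git's `gpg.program` stdout is the channel git reads the detached signature from, so diagnostics belong on stderr: `echo "::error::currently gpg with passphrase is not supported" >&2`. With the `GPG_PASSPHRASE` mapping removed from `action.yml` in this same patch the branch is only reachable when the variable is set by some other means, which is worth stating in a comment above the `if` so the guard is not later removed as dead code. The `exit 1` itself is right; falling through to the unprotected `gpg` call would attempt to sign with a key whose passphrase cannot be supplied and fail less clearly.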