From 92bfd0acdfcbf8c9333b37fe234869100a0ad7fd Mon Sep 17 00:00:00 2001
From: afdesk
Date: Fri, 24 Mar 2023 09:46:18 +0600
Subject: [PATCH] ci: add gpg signing for RPM packages (#3612)

---
 .github/workflows/reusable-release.yaml | 12 ++++++++++++
 .github/workflows/test.yaml             |  3 ++-
 docs/getting-started/installation.md    |  3 ++-
 goreleaser.yml                          |  3 +++
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml
index 78cfc22a420..d281f8f34fd 100644
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -75,6 +75,12 @@ jobs:
           args: mod -licenses -json -output bom.json
           version: ^v1
 
+      - name: "save gpg key"
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" > gpg.txt
+
       - name: GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
@@ -82,6 +88,12 @@ jobs:
           args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
+          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_FILE: "gpg.txt"
+
+      - name: "remove gpg key"
+        run: |
+          rm gpg.txt
 
       ## push images to registries
       ## only for canary build
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 41d230cef24..94e36c6eda5 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -120,4 +120,5 @@ jobs:
         with:
           version: v1.4.1
           args: release --skip-sign --snapshot --rm-dist --skip-publish --timeout 90m
-
+        env:
+          GPG_FILE: "nofile"
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md
index e9e8bf04375..92adf2fe58a 100644
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
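Review bot: The private signing key is written with the shell's default umask, so `gpg.txt` lands in the job workspace readable by every later step and third-party action in the job; prefixing the redirect with `umask 077` in the same `run:` block, `umask 077` then `echo "$GPG_KEY" > gpg.txt`, keeps the file owner-only. Placing it under `$RUNNER_TEMP` rather than the checkout would also keep it out of reach of any archive or artifact step, though the `GPG_FILE` value in the GoReleaser step's `env:` would then have to carry the same path. The step name would read better without quotes, matching the unquoted `name: GoReleaser` two lines below.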
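Review bot: The `remove gpg key` step only runs when GoReleaser succeeds, because a step without an `if:` is skipped once an earlier step has failed, so a failed release leaves the private key on disk for the remainder of the job, including the image-push steps that follow this hunk; add `if: always()` to the step. Using `rm -f gpg.txt` additionally keeps the cleanup from failing the job if the save step never wrote the file. The job definition continues outside the hunk.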
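Review bot: `GPG_FILE: "nofile"` reads like a typo rather than a deliberate placeholder; a comment above it such as `# placeholder: goreleaser.yml templates nfpm's rpm key_file from GPG_FILE, so it must be set even though no signing happens here` would tell the next reader why a nonexistent path is intended. Presumably the `--skip-sign` flag in the `args:` line above is what keeps the missing key from being opened, so if that flag is ever dropped this job will start failing on it — worth saying in the same comment. The step begins outside the hunk.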
@@ -15,8 +15,9 @@ In this section you will find an aggregation of the different ways to install Tr
     [trivy]
     name=Trivy repository
     baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$RELEASE_VERSION/\$basearch/
-    gpgcheck=0
+    gpgcheck=1
     enabled=1
+    gpgkey=https://aquasecurity.github.io/trivy-repo/rpm/public.key
     EOF
     sudo yum -y update
     sudo yum -y install trivy
diff --git a/goreleaser.yml b/goreleaser.yml
index 434774fdde2..82393c97d10 100644
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -74,6 +74,9 @@ nfpms:
     contents:
       - src: contrib/*.tpl
         dst: /usr/local/share/trivy/templates
+    rpm:
+      signature:
+        key_file: '{{ .Env.GPG_FILE }}'
 archives:
   -