We recommend using the upstream crazy-max/ghaction-import-gpg action, which this action was based on.

Note that there are a few small changes between this action and the upstream. You'll need to change the YAML snippet from this:

```yaml
uses: hashicorp/ghaction-import-gpg@v2.1.0
env:
  GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
  PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
```

To this:

```yaml
uses: crazy-max/ghaction-import-gpg@v5.0.0
with:
  gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
  passphrase: ${{ secrets.GPG_PASSPHRASE }}
```

GitHub action to import GPG private key
Note [7/14/22]: This action has been deprecated in favor of the upstream which now supports sign-only keys, and is well supported and documented.
Note [5/6/2021]: This was supposed to be a fork (paultyng/ghaction-import-gpg) of a fork (crazy-max/ghaction-import-gpg) of the upstream repo. Due to the restrictions on using a sign-only key, we encountered this issue. This is an internal action that overrides this fork until the issue is resolved upstream.
The following environment variables must be set as `step.env` keys:

| Name | Description |
|---|---|
| `GPG_PRIVATE_KEY` | GPG private key exported as an ASCII armored version (required) |
| `PASSPHRASE` | Passphrase of the `GPG_PRIVATE_KEY` key if set |

Details on how to generate the Private Key and Passphrase can be found in our learn guide.
```yaml
name: sign
on: push
jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Import GPG key
        id: import_gpg
        uses: hashicorp/ghaction-import-gpg@v2.1.0
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
      - run: |
          touch foo.txt
          gpg --detach-sig foo.txt
```
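
To apply the migration described at the top of this page across existing workflow files, the sketch below rewrites steps that use the deprecated action so the two `env` keys become `with` inputs of the upstream action. It is an added example, not code from this project or the upstream; the function names are hypothetical, and it assumes `env:` directly follows `uses:` as in the workflow above.

```python
import re

# Constructed sample: the import step from the usage workflow on this page.
SAMPLE = """\
steps:
  - name: Import GPG key
    id: import_gpg
    uses: hashicorp/ghaction-import-gpg@v2.1.0
    env:
      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
      PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
  - run: gpg --detach-sig foo.txt
"""

DEPRECATED = re.compile(r"^(\s*(?:-\s+)?uses:\s*)hashicorp/ghaction-import-gpg@\S+\s*$")
UPSTREAM = "crazy-max/ghaction-import-gpg@v5.0.0"  # version named on this page
RENAMES = {"GPG_PRIVATE_KEY": "gpg_private_key", "PASSPHRASE": "passphrase"}

def indent_of(line: str) -> int:
    return len(line) - len(line.lstrip())

def migrate(workflow: str) -> str:
    """Rewrite deprecated steps; assumes `env:` directly follows `uses:`."""
    lines, out, i = workflow.splitlines(), [], 0
    while i < len(lines):
        match = DEPRECATED.match(lines[i])
        if not match:
            out.append(lines[i])
            i += 1
            continue
        out.append(match.group(1) + UPSTREAM)
        i += 1
        if i < len(lines) and lines[i].strip() == "env:":
            base = indent_of(lines[i])
            out.append(" " * base + "with:")  # env keys become action inputs
            i += 1
            while i < len(lines) and lines[i].strip() and indent_of(lines[i]) > base:
                key, _, value = lines[i].strip().partition(":")
                if key not in RENAMES:
                    # Other env vars are not action inputs: stop for manual review.
                    raise ValueError(f"unexpected env key {key!r} on line {i + 1}")
                out.append(" " * indent_of(lines[i]) + RENAMES[key] + ":" + value)
                i += 1
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(migrate(SAMPLE), end="")
```

The script only covers the input change shown on this page; any other differences from the upstream still need a manual review.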