chore: add gpg logic to other node versions workflow (#3927)

lerna · Dec 30, 2023 · 63baf1f · 63baf1f
1 parent adea20e
commit 63baf1f
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/.github/workflows/other-node-versions.yml b/.github/workflows/other-node-versions.yml
@@ -87,6 +87,35 @@ jobs:
           git config --global user.email test@example.com
           git config --global user.name "Tester McPerson"
 
+      - name: Generate and configure GPG for signing commits and tags in E2E tests
+        run: |
+          # Generate a GPG key for test@example.com and store the output from stderr
+          GPG_OUTPUT=$(echo "Key-Type: default
+          Key-Length: 2048
+          Subkey-Type: default
+          Subkey-Length: 2048
+          Name-Real: Tester McPerson
+          Name-Email: test@example.com
+          Expire-Date: 0
+          %no-protection" | gpg --pinentry-mode loopback --batch --generate-key 2>&1)
+
+          # Find and extract the revocation file path from sdterr
+          REVOCATION_FILE=$(echo "$GPG_OUTPUT" | grep '.rev' | tr '\n' ' ' | awk -F "'" '{print $4}')
+
+          # Get the GPG key ID and the full fingerprint
+          export GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | awk '{print $2}' | cut -d'/' -f2)
+          export GPG_FULL_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep "$GPG_KEY_ID" | grep -v "sec" | awk '{print $1}' | cut -d'/' -f2)
+
+          # Export fingerprint and the path to the revocation file to GITHUB_ENV
+          # This allows the last step in this job to revoke and delete the key
+          echo "GPG_FULL_KEY_ID=$GPG_FULL_KEY_ID" >> $GITHUB_ENV
+          echo "REVOCATION_FILE=$REVOCATION_FILE" >> $GITHUB_ENV
+
+          # Setup git signing for commits and tags
+          git config commit.gpgsign true
+          git config tag.gpgsign true
+          git config --global user.signingkey $GPG_KEY_ID
+
       - name: Run e2e tests for task-runner
         run: npx nx prepare-for-e2e e2e-run-task-runner && e2e/run/task-runner/src/run-tests.sh
         shell: bash
@@ -98,6 +127,17 @@ jobs:
         if: ${{ always() }}
         run: npx nx-cloud stop-all-agents
 
+      - name: Revoke and delete GPG key
+        # It's important that we always run this step, otherwise the key will remain active if any of the steps above fail
+        if: ${{ always() }}
+        run: |
+          # As instructed in the text of revocation file, there is a colon that needs to be removed manually
+          sed -i "s/:-----BEGIN PGP PUBLIC KEY BLOCK-----/-----BEGIN PGP PUBLIC KEY BLOCK-----/" $REVOCATION_FILE
+
+          # Revoke the key and delete it
+          gpg --yes --import $REVOCATION_FILE
+          gpg --batch --yes --delete-secret-and-public-key $GPG_FULL_KEY_ID
+
   agents:
     name: Nx Cloud - Agent - node-${{ matrix.node }}-agent-${{ matrix.agent }}
     needs: set-node-versions