Add GPG signing support

[Unbinilium]

Is your feature request related to a problem? Please describe.
It not related with any problem, just a feature.

Describe the solution you'd like
Using GPG or S/MIME created sign tags and commits, and marked commits to GitHub Pages branch as verified on GitHub like this:

git config --global user.signingkey '<KEYID>'
git config --global commit.gpgsign true

Anyway, the gpg_private_key should be added before creating the commits.

This would be a awesome feature and it may not quite easy as I thought at beginning , so I add some contents here:

1. Export GPG private key on local machine with an ascii armored version which could be added as secrets in repository settings page:

gpg --output '<gpg_private_key.pgp>' --armor --export-secret-key '<username@email>'

2. Import the exported key to remote GitHub Actions machine, the passphrase must be confirmed, so there are two variables required - gpg_private_key.pgp and passphrase:

gpg --import '<gpg_private_key.pgp>' --passphrase '<passphrase>' #this '--passphrase' may not working as excepted

I'm not sure whether a chmod should be applied to the key file, but if it successfully added, the output is like this:

gpg: key KEYID: "KEY_USER_NAME (GitHub GPG Key) <KEY_USER_EMAIL>" not changed
gpg: key KEYID: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

The KEYID could be extracted by regex.

3. Add GPG KEYID to .gitconfig and enable auto signing when perform a commit:

git config --global user.signingkey '<KEYID>'
git config --global commit.gpgsign true

I have not confirmed whether the user.name and user.email in git config should be as same as the key's, or it does not match may cause signing error.

4. Commit changes and push to branch:

git add -A
git commit -a -S -m "some message"

Here also requires the passphrase to be entered and I got puzzled in passing the passphrase directly to gpg form git in command line. Lastly git push as usual.

5. Should the GPG key to be removed after this step?

Additional context
Ref:

• https://help.github.com/en/github/authenticating-to-github/about-commit-signature-verification

• https://github.com/samuelmeuli/action-maven-publish

Add issues may did some help:

• GPG failed to sign the data fatal on macOS

• gpg asks for password even with --passphrase

[peaceiris]

That's nice! I will work on this on the weekend. The option name gpg_signingkey is probably better.

[Unbinilium]

That's nice! I will work on this on the weekend. The option name gpg_signingkey is probably better.

Yeah, I agree and you choose the variable name for the api better. And I added some information above which may did some help, waiting for this awesome feature.

[github-actions]

This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 7 days.

[peaceiris]

I have learned the flow of creating a commit with GPG signing, just now, for only on macOS and Ubuntu. The gpg command is also available on Actions Windows runner but I do not know that the setting on Windows is the same as other operating systems. We need further investigation.

[weklost]

@peaceiris @Unbinilium I just found the Import GPG action created by @crazy-max and I think it could easily fit in here.

I tested it with another action that deploys with GitHub Pages and the commits signature works very well! Here is a simple snippet of my workflow:

name: website

on: push

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Simple page
        run: |
          mkdir public
          echo "<!doctype html><html><head><title>Test!</title></head></html>" > public/index.html
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v1
        with:
          git_user_signingkey: true
          git_commit_gpgsign: true
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
      -
        name: Deploy to GitHub Pages
        if: success()
        uses: crazy-max/ghaction-github-pages@v2
        with:
          target_branch: gh-pages
          build_dir: public
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

[peaceiris]

@weklost
Thank you for suggesting that. I already know that action but I will avoid depending on external actions. It is desired to implement all features in one action for testability and maintainability. (Even the actions/checkout have caused trouble for me some times, it changed my mind. Nowadays I do not trust even actions/checkout...)