Add GPG signing support #164

Open · Unbinilium opened this issue Mar 20, 2020 · 9 comments
Labels: enhancement (New feature or request), proposal

Comments

Unbinilium commented Mar 20, 2020

Is your feature request related to a problem? Please describe.
It is not related to any problem, just a feature.

Describe the solution you'd like
Use GPG or S/MIME to create signed tags and commits, so that commits to the GitHub Pages branch are marked as verified on GitHub, like this:

git config --global user.signingkey '<KEYID>'
git config --global commit.gpgsign true

Anyway, the gpg_private_key should be added before creating the commits.

This would be an awesome feature, and it may not be quite as easy as I thought at the beginning, so I add some contents here:

  1. Export the GPG private key on the local machine in ASCII-armored form, which can be added as a secret in the repository settings page:
gpg --output '<gpg_private_key.pgp>' --armor --export-secret-key '<username@email>'
  2. Import the exported key on the remote GitHub Actions machine. The passphrase must be confirmed, so two variables are required - gpg_private_key.pgp and passphrase:
gpg --import '<gpg_private_key.pgp>' --passphrase '<passphrase>' #this '--passphrase' may not be working as expected

I'm not sure whether a chmod should be applied to the key file, but if it is successfully added, the output is like this:

gpg: key KEYID: "KEY_USER_NAME (GitHub GPG Key) <KEY_USER_EMAIL>" not changed
gpg: key KEYID: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

The KEYID could be extracted by regex.

  3. Add the GPG KEYID to .gitconfig and enable auto signing when performing a commit:
git config --global user.signingkey '<KEYID>'
git config --global commit.gpgsign true

I have not confirmed whether the user.name and user.email in git config should be the same as the key's, or whether a mismatch may cause a signing error.

  4. Commit changes and push to the branch:
git add -A
git commit -a -S -m "some message"

This also requires the passphrase to be entered, and I got puzzled about passing the passphrase directly to gpg from git on the command line. Lastly, git push as usual.

  5. Should the GPG key be removed after this step?

Additional context
Ref:

Other issues that may be of some help:
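The five steps above, carried through non-interactively the way a CI step has to run them, as an added example (not code from peaceiris/actions-gh-pages): an ephemeral keyring is created, the armored secret key is imported, the KEYID is taken from `gpg --with-colons` output rather than a regex over the human-readable message, git is pointed at a small gpg wrapper that supplies the passphrase from a 0600 file (this is the piece that answers the "passing the passphrase from git to gpg" puzzle: `--passphrase` only works on GnuPG 2.1+ together with `--batch` and loopback pinentry), a commit is signed and verified, and the key material is removed at the end. It assumes GnuPG 2.1+ and git on PATH; `GPG_PRIVATE_KEY` and `GPG_PASSPHRASE` are hypothetical environment variables that a workflow would fill from repository secrets, and the live part of the flow is skipped when they are not set. The committer email is set to one of the key's UIDs because GitHub only shows the "Verified" badge when the committer email matches both a UID on the key and a verified email on the account.

```shell
#!/bin/sh
# Added example (not the project's own code): non-interactive GPG commit
# signing for a CI runner. Assumes GnuPG 2.1+ and git on PATH; GPG_PRIVATE_KEY
# (ASCII-armored secret key) and GPG_PASSPHRASE are hypothetical env vars.
set -eu

# Long key ID of the first secret key in `gpg --with-colons` output: the "sec"
# record carries it in field 5. More robust than a regex over the human-readable
# "secret key imported" message, whose wording varies between versions.
key_id_from_colons() {
  awk -F: '$1 == "sec" { print $5; exit }'
}

# Full fingerprint of that key: the "fpr" record after "sec" holds it in field 10.
fingerprint_from_colons() {
  awk -F: '$1 == "sec" { want = 1 } want && $1 == "fpr" { print $10; exit }'
}

# Ephemeral keyring: nothing touches the runner's default ~/.gnupg, and all key
# material disappears with a single rm -rf in cleanup (answer to step 5: yes).
setup_gnupghome() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # Loopback pinentry lets gpg read the passphrase from a file instead of a
  # terminal prompt; without it a bare --passphrase is ignored on GnuPG 2.1+,
  # which is the "may not work as expected" behaviour from step 2.
  printf 'pinentry-mode loopback\n' > "$GNUPGHOME/gpg.conf"
  printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"
  # Passphrase in a 0600 file, never on a command line where ps would show it.
  (umask 077; printf '%s' "$GPG_PASSPHRASE" > "$GNUPGHOME/passphrase")
  # git only knows how to run "gpg"; this wrapper adds the non-interactive flags.
  GPG_WRAPPER="$GNUPGHOME/gpg-ci.sh"
  cat > "$GPG_WRAPPER" <<EOF
#!/bin/sh
exec gpg --batch --passphrase-file "$GNUPGHOME/passphrase" "\$@"
EOF
  chmod 700 "$GPG_WRAPPER"
}

import_key() {
  printf '%s\n' "$GPG_PRIVATE_KEY" | "$GPG_WRAPPER" --import
  KEYID="$("$GPG_WRAPPER" --with-colons --list-secret-keys | key_id_from_colons)"
  FPR="$("$GPG_WRAPPER" --with-colons --list-secret-keys | fingerprint_from_colons)"
  # Ultimate ownertrust on our own key avoids "no ultimately trusted keys"
  # warnings while signing; --import-ownertrust reads from stdin.
  printf '%s:6:\n' "$FPR" | "$GPG_WRAPPER" --import-ownertrust
  echo "imported key $KEYID ($FPR)"
}

configure_git() {
  # Repository-local config here; the issue uses --global, which amounts to the
  # same thing on a throwaway runner.
  git config user.signingkey "$KEYID"
  git config commit.gpgsign true
  git config gpg.program "$GPG_WRAPPER"
}

sign_and_verify() {
  printf 'hello\n' > index.html
  git add -A
  git commit -S -m "deploy: signed test commit"
  # Non-zero exit if the signature is missing or does not verify, so a workflow
  # step fails before an unsigned commit is pushed.
  git verify-commit HEAD
}

cleanup() {
  # gpg-agent may still hold the unlocked key; stop it before removing the keyring.
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}

main() {
  if ! command -v gpg >/dev/null 2>&1 || [ -z "${GPG_PRIVATE_KEY:-}" ] || [ -z "${GPG_PASSPHRASE:-}" ]; then
    echo "gpg, GPG_PRIVATE_KEY and GPG_PASSPHRASE are needed for the live flow; skipping" >&2
    return 0
  fi
  setup_gnupghome
  trap cleanup EXIT
  import_key
  repo="$(mktemp -d)"
  cd "$repo"
  git init -q
  git config user.name "CI Deployer"
  git config user.email "ci@example.com"  # must be a UID on the key (constructed value)
  configure_git
  sign_and_verify
}

main "$@"
```

The two parsing functions work on captured `--with-colons` output as well, which is how the test below exercises them without a keyring; the rest of the flow only runs when gpg and both variables are present.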

peaceiris (Owner) commented Mar 20, 2020

That's nice! I will work on this on the weekend. The option name gpg_signingkey is probably better.

@peaceiris peaceiris added the enhancement New feature or request label Mar 20, 2020
Unbinilium (Author) commented:

> That's nice! I will work on this on the weekend. The option name gpg_signingkey is probably better.

Yeah, I agree, and you choose the variable name for the API better. And I added some information above which may be of some help; waiting for this awesome feature.

@peaceiris peaceiris pinned this issue Mar 21, 2020
github-actions commented (this comment has been minimized).

peaceiris (Owner) commented:

I have learned the flow of creating a commit with GPG signing just now, but only on macOS and Ubuntu. The gpg command is also available on the Actions Windows runner, but I do not know whether the setting on Windows is the same as on other operating systems. We need further investigation.

weklost commented (this comment has been minimized).

peaceiris (Owner) commented:

@weklost
Thank you for suggesting that. I already know that action, but I will avoid depending on external actions. It is desirable to implement all features in one action for testability and maintainability. (Even actions/checkout has caused trouble for me some times; it changed my mind. Nowadays I do not trust even actions/checkout...)

lepapareil commented:

Hello @peaceiris :)

Just wanted to know if we could reprioritize this issue, please?

timerring commented:

Hi, I have just adjusted this action and combined it with crazy-max/ghaction-import-gpg, and finally implemented deployment to GitHub Pages with GPG signing! You can check my result.

And here is my process:

  1. I introduced the ghaction-import-gpg action first.
  2. Adjusted the commit function in src/git-utils.ts of this action, appending the parameter -S.
  3. Then released a new version via ./release.sh, and used it to substitute the original deploy action.

Finally, the combined workflow works well for me.

Or you can use my adjusted version directly:

You can check the full yml configuration here.

- name: Import GPG key # import the gpg key to the github action
  uses: crazy-max/ghaction-import-gpg@v6 # repository https://github.com/crazy-max/ghaction-import-gpg
  with: # I use the subkey to sign the commit, if you use the primary key, you can refer to his repository docs.
      gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} # the secret gpg subkey
      passphrase: ${{ secrets.PASSPHRASE }} # the passphrase of the gpg subkey
      git_user_signingkey: true
      git_commit_gpgsign: true
      fingerprint: ${{ secrets.FINGERPRINT }} # the fingerprint of the public subkey you use

- name: Deploy Web
  uses: timerring/actions-gh-pages@v5.0.0 # this is adjusted action from peaceiris/actions-gh-pages, you can use it directly.
  with:
      personal_token: ${{ secrets.PERSONAL_TOKEN }} # the personal token of the github action
      external_repository: your_username/your_repository # your target repository
      publish_branch: main # the branch you want to deploy
      publish_dir: ./public # the directory you want to deploy
      user_name: ${{ secrets.USER_NAME }} # the name of the github action
      user_email: ${{ secrets.USER_EMAIL }} # the email of the github action # ATTENTION: please add your github verified email
      commit_message: ${{ github.event.head_commit.message }}

Don't forget to fill in the secrets.XXX variables in the repository.

For more details, I have written about the issues that may be encountered in my blog; you can refer to it here.
