From 2f052aa53689a0fc98d78c511b601629d79c0e67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaspar=20L=C3=B6chte?=
Date: Tue, 3 Aug 2021 13:08:30 +0200
Subject: [PATCH] Add signing to workflow ...
---
 .github/workflows/release-pontos-patch.yml | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-pontos-patch.yml b/.github/workflows/release-pontos-patch.yml
index 25306973c..057398f8a 100644
--- a/.github/workflows/release-pontos-patch.yml
+++ b/.github/workflows/release-pontos-patch.yml
@@ -11,6 +11,9 @@ jobs:
 GITHUB_USER: ${{ secrets.GREENBONE_BOT }}
 GITHUB_MAIL: ${{ secrets.GREENBONE_BOT_MAIL }}
 GITHUB_TOKEN: ${{ secrets.GREENBONE_BOT_TOKEN }}
+ GPG_KEY: ${{ secrets.GPG_KEY }}
+ GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
+ GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 name: Release patch with pontos
 # If the label 'make patch release' is set. If PR is closed because of an merge
 if: contains( github.event.pull_request.labels.*.name, 'make patch release') && github.event.pull_request.merged == true
@@ -35,7 +38,6 @@ jobs:
 git config --global user.name "${{ env.GITHUB_USER }}"
 git config --global user.email "${{ env.GITHUB_MAIL }}"
 git remote set-url origin https://${{ env.GITHUB_TOKEN }}@github.com/${{ github.repository }}
-
 - name: Print base branch
 # we always should've checked out the correct branch'
 run: echo "Current Branch is $GITHUB_BASE_REF"
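Review bot: The new GPG_KEY, GPG_FINGERPRINT and GPG_PASSPHRASE entries are added to the job-level `env` next to GITHUB_TOKEN, so the private key and its passphrase land in the process environment of every step of the job, including the checkout and setup steps that never use them and any third-party action they run. Scoping them with a step-level `env:` on only the import and sign steps (the `@@ -43,7 +45,24 @@` hunk) limits the exposure to the two steps that need the material. Exporting them as environment variables is otherwise the right choice; the steps in that later hunk should then read `"$GPG_KEY"` and `"$GPG_PASSPHRASE"` rather than re-interpolating `${{ env.… }}` into the script text. The enclosing job definition starts before this hunk.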
@@ -43,7 +45,24 @@ jobs:
 run: |
 . .venv/bin/activate
 pontos-release prepare --patch
+ echo "VERSION=$(pontos-version show)" >> $GITHUB_ENV
 - name: Release with pontos
 run: |
 . .venv/bin/activate
 pontos-release release
+ - name: Import key from secrets
+ run: |
+ echo -e "${{ env.GPG_KEY }}" >> tmp.file
+ gpg \
+ --pinentry-mode loopback \
+ --passphrase ${{ env.GPG_PASSPHRASE }} \
+ --import tmp.file
+ rm tmp.file
+ - name: Sign with pontos-release sign
+ run: |
+ echo "Signing assets for ${{env.VERSION}}"
+ . .venv/bin/activate
+ pontos-release sign \
+ --signing-key ${{ env.GPG_FINGERPRINT }} \
+ --passphrase ${{ env.GPG_PASSPHRASE }} \
+ --release-version ${{ env.VERSION }}
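Review bot: The added `Import key from secrets` step writes the private key to `tmp.file` in the checked-out workspace and removes it only on the success path; since the default runner shell stops on the first failing command, a failed `gpg --import` leaves the key on disk for the remaining steps, and `>>` appends to any pre-existing file of that name. Feeding the key to `gpg --import` on stdin removes the file entirely. Both new steps also inline `${{ env.GPG_KEY }}` and `${{ env.GPG_PASSPHRASE }}` unquoted into the script text, so a passphrase containing whitespace or shell metacharacters is word-split or interpreted by bash; reading the already-exported variables as `"$GPG_KEY"`, `"$GPG_PASSPHRASE"`, `"$GPG_FINGERPRINT"` and `"$VERSION"` in double quotes avoids that. GnuPG 2.x honours `--passphrase` only together with `--batch`, so the import call should carry `--batch` as well; `${{env.VERSION}}` on the echo line is additionally spaced unlike every other expression in the file. The rewritten steps follow; the `steps:` list they belong to starts before this hunk.
```yaml
      # … unchanged: prepare and release steps …
      - name: Import key from secrets
        run: |
          # %b keeps the escape handling of the original `echo -e`; no key file is written
          printf '%b\n' "$GPG_KEY" | gpg --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --import
      - name: Sign with pontos-release sign
        run: |
          echo "Signing assets for ${VERSION}"
          . .venv/bin/activate
          pontos-release sign \
            --signing-key "$GPG_FINGERPRINT" \
            --passphrase "$GPG_PASSPHRASE" \
            --release-version "$VERSION"
```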