ci(signed-commits): use GPG signing (#13069)

(cherry picked from commit 64ec9d5) # Conflicts: # .github/workflows/run-minor-release.yml
elastic · May 7, 2024 · fbb054d · fbb054d
1 parent bd90f95
commit fbb054d
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 3 deletions.
diff --git a/.github/workflows/run-minor-release.yml b/.github/workflows/run-minor-release.yml
@@ -20,3 +20,50 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+<<<<<<< HEAD
+=======
+        with:
+          # 0 indicates all history for all branches and tags.
+          fetch-depth: 0
+
+      # Required to use a service account, otherwise PRs created by
+      # GitHub bot won't trigger any CI builds.
+      # See https://github.com/peter-evans/create-pull-request/issues/48#issuecomment-537478081
+      - name: Configure git user
+        uses: elastic/apm-pipeline-library/.github/actions/setup-git@current
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4  # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.APM_SERVER_RELEASE_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.APM_SERVER_RELEASE_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - run: make minor-release
+
+      - uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
+        if: success()
+        with:
+          url: ${{ secrets.VAULT_ADDR }}
+          roleId: ${{ secrets.VAULT_ROLE_ID }}
+          secretId: ${{ secrets.VAULT_SECRET_ID }}
+          channel: ${{ env.SLACK_CHANNEL }}
+          threadTimestamp: ${{ needs.prepare.outputs.slack-thread || '' }}
+          message: |-
+            `${{ github.repository }}@${{ env.RELEASE_BRANCH }}` is now available.
+            The docs and other references are updated. You can start using it.
+
+      - uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
+        if: failure()
+        with:
+          url: ${{ secrets.VAULT_ADDR }}
+          roleId: ${{ secrets.VAULT_ROLE_ID }}
+          secretId: ${{ secrets.VAULT_SECRET_ID }}
+          channel: ${{ env.SLACK_CHANNEL }}
+          threadTimestamp: ${{ needs.prepare.outputs.slack-thread || '' }}
+          message: |-
+            :fire: Something went wrong with the release. See <${{ env.JOB_URL }}|logs>.
+>>>>>>> 64ec9d5bf (ci(signed-commits): use GPG signing (#13069))
diff --git a/.github/workflows/run-patch-release.yml b/.github/workflows/run-patch-release.yml
@@ -60,10 +60,17 @@ jobs:
       - name: Configure git user
         uses: elastic/apm-pipeline-library/.github/actions/setup-git@current
         with:
-          username: ${{ env.GIT_USER }}
-          email: ${{ env.GIT_EMAIL }}
           token: ${{ env.GH_TOKEN }}
 
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4  # v6.1.0
+        with:
+          gpg_private_key: ${{ secrets.APM_SERVER_RELEASE_GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.APM_SERVER_RELEASE_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_push_gpgsign: true
+
       - run: make patch-release
 
       - uses: elastic/apm-pipeline-library/.github/actions/slack-message@current

diff --git a/release.mk b/release.mk
@@ -274,7 +274,7 @@ create-commit:
 	if [ ! -z "$$(git status -s)" ]; then \
 		git status -s; \
 		git add --all; \
-		git commit -a -m "$(COMMIT_MESSAGE)"; \
+		git commit --gpg-sign -a -m "$(COMMIT_MESSAGE)"; \
 	fi
 	@echo "::endgroup::"