Sign with GPG key

Author: plfiorini

.github/workflows/build.yml

@@ -1,9 +1,17 @@
 name: Build
 
 on:
+  pull_request:
+    branches:
+      - develop
   schedule:
     - cron: '0 2 * * *'
 
+env:
+  CI_GPG_KEYID: ${{ secrets.CI_GPG_KEYID }}
+  CI_GPG_KEY: ${{ secrets.CI_GPG_KEY }}
+  CI_GPG_PASSPHRASE: ${{ secrets.CI_GPG_PASSPHRASE }}
+
 jobs:
   build:
     if: "!contains(github.event.head_commit.message, 'ci skip')"
@@ -19,7 +27,11 @@ jobs:
           set -x
           dnf install -y dnf-plugins-core
           dnf copr enable -y plfiorini/liri-tools
-          dnf install -y ostree-upload flatpak-builder
+          dnf install -y ostree-upload flatpak-builder gnupg2 pinentry
+      - name: Import GPG key
+        run: |
+          .github/workflows/scripts/setup-gpg
+          gpg --list-keys ${CI_GPG_KEYID}
       - name: Build
         run: |
           set -x

.github/workflows/scripts/build.sh

@@ -17,6 +17,8 @@ flatpak remote-add flathub --from https://flathub.org/repo/flathub.flatpakrepo -
 now=$(date +"%Y-%m-%d %H:%M:%S")
 
 flatpak-builder build ${app_id}.yaml \
+    --gpg-sign=${CI_GPG_KEYID} \
+    --gpg-homedir=${HOME}/.gnupg \
     --force-clean \
     --subject="Build of ${app_id} at ${now}" \
     --install-deps-from=flathub \

.github/workflows/scripts/setup-gpg

@@ -0,0 +1,21 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: 2020 Pier Luigi Fiorini <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+set -e
+
+export GNUPGHOME=${HOME}/.gnupg
+
+mkdir -m 700 -p ${GNUPGHOME}
+printf "${CI_GPG_KEY}" | base64 --decode > ${GNUPGHOME}/private.key
+gpg --batch --import ${GNUPGHOME}/private.key
+
+cat > ${GNUPGHOME}/gpg.conf <<EOF
+use-agent
+pinentry-mode loopback
+passphrase ${CI_GPG_PASSPHRASE}
+no-tty
+batch
+yes
+EOF