{"id":22700198,"url":"https://github.com/simp/github-action-build-and-sign-pkg-single-rpm","last_synced_at":"2025-04-13T05:53:32.332Z","repository":{"id":65155698,"uuid":"380339954","full_name":"simp/github-action-build-and-sign-pkg-single-rpm","owner":"simp","description":"Build \u0026 sign SIMP RPM(s) using `rake pkg:single`","archived":false,"fork":false,"pushed_at":"2024-08-20T19:52:48.000Z","size":35,"stargazers_count":1,"open_issues_count":2,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-26T22:36:23.212Z","etag":null,"topics":["github-actions","gpg","packaging","rpmbuild","simp"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-25T19:49:13.000Z","updated_at":"2024-07-16T16:22:55.000Z","dependencies_parsed_at":"2024-12-10T06:20:34.823Z","dependency_job_id":null,"html_url":"https://github.com/simp/github-action-build-and-sign-pkg-single-rpm","commit_stats":{"total_commits":31,"total_committers":1,"mean_commits":31.0,"dds":0.0,"last_synced_commit":"23a105dc04e4211df76614f3da9b93b1939a7102"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fgithub-action-build-and-sign-pkg-single-rpm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fgithub-action-build-and-sign-pkg-single-rpm/tags","releases_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/simp%2Fgithub-action-build-and-sign-pkg-single-rpm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fgithub-action-build-and-sign-pkg-single-rpm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simp","download_url":"https://codeload.github.com/simp/github-action-build-and-sign-pkg-single-rpm/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248329731,"owners_count":21085593,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","gpg","packaging","rpmbuild","simp"],"created_at":"2024-12-10T06:10:24.628Z","updated_at":"2025-04-13T05:53:32.312Z","avatar_url":"https://github.com/simp.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# github-action-build-and-sign-pkg-single-rpm\n\nBuild and sign an RPM from the current directory (using `rake pkg:single`)\n\n[![Verify Action](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/workflows/Verify%20Action/badge.svg)](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/actions?query=workflow%3A%22Verify+Action%22)\n[![tag badge](https://img.shields.io/github/v/tag/simp/github-action-build-and-sign-pkg-single-rpm)](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/tags)\n[![license badge](https://img.shields.io/github/license/simp/github-action-build-and-sign-pkg-single-rpm)](./LICENSE)\n\n\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [Description](#description)\n  * 
[Process](#process)\n* [Usage](#usage)\n* [Reference](#reference)\n  * [Action Inputs](#action-inputs)\n  * [Action Outputs](#action-outputs)\n  * [:warning: Security implications :warning:](#warning-security-implications-warning)\n* [Contributing](#contributing)\n* [Feedback \u0026 Questions](#feedback--questions)\n* [License](#license)\n\n\u003c!-- vim-markdown-toc --\u003e\n\n## Description\n\nA [GitHub action] to build and sign an RPM using `pkg:single` from simp-core\n\nNote that this requires the **secret (private) GPG signing key** as input;\nunderstand the [security implications](#warning-security-implications-warning)\nof this before using the action.\n\n### Process\n\n1. Pulls down SIMP build container\n2. Prepares build and signing environment\n   1. Copies local build directory into build container\n   2. Ensures simp-core is checked out to a specific ref for building\n   3. Adds GPG signing key to build container (without touching any\n      filesystems)\n      *  **IMPORTANT:** see [SECURITY IMPLICATIONS](#warning-security-implications-warning)\n   4. Configures GPG signing key to sign non-interactively\n3. Builds and signs RPM inside a SIMP build docker container\n   1. Runs `rake pkg:single` to build the RPM\n   2. Signs RPM with GPG signing key using `rpmsign`\n4. Outputs RPM and cleans up\n   1. Copies new RPM file back to local filesystem\n   2. Ensures container is stopped and removed\n   3. 
Returns information about new RPM file as output variables\n\n\n\n## Usage\n\nTo safely execute during a `pull_request_target` event, try something like the\nfollowing (using a previous **`contributor-permissions`** job to determine if\nthe Pull Request submitter is trusted):\n\n```yaml\n  test_action:\n    name: Test build \u0026 sign pupmod RPM\n    runs-on: ubuntu-18.04\n    steps:\n      - uses: actions/checkout@v2\n        with:\n          fetch-depth: 0\n          clean: true\n      - uses: simp/github-action-build-and-sign-pkg-single-rpm@v2\n        name: 'Build \u0026 sign RPM(s)'\n        id: build-and-sign-rpm\n        with:\n          gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }}\n          gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }}\n          gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }}\n      - name: 'Check basic results'\n        env:\n          rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }}\n          rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }}\n          expected_rpm_count: ${{ matrix.build.expected_rpm_count }}\n        run: |\n          [ -z \"$rpm_file_paths\" ] \u0026\u0026 { echo '::error ::$rpm_file_paths cannot be empty!'; exit 88; }\n          files=(${rpm_file_paths})\n\n          [ \"${#files[@]}\" -eq \"$expected_rpm_count\" ]  || \\\n            { echo \"::error ::Expected ${expected_rpm_count} RPM files, got ${#files[@]}\"; exit 88; }\n          echo \"Found expected number of files ($expected_rpm_count)\"\n\n          if [ ! 
-f \"$rpm_gpg_file\" ]; then\n            printf '::error ::No file found at $rpm_gpg_file (got \"%s\")!\\n' \"$rpm_gpg_file\"\n            exit 88\n          fi\n          echo \"Found GPG public key file: $rpm_gpg_file\"\n```\n\n\n## Reference\n\n### Action Inputs\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eInput\u003c/th\u003e\n      \u003cth\u003eRequired\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003egpg_signing_key\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eYes\u003c/td\u003e\n    \u003ctd\u003eASCII-armored content of the GPG signing key's secret/private key\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003egpg_signing_key_id\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eYes\u003c/td\u003e\n    \u003ctd\u003eGPG signing key's GPG ID (name)\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003egpg_signing_key_passphrase\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eYes\u003c/td\u003e\n    \u003ctd\u003ePassphrase to use the GPG signing key\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003epath_to_build\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eNo\u003c/td\u003e\n    \u003ctd\u003ePath to directory to build\u003cbr /\u003e\u003cem\u003eDefault:\u003c/em\u003e \u003ccode\u003e${{ github.workspace }}\u003c/code\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003esimp_builder_docker_image\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eNo\u003c/td\u003e\n    \u003ctd\u003eSIMP build container image to stage build.  
So far, the action has only been tested with (and probably only works with) the EL8 build image\n  \u003cbr /\u003e\u003cem\u003eDefault:\u003c/em\u003e \u003ccode\u003edocker.io/simpproject/simp_build_centos8:latest\u003c/code\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003esimp_core_ref_for_building_rpms\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eNo\u003c/td\u003e\n    \u003ctd\u003eA ref (usually a tagged release) in simp-core that is stable enough to build RPMs\u003cbr /\u003e\u003cem\u003eDefault:\u003c/em\u003e \u003ccode\u003e6.5.0-1\u003c/code\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003everbose\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eNo\u003c/td\u003e\n    \u003ctd\u003eIf \"yes\", enables verbose logging while building the RPM\u003cbr /\u003e\u003cem\u003eDefault:\u003c/em\u003e \u003ccode\u003eyes\u003c/code\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\n### Action Outputs\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eOutput\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003erpm_file_paths\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eLocal absolute paths to new RPM(s)\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003erpm_gpg_file\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eLocal absolute path to public GPG signing key\u003c/td\u003e\n  \u003c/tr\u003e\n\n  \u003ctr\u003e\n    \u003ctd\u003e\u003cstrong\u003e\u003ccode\u003erpm_dist_dir\u003c/code\u003e\u003c/strong\u003e\u003c/td\u003e\n    \u003ctd\u003eLocal absolute path to RPM \u003ccode\u003edist/\u003c/code\u003e dir\u003c/td\u003e\n  
\u003c/tr\u003e\n\u003c/table\u003e\n\n\n### :warning: Security implications :warning:\n\nTo sign RPMs, the action requires the **secret (aka private) key** of your GPG\nsigning key **_and_ the passphrase** to decrypt and use it. This inherently\nposes [security risks][protecting your private key] that you should be aware of\nand understand.\n\nThe action does what it can to prevent exposure of the private signing key and\nits passphrase:\n\n* secrets are piped directly into the GPG keyring in the container\n* raw secrets never touch the filesystem on the runner or build container\n* the secrets are handled as environment variables\n  in a way that should not expose them to the action logs.\n\nHowever, make sure to:\n\n  * protect your GPG signing key and passphrase as [encrypted GitHub secrets],\n    and only provide them directly to the action's inputs.\n  * use a GPG signing key that you are comfortable storing and using within\n    GitHub's infrastructure.\n\n\n## Contributing\n\nThis is an open source project open to anyone. This project welcomes\ncontributions and suggestions!\n\n## Feedback \u0026 Questions\n\nIf you discover an issue, please report it on our Jira at\nhttps://simp-project.atlassian.net/\n\n## License\n\nApache 2.0, See [LICENSE](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/blob/main/LICENSE) for more information.\n\n\n\n[GitHub action]: https://github.com/features/actions\n[protecting your private key]: https://www.gnupg.org/gph/en/manual.html#AEN513\n[encrypted GitHub secrets]: https://docs.github.com/en/actions/reference/encrypted-secrets\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimp%2Fgithub-action-build-and-sign-pkg-single-rpm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimp%2Fgithub-action-build-and-sign-pkg-single-rpm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimp%2Fgithub-action-build-and-sign-pkg-single-rpm/lists"}