
# github-action-build-and-sign-pkg-single-rpm

Build and sign an RPM from the current directory (using `rake pkg:single`)

[![Verify Action](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/workflows/Verify%20Action/badge.svg)](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/actions?query=workflow%3A%22Verify+Action%22)
[![tag badge](https://img.shields.io/github/v/tag/simp/github-action-build-and-sign-pkg-single-rpm)](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/tags)
[![license badge](https://img.shields.io/github/license/simp/github-action-build-and-sign-pkg-single-rpm)](./LICENSE)

* [Description](#description)
* [Process](#process)
* [Usage](#usage)
* [Reference](#reference)
* [Action Inputs](#action-inputs)
* [Action Outputs](#action-outputs)
* [:warning: Security implications :warning:](#warning-security-implications-warning)
* [Contributing](#contributing)
* [Feedback & Questions](#feedback--questions)
* [License](#license)

## Description

A [GitHub action] to build and sign an RPM using `pkg:single` from simp-core.

Note that this requires the **secret (private) GPG signing key** as input;
understand the [security implications](#warning-security-implications-warning)
of this before using the action.

### Process

1. Pulls down SIMP build container
2. Prepares build and signing environment
   1. Copies local build directory into build container
   2. Ensures simp-core is checked out to a specific ref for building
   3. Adds GPG signing key to build container (without touching any
      filesystems)
      * **IMPORTANT:** see [SECURITY IMPLICATIONS](#warning-security-implications-warning)
   4. Configures GPG signing key to sign non-interactively
3. Builds and signs RPM inside a SIMP build docker container
   1. Runs `rake pkg:single` to build the RPM
   2. Signs RPM with GPG signing key using `rpmsign`
4. Outputs RPM and cleans up
   1. Copies new RPM file back to local filesystem
   2. Ensures container is stopped and removed
   3. Returns information about new RPM file as output variables

## Usage

To safely execute during a `pull_request_target` event, try something like the
following (using a previous **`contributor-permissions`** job to determine if
the Pull Request submitter is trusted):

```yaml
test_action:
  name: Test build & sign pupmod RPM
  runs-on: ubuntu-18.04
  steps:
    - uses: actions/checkout@v2
      with:
        fetch-depth: 0
        clean: true
    - uses: simp/github-action-build-and-sign-pkg-single-rpm@v2
      name: 'Build & sign RPM(s)'
      id: build-and-sign-rpm
      with:
        gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }}
        gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }}
        gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }}
    - name: 'Check basic results'
      env:
        rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }}
        rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }}
        expected_rpm_count: ${{ matrix.build.expected_rpm_count }}
      run: |
        # rpm_file_paths is a space-separated list of absolute paths
        [ -z "$rpm_file_paths" ] && { echo '::error ::$rpm_file_paths cannot be empty!'; exit 88; }
        files=(${rpm_file_paths})

        [ "${#files[@]}" -eq "$expected_rpm_count" ] || \
          { echo "::error ::Expected ${expected_rpm_count} RPM files, got ${#files[@]}"; exit 88; }
        echo "Found expected number of files ($expected_rpm_count)"

        if [ ! -f "$rpm_gpg_file" ]; then
          printf '::error ::No file found at $rpm_gpg_file (got "%s")!\n' "$rpm_gpg_file"
          exit 88
        fi
        echo "Found GPG public key file: $rpm_gpg_file"
```
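As an added example (not code from the action or the SIMP project), a stricter version of the "Check basic results" step above, written as a POSIX shell function: it repeats the count and existence checks, additionally confirms that every path really is an RPM package (lead magic `ED AB EE DB`) and that `rpm_gpg_file` is an ASCII-armored *public* key rather than leaked private key material, and offers an optional signature check via `rpmkeys`. The sample files, the `pupmod-simp-example` name and the `RPM-GPG-KEY-SIMP-Dev` file name are constructed placeholders.

```shell
#!/bin/sh
# check_build_outputs EXPECTED_COUNT RPM_FILE_PATHS RPM_GPG_FILE
# Returns 0 when the action outputs look sane, 1 (with a ::error annotation) otherwise.
check_build_outputs() {
  local expected_count="$1" rpm_file_paths="$2" rpm_gpg_file="$3" f magic
  [ -n "$rpm_file_paths" ] || { echo '::error ::rpm_file_paths cannot be empty'; return 1; }
  set -f; set -- $rpm_file_paths; set +f   # split the space-separated output, no globbing
  [ "$#" -eq "$expected_count" ] ||
    { echo "::error ::Expected $expected_count RPM files, got $#"; return 1; }
  for f in "$@"; do
    [ -f "$f" ] || { echo "::error ::Missing RPM file: $f"; return 1; }
    # every RPM package begins with the lead magic ED AB EE DB
    magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "edabeedb" ] || { echo "::error ::Not an RPM package: $f"; return 1; }
  done
  [ -f "$rpm_gpg_file" ] || { echo "::error ::No GPG key file at: $rpm_gpg_file"; return 1; }
  # rpm_gpg_file must be the armored PUBLIC key; private key material here would be a leak
  grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$rpm_gpg_file" ||
    { echo "::error ::$rpm_gpg_file is not an ASCII-armored public key"; return 1; }
  ! grep -q 'PRIVATE KEY BLOCK' "$rpm_gpg_file" ||
    { echo "::error ::$rpm_gpg_file contains private key material"; return 1; }
  return 0
}

# Optionally verify each RPM's signature against rpm_gpg_file using a throwaway rpm database
# (assumes rpmkeys is installed on the runner; not exercised by the constructed sample below).
verify_rpm_signatures() {
  local rpm_gpg_file="$1" db; shift
  db=$(mktemp -d)
  rpmkeys --dbpath "$db" --import "$rpm_gpg_file" || return 1
  rpmkeys --dbpath "$db" --checksig "$@"
}

# Constructed stand-ins for the action outputs (not real packages or keys) so the check runs offline.
make_sample_outputs() {
  local dir; dir=$(mktemp -d)
  printf '\355\253\356\333%s' 'constructed-padding' > "$dir/pupmod-simp-example-1.0.0-0.el8.noarch.rpm"
  printf '\355\253\356\333%s' 'constructed-padding' > "$dir/pupmod-simp-example-1.0.0-0.el8.src.rpm"
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' '(constructed placeholder)' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$dir/RPM-GPG-KEY-SIMP-Dev"
  echo "$dir"
}
```

In a workflow, call `check_build_outputs "$expected_rpm_count" "$rpm_file_paths" "$rpm_gpg_file" || exit 88` from the `run:` step with the same `env:` mapping as above.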

## Reference

### Action Inputs

| Input | Required | Description |
|-------|----------|-------------|
| `gpg_signing_key` | Yes | ASCII-armored content of the GPG signing key's secret/private key |
| `gpg_signing_key_id` | Yes | GPG signing key's GPG ID (name) |
| `gpg_signing_key_passphrase` | Yes | Passphrase to use the GPG signing key |
| `path_to_build` | No | Path to directory to build<br>Default: `${{ github.workspace }}` |
| `simp_builder_docker_image` | No | SIMP build container image to stage build. So far, the action has only been tested with (and probably only works with) the EL8 build image<br>Default: `docker.io/simpproject/simp_build_centos8:latest` |
| `simp_core_ref_for_building_rpms` | No | A ref (usually tagged release) in simp-core that is stable enough to build RPMs<br>Default: `6.5.0-1` |
| `verbose` | No | If "yes", enables verbose logging while building the RPM<br>Default: `yes` |

### Action Outputs

| Output | Description |
|--------|-------------|
| `rpm_file_paths` | Local absolute paths to new RPM(s) |
| `rpm_gpg_file` | Local absolute path to public GPG signing key |
| `rpm_dist_dir` | Local absolute path to RPM `dist/` dir |

### :warning: Security implications :warning:

To sign RPMs, the action requires the **secret (aka private) key** of your GPG
signing key **_and_ the passphrase** to decrypt and use it. This inherently
poses [security risks][protecting your private key] that you should be aware of
and understand.

The action does what it can to prevent exposure of the private signing key and
its passphrase:

* secrets are piped directly into the GPG keyring in the container
* raw secrets never touch the filesystem on the runner or build container
* the secrets are handled as environment variables in a way that should not
  expose them to the action logs.

However, make sure to:

* protect your GPG signing key and passphrase as [encrypted GitHub secrets],
and only provide them directly to the action's inputs.
* use a GPG signing key that you are comfortable storing and using within
GitHub's infrastructure.

## Contributing

This is an open source project open to anyone. This project welcomes
contributions and suggestions!

## Feedback & Questions

If you discover an issue, please report it on our Jira at
https://simp-project.atlassian.net/

## License

Apache 2.0. See [LICENSE](https://github.com/simp/github-action-build-and-sign-pkg-single-rpm/blob/main/LICENSE) for more information.

[GitHub action]: https://github.com/features/actions
[protecting your private key]: https://www.gnupg.org/gph/en/manual.html#AEN513
[encrypted GitHub secrets]: https://docs.github.com/en/actions/reference/encrypted-secrets