From f3c3945401b6c17f1242764cb76a1bce3a99cef5 Mon Sep 17 00:00:00 2001 From: CrazyMax Date: Sun, 10 May 2020 16:02:05 +0200 Subject: [PATCH] Remove key input and use Import GPG GitHub Action instead --- .github/workflows/ci.yaml | 41 +++++++++++++++++++++++++ .goreleaser-signing.yml | 40 ++++++++++++++++++++++++ .goreleaser.yml | 35 +++++++++++++++++++++ README.md | 64 ++++++++++++++++++++++++++++----------- action.yml | 2 -- dist/index.js | 8 ----- src/main.ts | 9 ------ 7 files changed, 162 insertions(+), 37 deletions(-) create mode 100644 .goreleaser-signing.yml create mode 100644 .goreleaser.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 739afc0..d5b55a9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -49,3 +49,44 @@ jobs: with: version: ${{ matrix.version }} args: release --skip-publish --rm-dist + + signing: + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + - macOS-latest + - windows-latest + steps: + - + name: Checkout + uses: actions/checkout@v2 + - + name: Unshallow + run: git fetch --prune --unshallow + - + name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.13 + - + name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v1 + env: + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_TEST }} + PASSPHRASE: ${{ secrets.PASSPHRASE_TEST }} + - + name: Check + uses: ./ + with: + version: latest + args: -f .goreleaser-signing.yml check --debug + - + name: GoReleaser + uses: ./ + with: + version: latest + args: -f .goreleaser-signing.yml release --skip-publish --rm-dist diff --git a/.goreleaser-signing.yml b/.goreleaser-signing.yml new file mode 100644 index 0000000..91995cf --- /dev/null +++ b/.goreleaser-signing.yml 
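Review bot: In the new `signing` job of `.github/workflows/ci.yaml`, the `GoReleaser` step runs with `-f .goreleaser-signing.yml`, whose `signs` args read `{{ .Env.GPG_FINGERPRINT }}`, but no step in the job sets that variable, so the `import_gpg` output is never used. Unless the import action exports the variable itself, the signing template presumably fails or receives an empty key id. Add `env:` with `GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}` to that step (and to `Check`, if it renders templates), as the README example in this commit does. Separately, `crazy-max/ghaction-import-gpg@v1` receives the private key and passphrase through a mutable tag. Pinning it to a full commit SHA (`uses: crazy-max/ghaction-import-gpg@<commit-sha>`) keeps a retagged release from reaching those secrets.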
@@ -0,0 +1,40 @@
+env:
+ - GO111MODULE=on
+ - GOPROXY=https://goproxy.io
+
+before:
+ hooks:
+ - go mod download
+
+builds:
+ -
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - darwin
+ - linux
+ - windows
+ goarch:
+ - 386
+ - amd64
+
+archives:
+ -
+ replacements:
+ 386: i386
+ amd64: x86_64
+ format_overrides:
+ - goos: windows
+ format: zip
+ files:
+ - LICENSE
+ - README.md
+ - CHANGELOG.md
+
+checksum:
+ name_template: 'checksums.txt'
+
+signs:
+ -
+ artifacts: checksum
+ args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
diff --git a/.goreleaser.yml b/.goreleaser.yml
new file mode 100644
index 0000000..23d88a8
--- /dev/null
+++ b/.goreleaser.yml
@@ -0,0 +1,35 @@
+env:
+ - GO111MODULE=on
+ - GOPROXY=https://goproxy.io
+
+before:
+ hooks:
+ - go mod download
+
+builds:
+ -
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - darwin
+ - linux
+ - windows
+ goarch:
+ - 386
+ - amd64
+
+archives:
+ -
+ replacements:
+ 386: i386
+ amd64: x86_64
+ format_overrides:
+ - goos: windows
+ format: zip
+ files:
+ - LICENSE
+ - README.md
+ - CHANGELOG.md
+
+checksum:
+ name_template: 'checksums.txt'
diff --git a/README.md b/README.md
index f9ea1ed..e7af6be 100644
--- a/README.md
+++ b/README.md
@@ -11,12 +11,24 @@
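Review bot: Both new configs (`.goreleaser-signing.yml` and `.goreleaser.yml`) set `GOPROXY=https://goproxy.io`, which sends every module download for the build through a single third-party proxy with no fallback. Module content is still checked against `go.sum` and the checksum database as long as those are not disabled, so the exposure is mainly availability and one more party on the release build path, but the reason for the override is not stated. Either drop the line to keep the toolchain default, use `- GOPROXY=https://proxy.golang.org,direct`, or add a comment saying why this proxy is needed. In `.goreleaser-signing.yml`, a comment above `signs:` such as `# GPG_FINGERPRINT must be set by the workflow from the Import GPG step output` would also document the dependency on the environment.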

---- +___ ![GoRelease Action](.github/goreleaser-action.png) +* [Usage](#usage) + * [Workflow](#workflow) + * [Run on new tag](#run-on-new-tag) + * [Signing](#signing) +* [Customizing](#customizing) + * [inputs](#inputs) + * [environment variables](#environment-variables) +* [Limitation](#limitation) +* [License](#license) + ## Usage +### Workflow + ```yaml name: goreleaser @@ -45,13 +57,14 @@ jobs: with: version: latest args: release --rm-dist - key: ${{ secrets.YOUR_PRIVATE_KEY }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` > **IMPORTANT**: note the `Unshallow` step. It is required for the changelog to work correctly. +### Run on new tag + If you want to run GoReleaser only on new tag, you can use this event: ```yaml 
@@ -71,13 +84,43 @@ Or with a condition on GoReleaser step: with: version: latest args: release --rm-dist - key: ${{ secrets.YOUR_PRIVATE_KEY }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} ``` > For detailed instructions please follow GitHub Actions [workflow syntax](https://help.github.com/en/articles/workflow-syntax-for-github-actions#About-yaml-syntax-for-workflows). +### Signing + +If [signing is enabled](https://goreleaser.com/customization/#Signing) in your GoReleaser configuration, you can use the [Import GPG](https://github.com/crazy-max/ghaction-import-gpg) GitHub Action along with this one: + +```yaml + - + name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v1 + env: + GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + PASSPHRASE: ${{ secrets.PASSPHRASE }} + - + name: Run GoReleaser + uses: goreleaser/goreleaser-action@v1 + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} +``` + +Reference the fingerprint in your signing configuration using the `GPG_FINGERPRINT` envrionment variable: + +```yaml +signs: + - artifacts: checksum + args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"] +``` + ## Customizing ### inputs @@ -88,7 +131,6 @@ Following inputs can be used as `step.with` keys |---------------|---------|-----------|-------------------------------------------| | `version` | String | `latest` | GoReleaser version. Example: `v0.117.0` | | `args` | String | | Arguments to pass to GoReleaser | -| `key` | String | | Private key to import | | `workdir` | String | `.` | Working directory (below repository root) | ### environment variables 
@@ -115,24 +157,10 @@ secret named `GH_PAT`, the step will look like this: with: version: latest args: release --rm-dist - key: ${{ secrets.YOUR_PRIVATE_KEY }} env: GITHUB_TOKEN: ${{ secrets.GH_PAT }} ``` -## Signing - -If signing is enabled in your GoReleaser configuration, populate the `key` input with your private key -and reference the key in your signing configuration, e.g. - -```yaml -signs: - - artifacts: checksum - args: ["--batch", "-u", "", "--output", "${signature}", "--detach-sign", "${artifact}"] -``` - -This feature is currently only compatible when using the default `gpg` command and a private key without a passphrase. - ## License MIT. See `LICENSE` for more details. diff --git a/action.yml b/action.yml index e27e7f7..acb2397 100644 --- a/action.yml +++ b/action.yml @@ -12,8 +12,6 @@ inputs: default: 'latest' args: description: 'Arguments to pass to GoReleaser' - key: - description: 'Private key to import' workdir: description: 'Working directory (below repository root)' default: '.' diff --git a/dist/index.js b/dist/index.js index 3071837..ac9f76c 100644 --- a/dist/index.js +++ b/dist/index.js @@ -1281,13 +1281,11 @@ const git = __importStar(__webpack_require__(453)); const installer = __importStar(__webpack_require__(749)); const core = __importStar(__webpack_require__(470)); const exec = __importStar(__webpack_require__(986)); -const fs = __importStar(__webpack_require__(747)); function run() { return __awaiter(this, void 0, void 0, function* () { try { const version = core.getInput('version') || 'latest'; const args = core.getInput('args'); - const key = core.getInput('key'); const workdir = core.getInput('workdir') || '.'; const goreleaser = yield installer.getGoReleaser(version); const commit = yield git.getShortCommit(); 
@@ -1309,12 +1307,6 @@ function run() { core.info(`✅ ${tag} tag found for commit ${commit}`); } } - if (key) { - core.info('🔑 Importing signing key...'); - let path = `${process.env.HOME}/key.asc`; - fs.writeFileSync(path, key, { mode: 0o600 }); - yield exec.exec('gpg', ['--import', path]); - } core.info('🏃 Running GoReleaser...'); yield exec.exec(`${goreleaser} ${args}${snapshot}`); } diff --git a/src/main.ts b/src/main.ts index 29bce57..fb86d15 100644 --- a/src/main.ts +++ b/src/main.ts @@ -2,13 +2,11 @@ import * as git from './git'; import * as installer from './installer'; import * as core from '@actions/core'; import * as exec from '@actions/exec'; -import * as fs from 'fs'; async function run(): Promise { try { const version = core.getInput('version') || 'latest'; const args = core.getInput('args'); - const key = core.getInput('key'); const workdir = core.getInput('workdir') || '.'; const goreleaser = await installer.getGoReleaser(version); @@ -33,13 +31,6 @@ async function run(): Promise { } } - if (key) { - core.info('🔑 Importing signing key...'); - let path = `${process.env.HOME}/key.asc`; - fs.writeFileSync(path, key, {mode: 0o600}); - await exec.exec('gpg', ['--import', path]); - } - core.info('🏃 Running GoReleaser...'); await exec.exec(`${goreleaser} ${args}${snapshot}`); } catch (error) {