.goreleaser.yml: add binary-only releases and ed25519 signatures
This lays the groundwork for future secure self-updates.
The corresponding public key is in selfupdate/ed25519.pem.
Co-Authored-By: sketch <hello@sketch.dev>
Change-ID: s5b7440b1a9e2c5e3k
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index d511538..d35e58f 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -30,6 +30,21 @@
go-version-file: "${{ inputs.working-directory || '.'}}/go.mod"
cache: true
+ - name: Install selfupdatectl
+ run: go install github.com/fynelabs/selfupdate/cmd/selfupdatectl@v0.2.1
+
+ - name: Extract Ed25519 signing key
+ env:
+ SELFUPDATE_SIGNING_KEY_B64: ${{ secrets.SELFUPDATE_ED25519_PRIVATE_KEY }}
+ run: |
+ # when https://github.com/fynelabs/selfupdate/issues/39 is fixed, we can stop writing to disk
+ set -euo pipefail
+ [[ -z "${SELFUPDATE_SIGNING_KEY_B64:-}" ]] && { echo >&2 "Signing key secret missing"; exit 1; }
+ selfupdate_keyfile=$(mktemp "$RUNNER_TEMP/ed25519.XXXXXX")
+ chmod 600 "$selfupdate_keyfile"
+ echo "$SELFUPDATE_SIGNING_KEY_B64" | base64 -d > "$selfupdate_keyfile"
+ echo "SELFUPDATE_PRIVKEY_PATH=$selfupdate_keyfile" >>"$GITHUB_ENV"
+
- name: Check for changes since last tag
id: check_changes
run: |
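Review bot: SELFUPDATE_PRIVKEY_PATH is appended to $GITHUB_ENV only after the `base64 -d` redirect on the preceding line has succeeded, so if the decode fails (pipefail aborts the step) a partially written key file is left in $RUNNER_TEMP that the later "Clean up signing key" step, which keys on that variable, will never see. Exporting the path as soon as the file exists closes that gap: move `echo "SELFUPDATE_PRIVKEY_PATH=$selfupdate_keyfile" >>"$GITHUB_ENV"` to directly after the chmod line, ahead of the decode. This only matters on self-hosted or reused runners, since hosted runners are discarded after the job, but the always() cleanup is there precisely for that case. The `chmod 600` is redundant with mktemp's default mode but harmless; the enclosing `steps:` list begins outside the hunk.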
@@ -100,3 +115,10 @@
});
env:
TAG: ${{ steps.check_changes.outputs.tag }}
+
+ - name: Clean up signing key
+ if: always()
+ run: |
+ if [[ -n "${SELFUPDATE_PRIVKEY_PATH:-}" && -f "$SELFUPDATE_PRIVKEY_PATH" ]]; then
+ shred -u "$SELFUPDATE_PRIVKEY_PATH"
+ fi
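Review bot: `shred -u` is a best-effort measure that can also break the job on some runners: GNU shred's own documentation notes that overwriting is not reliable on journaling or copy-on-write filesystems, and a macOS runner lacks `shred` unless GNU coreutils has been installed, so with `if: always()` this step would fail with command-not-found there (the runner OS is not visible in this hunk, so treat this as a caveat rather than a confirmed failure). A guarded fallback keeps the file removal while avoiding the hard failure: `if command -v shred >/dev/null 2>&1; then shred -u "$SELFUPDATE_PRIVKEY_PATH"; else rm -f "$SELFUPDATE_PRIVKEY_PATH"; fi`. A one-line comment above the step, `# best-effort: hosted runners are ephemeral, shred is defence in depth for reused runners`, would record why the step exists and what it does not guarantee. The step before this one (`});` / `env:` / `TAG:`) starts outside the hunk.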