Update the workflow, split into multiple steps.

2020-01-10 10:25:28 +09:00 · 2020-01-10 10:25:28 +09:00 · 5daed056a3
parent 4c2c5bf397
commit 5daed056a3
2 changed files with 22 additions and 17 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -17,25 +17,38 @@ jobs:
        uses: actions/checkout@v2

      - name: Build
-        env:
-          GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }}
        run: |
-          pushd pkg/arch
-          # Create user
+          cd pkg/arch
+
+          # Create build user (can't makepkg as root)
          useradd -m -g wheel -s /bin/bash build
          echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
          chown -R build:wheel .
-          chown -R build:wheel $HOME

          # Install makepkg deps
          pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm

          # Build
          su build --pty -s /bin/bash -c './build.sh'
-          popd
+
+      - name: Prepare Release
+        run: |
          mkdir release
-          mv pkg/arch/**/*.pkg.tar.zst* release
+          mv pkg/arch/**/*.pkg.tar.zst release
+
+      - name: Sign Packages
+        env:
+          GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }}
+        run: |
+          cd release
+
+          # import GPG key
+          echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
+          export GPG_TTY=$(tty)
+
+          # sign packages
+          ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05

      - name: Upload artifacts
        uses: actions/upload-artifact@v1
--- a/pkg/arch/build.sh
+++ b/pkg/arch/build.sh
@ -5,19 +5,11 @@ set -euxo pipefail
 export PKGEXT='.pkg.tar.zst'
 export COMPRESSZST=(zstd -c -T0 --ultra -20 -)

-# Import GPG key
-echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
-export GPG_TTY=$(tty)
-
-# Build the packages as `build' user
+# Build the packages
 pushd surface-ipts-firmware
 makepkg -f --syncdeps --skippgpcheck --noconfirm
-# Sign as a separate step (makepkg -s needs pinentry)
-makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
 popd

 pushd kernel
 makepkg -f --syncdeps --skippgpcheck --noconfirm
-# Sign as a separate step (makepkg -s needs pinentry)
-makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05
 popd