From 5daed056a362f001d89d82935b2b16eee757c744 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bla=C5=BE=20Hrastnik?=
Date: Fri, 10 Jan 2020 10:25:28 +0900
Subject: [PATCH] Update the workflow, split into multiple steps.
---
.github/workflows/release.yml | 29 +++++++++++++++++++++--------
pkg/arch/build.sh | 10 +---------
2 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6cc7c19db..6021244c4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,25 +17,38 @@ jobs: uses: actions/checkout@v2 - name: Build - env: - GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }} - GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }} run: | - pushd pkg/arch - # Create user + cd pkg/arch + + # Create build user (can't makepkg as root) useradd -m -g wheel -s /bin/bash build echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers chown -R build:wheel . - chown -R build:wheel $HOME # Install makepkg deps pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm # Build su build --pty -s /bin/bash -c './build.sh' - popd + + - name: Prepare Release + run: | mkdir release - mv pkg/arch/**/*.pkg.tar.zst* release + mv pkg/arch/**/*.pkg.tar.zst release + + - name: Sign Packages + env: + GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }} + GPG_PASSPHRASE: ${{ secrets.GITHUB_GPG_PASSPHRASE }} + run: | + cd release + + # import GPG key + echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes + export GPG_TTY=$(tty) + + # sign packages + ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05 - name: Upload artifacts uses: actions/upload-artifact@v1
diff --git a/pkg/arch/build.sh b/pkg/arch/build.sh
index b607971d6..55ce9c974 100755
--- a/pkg/arch/build.sh
+++ b/pkg/arch/build.sh
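Review bot: The new `Sign Packages` step in .github/workflows/release.yml hands the key passphrase to gpg as a command-line argument (`--passphrase $GPG_PASSPHRASE`), so it appears in the argv of every gpg process the step spawns and can be read from the process list inside the job container; the expansion is also unquoted, so a passphrase containing whitespace or glob characters would be split. Assuming the step runs under bash, gpg can read the passphrase from a file descriptor instead: `for f in *.pkg.tar.zst; do gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase-fd 3 -u 5B574D1B513F9A05 "$f" 3<<<"$GPG_PASSPHRASE"; done`, which also removes the `ls | xargs` filename parsing. The imported secret key is left in the default keyring for the steps that follow; setting `GNUPGHOME` to a `mktemp -d` directory for this step and deleting it after signing would keep the key material confined to the signing step.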
@@ -5,19 +5,11 @@ set -euxo pipefail export PKGEXT='.pkg.tar.zst' export COMPRESSZST=(zstd -c -T0 --ultra -20 -) -# Import GPG key -echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes -export GPG_TTY=$(tty) - -# Build the packages as `build' user +# Build the packages pushd surface-ipts-firmware makepkg -f --syncdeps --skippgpcheck --noconfirm -# Sign as a separate step (makepkg -s needs pinentry) -makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05 popd pushd kernel makepkg -f --syncdeps --skippgpcheck --noconfirm -# Sign as a separate step (makepkg -s needs pinentry) -makepkg --packagelist | xargs -L1 gpg --detach-sign --batch --no-tty --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -u 5B574D1B513F9A05 popd