
Commit 0b6fb84

ldenningtondscho
authored andcommitted
build-git-installers: publish gpg public key
Update build-git-installers workflow to publish `microsoft/git`'s GPG public key as part of each release. Add explanation for how to use this key to verify the Debian package's signature to the README.
1 parent 1366e18 commit 0b6fb84


1 file changed

+21
-0
lines changed

1 file changed

+21
-0
lines changed

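--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -734,11 +734,13 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: write
+id-token: write # required for Azure login via OIDC
 needs:
 - create-linux-artifacts
 - create-macos-artifacts
 - windows_artifacts
 - prereqs
+environment: release
 if: |
 success() ||
 (needs.create-linux-artifacts.result == 'skipped' &&
@@ -787,6 +789,25 @@ jobs:
 name: linux-arm64
 path: deb-package
 
+- name: Log into Azure
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+- name: Check out repository (for akv-secret Action)
+uses: actions/checkout@v4
+with:
+path: git
+
+- name: Download Linux GPG public key signature file
+uses: ./git/.github/actions/akv-secret
+with:
+vault: ${{ secrets.AZURE_VAULT }}
+secrets: |
+${{ secrets.LINUX_GPG_PUBLIC_SECRET_NAME }} base64> deb-package/msft-git-public.asc
+
 - uses: actions/github-script@v6
 with:
 script: |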
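Review bot: Nothing checks the content of `deb-package/msft-git-public.asc` before it is placed next to the release artifacts, so the only thing keeping private key material out of a public release is that `LINUX_GPG_PUBLIC_SECRET_NAME` points at the right vault entry; a step after the download that fails when the file contains `PRIVATE KEY` and that parses it with `gpg --show-keys` would make this fail closed. How the file is uploaded is in the `actions/github-script` step, whose body continues outside the hunk, so the publishing path is inferred from the commit description. Separately, the checkout exists only to load the local `akv-secret` action, and in a job with `contents: write` it is worth adding `persist-credentials: false` under its `with:` so the token is not left in `git/.git/config` for the later steps. `azure/login@v2` and `actions/checkout@v4` are referenced by mutable tags in a job that can request OIDC tokens for the `release` environment; pinning them to full commit SHAs would narrow that.

```yaml
# … unchanged: "Download Linux GPG public key signature file" step …

- name: Verify the downloaded file holds only a public key
  run: |
    if grep -q 'PRIVATE KEY' deb-package/msft-git-public.asc; then
      echo '::error::msft-git-public.asc contains private key material'
      exit 1
    fi
    gpg --show-keys deb-package/msft-git-public.asc
```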
