Build and sign an RPM from the current directory (using rake pkg:single)

• Description
  • Process
• Usage
• Reference
  • Action Inputs
  • Action Outputs
  • ⚠️ Security implications ⚠️
• Contributing
• Feedback & Questions
• License

A Github action to build and sign an RPM using pkg:single from simp-core

Note that this requires the secret (private) GPG signing key as input; understand the security implications of this before using the action.

1. Pulls down SIMP build container
2. Prepares build and signing environment
   1. Copies local build directory into build container
   2. Ensures simp-core is checked out to a specific ref for building
   3. Adds GPG signing key to build container (without touching any filesystems)
      • IMPORTANT: see SECURITY IMPLICATIONS
   4. Configured GPG signing key to sign non-interactively
3. Builds and signs RPM inside a SIMP build docker container
   1. Runs rake pkg:single to build the RPM
   2. Signs RPM with GPG signing key using rpmsign
4. Outputs RPM and cleans up
   1. Copies new RPM file back to local filesystem
   2. Ensures container is stopped and removed
   3. Returns information about new RPM file as output variables

To safely execute during a pull_request_target event, try something like the following (using a previous contributor-permissions job to determine if the Pull Request submitter is trusted):

  test_action:
    name: Test build & sign pupmod RPM
    runs-on: ubuntu-18.04
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
          clean: true
      - uses: simp/github-action-build-and-sign-pkg-single-rpm@v2
        name: 'Build & sign RPM(s)'
        id: build-and-sign-rpm
        with:
          gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }}
          gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }}
          gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }}
      - name: 'Check basic results'
        env:
          rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }}
          rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }}
          expected_rpm_count: ${{ matrix.build.expected_rpm_count }}
        run: |
          [ -z "$rpm_file_paths" ] && { echo '::error ::$rpm_file_paths cannot be empty!'; exit 88; }
          files=(${rpm_file_paths})

          [ "${#files[@]}" -eq "$expected_rpm_count" ]  || \
            { echo "::error ::Expected ${expected_rpm_count} RPM files, got ${#files[@]}"; exit 88; }
          echo "Found expected number of files ($expected_rpm_count)"

          if [ ! -f "$rpm_gpg_file" ]; then
            printf '::error ::No file found at $rpm_gpg_file (got "%s")!\n' "$rpm_gpg_file"
            exit 88
          fi
          echo "Found GPG public key file: $rpm_gpg_file"

To sign RPMs, the action requires the secret (aka private) key of your GPG signing key and the passphrase to decrypt and use it. This inherently poses security risks that you should be aware of and understand.

The action does what it can to prevent exposure of the private signing key and its passphrase:

• secrets are piped directly into the GPG keyring in the container
• raw secrets never touch the filesystem on the runner or build container
• the secrets are handled as environment variables in a way that should not expose them to the action logs.

However, make sure to:

• protect your GPG signing key and passphrase as encrypted GitHub secrets, and only provide them directly to the action's inputs.
• use a GPG signing key that you are comfortable storing and using within GitHub's infrastructure.

This is an open source project open to anyone. This project welcomes contributions and suggestions!

If you discover an issue, please report it on our Jira at https://simp-project.atlassian.net/

Apache 2.0, See LICENSE for more information.