ci(gh-actions/update-flake-lock): Enable GPG commit signing

Author: PetarKirov

.github/workflows/reusable-update-flake-lock.yml

@@ -14,6 +14,11 @@ on:
         default: ''
         required: false
         type: string
+      sign-commits:
+        description: 'Enable GPG commit signing'
+        default: false
+        required: false
+        type: boolean
 
     secrets:
       NIX_GITHUB_TOKEN:
@@ -31,6 +36,12 @@ on:
       CREATE_PR_APP_PRIVATE_KEY:
         description: Private key of the GitHub App used for opening pull requests.
         required: true
+      GIT_GPG_SIGNING_SECRET_KEY:
+        description: GPG secret key used to sign commits
+        required: false
+      GIT_GPG_SIGNING_PASSPHRASE:
+        description: GPG passphrase for secret key
+        required: false
 
     outputs:
       pr-url:
@@ -61,13 +72,30 @@ jobs:
           trusted-public-keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
           substituters: ${{ vars.SUBSTITUTERS }}
 
+      - name: Configure Git credentials
+        run: |
+          git config --local user.name "${{ vars.GIT_USER_NAME }}"
+          git config --local user.email "${{ vars.GIT_USER_EMAIL }}"
+          git config --local commit.gpgsign ${{ inputs.sign-commits }}
+
+      - name: Import GPG key with passphrase
+        if: ${{ inputs.sign-commits }}
+        env:
+          GIT_GPG_SIGNING_SECRET_KEY: ${{ secrets.GIT_GPG_SIGNING_SECRET_KEY }}
+          GIT_GPG_SIGNING_PASSPHRASE: ${{ secrets.GIT_GPG_SIGNING_PASSPHRASE }}
+        run: |
+          echo "$GIT_GPG_SIGNING_SECRET_KEY" \
+            | gpg --batch --yes \
+                --pinentry-mode loopback \
+                --passphrase "$GIT_GPG_SIGNING_PASSPHRASE" \
+                --import
+          git config --local user.signingkey "${{ vars.GIT_GPG_SIGNING_KEY_ID }}"
+
       - name: Run `nix flake update`
         id: update-lockfile
-        run: |
-          curl -fsSL --proto '=https' --tlsv1.2 \
-            https://raw.githubusercontent.com/metacraft-labs/nixos-modules/main/scripts/commit_flake_update.bash \
-            -o commit_flake_update.bash
-          FLAKE_INPUT=${{ inputs.flake-input }} bash commit_flake_update.bash
+        run: ${GITHUB_ACTION_PATH}/scripts/commit_flake_update.bash
+        env:
+          FLAKE_INPUT: ${{ inputs.flake-input }}
 
       - uses: tibdex/[email protected]
         id: generate-token

.github/workflows/update-flake-lock.yml

@@ -14,3 +14,4 @@ jobs:
     secrets: inherit
     with:
       runner: '["self-hosted", "Linux", "x86-64-v2"]'
+      sign-commits: true

scripts/commit_flake_update.bash

@@ -4,21 +4,25 @@ set -euo pipefail
 
 FLAKE_INPUT=${FLAKE_INPUT:-""}
 
-if ! git config --get user.name >/dev/null 2>&1 || \
-  [ "$(git config --get user.name)" = "" ] ||
-  ! git config --get user.email >/dev/null 2>&1 || \
-  [ "$(git config --get user.email)" = "" ]; then
-  echo "git config user.{name,email} is not set - configuring"
-  set -x
-  git config --local user.email "[email protected]"
-  git config --local user.name "beep boop"
+running_in_github_actions() {
+  [ -n "$CI" ] && \
+  [ -n "$GITHUB_REPOSITORY" ] && \
+  [ -n "$GITHUB_RUN_ID" ] && \
+  [ -n "$GITHUB_TOKEN" ] && \
+  curl --silent --fail \
+    -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+    -H "Accept: application/vnd.github.v3+json" \
+    "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" > /dev/null 2>&1
+}
+
+if running_in_github_actions; then
+  echo "Running in GitHub Actions."
+  git config --list --show-origin
 fi
 
 current_commit="$(git rev-parse HEAD)"
 export PRE_COMMIT_ALLOW_NO_CONFIG=1
 
-git config --list --show-origin
-
 nix flake update $FLAKE_INPUT --accept-flake-config --commit-lock-file
 commit_after_update="$(git rev-parse HEAD)"