CI/tags: always use .release-signers from HEAD

philpennock · philpennock · commit 92b70d5e4e18 · 2025-02-21T17:45:51.000-05:00
diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml
@@ -39,7 +39,16 @@ jobs:
         name: Import keys
         shell: bash
         run: |2
-          for ghUser in $GitHubSigningUsers; do
+          allowed_signers_file=.release-signers
+          declare -a GitHubSigningUsers=()
+          while read -r line; do
+            case "${line:-#}" in
+              \#*) ;;
+              *) GitHubSigningUsers+=("$line") ;;
+            esac
+          done <<< "$(git cat-file -p "origin/HEAD:$allowed_signers_file")"
+          typeset -p GitHubSigningUsers
+          for ghUser in "${GitHubSigningUsers[@]}"; do
             echo "::debug::importing from GitHub any OpenPGP keys for user ${ghUser@Q}"
             curl -fSsL "https://github.com/$ghUser.gpg" | gpg --import || true
           done
diff --git a/.release-signers b/.release-signers
@@ -0,0 +1,2 @@
+# These are the GitHub users who can sign a release tag
+philpennock

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# These are the GitHub users who can sign a release tag`
	`2`	`+philpennock`