Update release workflows to use the new GPG private key (1.3.x branch) (#3400)

pingtimeout · MonkeyCanCode · web-flow · commit c940ded0f6be · 2026-01-09T15:02:49.000+01:00
* Update release workflows to use the new GPG private key * Fix helm unittest for GH action (#3279) --------- Co-authored-by: Yong Zheng <yongzheng0809@gmail.com>
diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
@@ -76,7 +76,8 @@ jobs:
 
       - name: Run Helm unit tests
         run: |
-          helm plugin install https://github.com/helm-unittest/helm-unittest.git || true
+          # Pin version to 1.0.2 due to https://github.com/helm-unittest/helm-unittest/issues/790
+          helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 1.0.2 || true
           helm unittest helm/polaris
 
       - name: Run chart-testing (lint)
diff --git a/.github/workflows/release-3-build-and-publish-artifacts.yml b/.github/workflows/release-3-build-and-publish-artifacts.yml
@@ -141,8 +141,7 @@ jobs:
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
         with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          gpg_private_key: ${{ secrets.POLARIS_GPG_PRIVATE_KEY }}
           git_user_signingkey: true
           git_commit_gpgsign: true
 
@@ -336,28 +335,22 @@ jobs:
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
         with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          gpg_private_key: ${{ secrets.POLARIS_GPG_PRIVATE_KEY }}
           git_user_signingkey: true
           git_commit_gpgsign: true
 
       - name: Create Helm package
-        env:
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
-          echo "::add-mask::$GPG_PASSPHRASE"
-
           source "${LIBS_DIR}/_exec.sh"
 
           # Make sure these files are always deleted
-          trap "rm -f /tmp/secring.gpg /tmp/pubring.gpg /tmp/passphrase" EXIT
+          trap "rm -f /tmp/secring.gpg /tmp/pubring.gpg" EXIT
 
-          echo "$GPG_PASSPHRASE" > /tmp/passphrase
-          gpg --batch --pinentry-mode loopback --passphrase-file /tmp/passphrase --export-secret-keys > /tmp/secring.gpg
+          gpg --batch --pinentry-mode loopback --export-secret-keys > /tmp/secring.gpg
           gpg --batch --pinentry-mode loopback --export > /tmp/pubring.gpg
 
           exec_process cd helm
-          exec_process helm package polaris --sign --key "." --keyring /tmp/secring.gpg --passphrase-file /tmp/passphrase
+          exec_process helm package polaris --sign --key "." --keyring /tmp/secring.gpg
           exec_process helm verify polaris-${version_without_rc}.tgz --keyring /tmp/pubring.gpg
 
           calculate_sha512 polaris-${version_without_rc}.tgz
