feat(debian): add sign job

endersonmaia · endersonmaia · commit 78deb7bd62e0 · 2026-04-17T09:03:15.000-03:00
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
@@ -105,6 +105,54 @@ jobs:
       - name: Test
         working-directory: debian
         run: |
-          ls -R ../cdn
           make test-packages TARGET_ARCH=amd64
-          make test-packages TARGET_ARCH-arm64
+          make test-packages TARGET_ARCH=arm64
+
+  debian-sign:
+    runs-on: ubuntu-24.04
+    name: Debian Signing
+    needs: [ debian-build, debian-test ]
+    steps:
+      - name: Checkout machine emulator source code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - name: Download apt artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: artifacts-apt-*
+          path: cdn/apt/
+          merge-multiple: true
+
+      - name: Download builder images
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          pattern: image-deb-builder-amd64
+          path: /tmp/images
+
+      - name: Import builder images
+        run: find /tmp/images -name '*.tar.gz' | xargs -I {} docker image load --input {}
+
+      - name: Import GPG signing key
+        working-directory: debian
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+        run: |
+          mkdir -p key
+          chmod 700 key
+          echo "$GPG_PRIVATE_KEY" | base64 -d | gpg --homedir "$(pwd)/key" --import
+
+      - name: Make index
+        working-directory: debian
+        run: make index
+
+      - name: Sign repository
+        working-directory: debian
+        run: make sign
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: signed-artifacts-apt
+          path: cdn/apt
