ci: setup GPG signing

Author: damienbutt

.github/workflows/ci.yml

@@ -163,51 +163,51 @@ jobs:
           retention-days: 30
 
   # Docker build and push
-  docker:
-    name: Build Docker Images
-    runs-on: ubuntu-latest
-    needs: [test, lint]
-    if: github.event_name == 'push'
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v5
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+  # docker:
+  #   name: Build Docker Images
+  #   runs-on: ubuntu-latest
+  #   needs: [test, lint]
+  #   if: github.event_name == 'push'
+  #   permissions:
+  #     contents: read
+  #     packages: write
+  #     id-token: write
+  #   steps:
+  #     - name: Checkout code
+  #       uses: actions/checkout@v5
+
+  #     - name: Set up Docker Buildx
+  #       uses: docker/setup-buildx-action@v3
+
+  #     - name: Log in to GitHub Container Registry
+  #       uses: docker/login-action@v3
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
+
+  #     - name: Extract metadata
+  #       id: meta
+  #       uses: docker/metadata-action@v5
+  #       with:
+  #         images: ghcr.io/${{ github.repository }}
+  #         tags: |
+  #           type=ref,event=branch
+  #           type=ref,event=pr
+  #           type=semver,pattern={{version}}
+  #           type=semver,pattern={{major}}.{{minor}}
+  #           type=raw,value=latest,enable={{is_default_branch}}
+
+  #     - name: Build and push Docker image
+  #       uses: docker/build-push-action@v6
+  #       with:
+  #         context: .
+  #         platforms: linux/amd64,linux/arm64
+  #         push: true
+  #         tags: ${{ steps.meta.outputs.tags }}
+  #         labels: ${{ steps.meta.outputs.labels }}
+  #         cache-from: type=gha
+  #         cache-to: type=gha,mode=max
 
   # Validate release prerequisites
   validate-release:
@@ -225,17 +225,11 @@ jobs:
 
       - name: Validate prerequisites
         env:
-          # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
-          SCOOP_BUCKET_GITHUB_TOKEN: ${{ secrets.SCOOP_BUCKET_GITHUB_TOKEN }}
-          WINGET_GITHUB_TOKEN: ${{ secrets.WINGET_GITHUB_TOKEN }}
-          CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
           GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          GPG_KEY_FILE: ${{ secrets.GPG_KEY_FILE }}
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }}
+          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
         run: ./scripts/validate-release-prerequisites.sh
 
   # GoReleaser configuration and build test
@@ -360,17 +354,10 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # - name: Log in to Docker Hub
-      #   uses: docker/login-action@v3
-      #   with:
-      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
-      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
-
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@v6
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
@@ -380,51 +367,6 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
-          SCOOP_BUCKET_GITHUB_TOKEN: ${{ secrets.SCOOP_BUCKET_GITHUB_TOKEN }}
-          WINGET_GITHUB_TOKEN: ${{ secrets.WINGET_GITHUB_TOKEN }}
-          CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-          GPG_KEY_FILE: ${{ secrets.GPG_KEY_FILE }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-
-  # Update package repositories
-  update-packages:
-    name: Update Package Repositories
-    runs-on: ubuntu-latest
-    needs: [release]
-    if: startsWith(github.ref, 'refs/tags/v')
-    steps:
-      - name: Update Homebrew Formula
-        run: |
-          echo "Homebrew formula will be updated automatically by GoReleaser"
-
-      - name: Trigger AUR Package Update
-        run: |
-          echo "AUR package will be updated automatically by GoReleaser"
-
-      - name: Update Winget Manifest
-        run: |
-          echo "Winget manifest will be updated automatically by GoReleaser"
-
-  # Notify on successful release
-  notify:
-    name: Notify Release
-    runs-on: ubuntu-latest
-    needs: [release, update-packages]
-    if: startsWith(github.ref, 'refs/tags/v')
-    steps:
-      - name: Get version
-        id: version
-        run: echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
-
-      - name: Create release announcement
-        run: |
-          echo "🚀 Emojify ${{ steps.version.outputs.version }} has been released!"
-          echo "📦 Available on multiple package managers"
-          echo "🍺 Homebrew: brew install damienbutt/tap/emojify"
-          echo "🪟 Scoop: scoop install emojify"
-          echo "🍫 Chocolatey: choco install emojify"
-          echo "📦 WinGet: winget install damienbutt.emojify"
-          echo "🐧 AUR: paru -S emojify-bin"
-          echo "📸 Snap: sudo snap install emojify"
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
+          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}

.goreleaser.yml

@@ -32,6 +32,21 @@ archives:
       - goos: windows
         formats: [zip]
 
+signs:
+  - artifacts: checksum
+    args:
+      [
+        "--pinentry-mode",
+        "loopback",
+        "--batch",
+        "-u",
+        "{{ .Env.GPG_FINGERPRINT }}",
+        "--output",
+        "${signature}",
+        "--detach-sign",
+        "${artifact}",
+      ]
+
 source:
   enabled: true
 
@@ -56,6 +71,12 @@ nfpms:
         dst: /usr/share/doc/emojify/LICENSE
       - src: ./README.md
         dst: /usr/share/doc/emojify/README.md
+    rpm:
+      signature:
+    deb:
+      signature:
+    apk:
+      signature:
 
 release:
   github:

scripts/validate-release-prerequisites.sh

@@ -58,19 +58,14 @@ echo "----------------------------------"
 
 # GitHub tokens
 check_secret "GITHUB_TOKEN" "true" "GitHub Actions token (auto-provided)"
-check_secret "HOMEBREW_TAP_GITHUB_TOKEN" "true" "Token for Homebrew tap repository"
-# NOTE: SCOOP_BUCKET_GITHUB_TOKEN not needed when targeting main Scoop repository
+check_secret "RELEASE_TOKEN" "true" "Token for Homebrew tap repository"
 
 # GPG signing
 check_secret "GPG_PRIVATE_KEY" "true" "GPG private key for package signing"
-check_secret "GPG_PASSPHRASE" "true" "GPG key passphrase"
-check_secret "GPG_KEY_FILE" "false" "GPG key file for RPM signing"
+check_secret "GPG_FINGERPRINT" "true" "GPG key fingerprint for package signing"
 
 # Package manager APIs
-check_secret "AUR_KEY" "true" "SSH private key for AUR publishing (both emojify-go and emojify-go-bin)"
-
-# Optional services
-check_secret "CODECOV_TOKEN" "false" "Codecov.io token for coverage reporting"
+check_secret "AUR_SSH_PRIVATE_KEY" "true" "SSH private key for AUR publishing (both emojify-go and emojify-go-bin)"
 
 echo -e "\n${BLUE}🏗️  Checking Required Repositories${NC}"
 echo "--------------------------------------"
@@ -79,11 +74,9 @@ echo "--------------------------------------"
 if [ -n "${GITHUB_TOKEN}" ]; then
     check_github_repo "damienbutt/homebrew-tap" "Homebrew formula repository"
 
-    # Note: Scoop targets main repository, so no custom bucket needed
-    echo -e "${GREEN}✅ Scoop: Targeting main ScoopInstaller/Main repository${NC}"
+    check_github_repo "damienbutt/scoop-bucket" "Scoop bucket repository"
 
-    # Note: We can't easily check the WinGet fork without more complex logic
-    echo -e "${YELLOW}ℹ️  Note: Please ensure you have a fork of microsoft/winget-pkgs${NC}"
+    check_github_repo "damienbutt/winget-pkgs" "Winget package repository"
 else
     echo -e "${YELLOW}⚠️  Skipping repository checks (no GITHUB_TOKEN)${NC}"
 fi