fix: Sanitize secrets

Signed-off-by: matttrach <matt.trachier@suse.com>

Author: matttrach

.github/workflows/release.yaml

@@ -34,26 +34,42 @@ jobs:
 
       - name: sign shasum
         env:
-          GPG_KEY: ${{ env.GPG_KEY }}
-          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ env.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ env.GPG_KEY_ID }}
+          GPG_KEY: ${{ env.GPG_KEY }}
         run: |
+          cleanup() {
+            # clear history just in case
+            history -c
+          }
+          trap cleanup EXIT TERM
+
+          # sanitize variables
+          GPG_PASSPHRASE="$(echo "${GPG_PASSPHRASE}" | xargs)"
+          GPG_KEY_ID="$(echo "${GPG_KEY_ID}" | xargs)"
+          GPG_KEY="$(echo -n "${GPG_KEY}" | awk '/-----BEGIN PGP PRIVATE KEY BLOCK-----/,/-----END PGP PRIVATE KEY BLOCK-----/')"
+
+          if [ -z "${GPG_PASSPHRASE}" ]; then echo "gpg passphrase empty"; exit 1; fi
+          if [ -z "${GPG_KEY_ID}" ]; then echo "key id empty"; exit 1; fi
+          if [ -z "${GPG_KEY}" ]; then echo "key contents empty"; exit 1; fi
+
           echo "Importing gpg key"
-          echo -n '${{ env.GPG_KEY }}' | gpg --import --batch > /dev/null
+          echo "${GPG_KEY}" | gpg --import --batch > /dev/null || { echo "Failed to import GPG key"; exit 1; }
 
-          echo "signing SHASUM file"
-          VERSION_NO_V="$(echo ${{ github.ref_name }} | tr -d 'v')"
+          echo "Signing SHASUM file"
+          VERSION_NO_V="$(echo "${{ github.ref_name }}" | tr -d 'v')"
           SHASUM_FILE="dist/artifacts/${{ github.ref_name }}/terraform-provider-rancher2_${VERSION_NO_V}_SHA256SUMS"
-          echo '${{ env.GPG_PASSPHRASE }}' | gpg --detach-sig --pinentry-mode loopback --passphrase-fd 0 --local-user "${{ env.GPG_KEY_ID }}" --output "${SHASUM_FILE}.sig" --sign "${SHASUM_FILE}"
 
-          echo "Validating signature..."
+          gpg --detach-sig \
+              --pinentry-mode loopback \
+              --passphrase "${GPG_PASSPHRASE}" \
+              --local-user "${GPG_KEY_ID}" \
+              --output "${SHASUM_FILE}.sig" \
+              --sign "${SHASUM_FILE}" || { echo "Failed to sign checksum."; exit 1; }
 
-          if ! gpg --verify "${SHASUM_FILE}.sig" "${SHASUM_FILE}"; then
-            echo "Signature is valid..."
-          else
-            echo "Signature verification failed!"
-            exit 1
-          fi
+          echo "Validating signature..."
+          gpg --verify "${SHASUM_FILE}.sig" "${SHASUM_FILE}" || { echo "Signature verification failed!"; exit 1; }
+          echo "Signature is valid..."
       - name: GH release
         env:
           GH_TOKEN: ${{ github.token }}