ci: sign RPM packages before pushing to GCP Artifact Registry#4392

Open
PrzemekZglinicki wants to merge 1 commit into main from devprod-4134-sign-rpm-packages-connect

Conversation

@PrzemekZglinicki
Contributor

@PrzemekZglinicki PrzemekZglinicki commented May 4, 2026

Summary

  • Add sign_rpm() to push_pkg_to_gcp_ar.sh: fetches the Redpanda GPG private key from AWS Secrets Manager (sdlc/prod/github/rpm_signing_key_private), signs each RPM with rpmsign --resign, verifies the signature using a temp RPM database, then uploads to GCP AR
  • DEBs are unchanged — GCP AR provides repository-level signing for APT
  • Fix signature verification to use rpm --dbpath <tmpdb> so the GPG check actually validates the signature (plain rpm --checksig ignores GNUPGHOME and checks the system keyring, returning exit 0 even for NOKEY)
  • Add test-push-to-gcp-ar CI job: generates a throwaway GPG key, builds a minimal RPM, mocks aws and gcloud, and asserts signing + routing for GA (redpanda-yum), RC (redpanda-unstable-yum), DEB (redpanda-apt), and missing-region error cases

🤖 Generated with Claude Code
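The signing and verification flow the description above walks through (sign under an isolated GNUPGHOME, verify against a temporary rpm database rather than the host keyring, and treat NOKEY as a failure), as an added example that is not code from this PR or from push_pkg_to_gcp_ar.sh. It assumes rpm 4.x: the `rpm -Kv` report line shape ("... Signature, key ID <id>: <status>", "... digest: <status>") is what the parser keys on, the key ID `1234abcd` in the sample reports is a placeholder, the sample reports are constructed rather than captured, and `rpmsign --define "_gpg_name ..." --resign` is assumed to be the signing invocation.

```shell
#!/usr/bin/env bash
# Added example, not code from the Redpanda PR or its push_pkg_to_gcp_ar.sh:
# sign an RPM with a key held in an isolated GNUPGHOME and verify it against
# a throwaway rpm database, treating anything other than an all-OK signature
# report as failure regardless of rpm's exit status.
set -eu

# checksig_is_trusted: read `rpm -Kv PKG` output on stdin and exit 0 only if
# at least one "Signature, key ID <id>: <status>" line is present and every
# signature and digest status is OK (NOKEY, NOTTRUSTED, BAD all fail).
# Assumption: the line shape is the one rpm 4.x prints in verbose mode.
checksig_is_trusted() {
  awk '
    /Signature, key ID/ { sigs++; if ($NF != "OK") bad++ }
    /digest:/           { if ($NF != "OK") bad++ }
    END { ok = (sigs > 0 && bad == 0); exit (ok ? 0 : 1) }
  '
}

# checksig_key_ids: print the distinct key IDs named on signature lines, so a
# caller can pin verification to the expected release key.
checksig_key_ids() {
  awk '/Signature, key ID/ { id = $(NF-1); sub(/:$/, "", id); print id }' | sort -u
}

# verify_rpm PKG PUBKEY [KEYID]: import PUBKEY into a fresh rpm database at a
# temporary --dbpath (the host keyring is never consulted), run rpm -Kv
# against it, and require an all-OK report, optionally from KEYID only.
# Runs in a subshell so the EXIT trap cleans up even under set -e.
verify_rpm() (
  pkg=$1 pubkey=$2 want_id=${3:-}
  dbpath=$(mktemp -d)
  trap 'rm -rf "$dbpath"' EXIT
  rpm --dbpath "$dbpath" --initdb
  rpm --dbpath "$dbpath" --import "$pubkey"
  report=$(rpm --dbpath "$dbpath" -Kv "$pkg")   # exit status alone is not trusted
  printf '%s\n' "$report" | checksig_is_trusted
  if [ -n "$want_id" ]; then
    [ "$(printf '%s\n' "$report" | checksig_key_ids)" = "$want_id" ]
  fi
)

# sign_rpm PKG KEYID: sign in place with rpmsign. The caller exports a
# GNUPGHOME (a temp dir holding only the imported private key); gpg, and so
# rpmsign, honour that variable. Assumption: rpmsign accepts --define.
sign_rpm() {
  rpmsign --define "_gpg_name $2" --resign "$1"
}

# Constructed samples in the shape of `rpm -Kv` output (not captured from a
# real package); the key ID 1234abcd is a placeholder.
SAMPLE_SIGNED_OK='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 1234abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 1234abcd: OK
    MD5 digest: OK'
SAMPLE_NOKEY='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 1234abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 1234abcd: NOKEY
    MD5 digest: OK'
SAMPLE_UNSIGNED='pkg.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# self_check: run the parser over the constructed samples; returns 0 only if
# it accepts the fully signed report and rejects NOKEY and unsigned ones.
self_check() {
  printf '%s\n' "$SAMPLE_SIGNED_OK" | checksig_is_trusted || return 1
  if printf '%s\n' "$SAMPLE_NOKEY" | checksig_is_trusted; then return 1; fi
  if printf '%s\n' "$SAMPLE_UNSIGNED" | checksig_is_trusted; then return 1; fi
  [ "$(printf '%s\n' "$SAMPLE_SIGNED_OK" | checksig_key_ids)" = "1234abcd" ]
}

if self_check; then
  echo "checksig parser self-check: OK"
else
  echo "checksig parser self-check: FAILED" >&2
  exit 1
fi
# Against a real package, with the release public key exported from the
# signing GNUPGHOME (gpg --armor --export KEYID > release-pub.asc):
#   verify_rpm ./redpanda.rpm ./release-pub.asc 1234abcd
```

Parsing the verbose report on top of the exit status is a belt-and-braces choice: the temporary `--dbpath` already keeps a host-installed vendor key from satisfying the check, and the parser makes the outcome independent of how a given rpm build maps NOKEY to an exit code.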

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Przemek Zglinicki seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch 4 times, most recently from e9d288b to 59ae745 on May 4, 2026 20:09
@PrzemekZglinicki
Contributor Author

@claude review once

Comment thread .github/workflows/test.yml Outdated
@claude

claude Bot commented May 4, 2026

Commits

  1. The single commit ci: sign RPM packages before pushing to GCP Artifact Registry bundles two unrelated changes: the RPM signing work (the focus of the PR) and a new label-gated integration-test job in .github/workflows/test.yml#L65-L114. The integration-test job is not mentioned in the commit body or PR description and has no functional relationship to RPM signing. Per the commit policy, each commit should be one self-contained logical change — please split this into two commits/PRs.

Review
The RPM signing logic and test-push-to-gcp-ar job look reasonable: AWS region is validated, GPG state is isolated to a temp GNUPGHOME, and verification correctly uses a temp RPM database (the comment in resources/scripts/push_pkg_to_gcp_ar.sh#L68-L76 accurately explains why the previous rpm --checksig was insufficient). Test coverage exercises GA, RC, DEB skip, and missing-region paths.

  1. See inline comment on the unrelated integration-test job in .github/workflows/test.yml.

@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch from 59ae745 to 6b00c86 on May 4, 2026 20:24
@claude

claude Bot commented May 4, 2026

Commits
LGTM

Review
CI changes to sign RPM packages with a key fetched from AWS Secrets Manager before pushing to GCP Artifact Registry, with a new test-push-to-gcp-ar job exercising RPM/DEB routing and the missing-region error path.

LGTM

@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch from 6b00c86 to 75ddf01 on May 4, 2026 20:32
@claude

claude Bot commented May 4, 2026

Commits
LGTM

Review
Single commit ci: sign RPM packages before pushing to GCP Artifact Registry adds RPM signing in push_pkg_to_gcp_ar.sh plus a CI test job that mocks aws/gcloud and exercises GA, RC, DEB, and missing-region paths. Script correctly uses set -euo pipefail, scopes temp dirs/keyring inside a subshell with an EXIT trap so cleanup fires even on early exit, verifies signatures via a temp RPM database (rpm --dbpath) instead of the system keyring, and short-circuits with a clear error when no AWS region is set.

LGTM

- Add sign_rpm() to push_pkg_to_gcp_ar.sh: fetches the Redpanda GPG
  private key from AWS Secrets Manager (sdlc/prod/github/rpm_signing_key_private),
  signs each RPM with rpmsign --resign, verifies the signature using a
  temp RPM database, then uploads to GCP AR
- Fix signature verification to use rpm --dbpath <tmpdb> so the GPG
  check actually validates the signature (plain rpm --checksig ignores
  GNUPGHOME and checks the system keyring, returning exit 0 even for NOKEY)
- Add test-push-to-gcp-ar CI job: generates a throwaway GPG key, builds
  a minimal RPM, mocks aws and gcloud, and asserts signing + routing for
  GA (redpanda-yum), RC (redpanda-unstable-yum), DEB (redpanda-apt), and
  missing-region error cases

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@PrzemekZglinicki PrzemekZglinicki force-pushed the devprod-4134-sign-rpm-packages-connect branch from 75ddf01 to 05fc4b6 on May 4, 2026 20:45
@claude

claude Bot commented May 4, 2026

Commits
LGTM

Review
RPM signing flow uses a subshell with an EXIT trap so cleanup runs even under set -e, and set -euo pipefail plus the pre-flight region check give clear failure modes. The new CI job exercises GA / RC / DEB / missing-region paths against mocked aws and gcloud, and the verification step correctly uses rpm --dbpath to ensure the GPG check actually validates against the imported key.

LGTM

2 participants