Bump to v0.12 (#4) #115
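on:
  # On push/pr & weekly
  push:
  pull_request:
  schedule:
    - cron: "0 23 * * 0"

name: CI

# Least privilege: every job below only checks out the repository and runs
# the local action, so the GITHUB_TOKEN is limited to read-only contents.
permissions:
  contents: read

jobs:
  # Checks the upstream minisign container image against the cosign public
  # key committed in this repository. The image is referenced by digest, so
  # the check covers exactly that image content, not a tag that can move.
  # NOTE(review): presumably this is the image the local action runs;
  # confirm the digest matches the one in action.yml / Dockerfile.
  verify_container_signatures:
    name: "Verify upstream container's published signature matches"
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v2` (here and in the jobs below) is a mutable tag.
      # Pinning third-party actions to a full commit SHA keeps the code
      # that runs in CI from changing without a change in this repository.
      - uses: actions/checkout@v2
      # NOTE(review): `@main` is a branch ref, so this job runs whatever the
      # installer's default branch holds at run time. The installer provides
      # the tool doing the verification, so it should be pinned to a
      # reviewed commit SHA as well.
      - uses: sigstore/cosign-installer@main
      - run: |
          cosign verify --key ./minisign-container-cosign.pub jedisct1/minisign@sha256:ee60186c5d05e342e66cbc81133aa744d026752d909d8ea021a15c4d16b1193b

  # Downloads the minisign 0.12 release tarball and its detached signature,
  # then verifies them with the local action. The public key is passed
  # inline with -P, so the artifacts are checked against a value fixed in
  # this file rather than anything fetched alongside them.
  verify:
    name: "Verify"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: fetch minsign 0.12 release
        run: |
          wget \
            https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12.tar.gz \
            https://github.com/jedisct1/minisign/releases/download/0.12/minisign-0.12.tar.gz.minisig
      - name: verify minisign 0.12 release
        uses: ./
        with:
          args: -Vm "minisign-0.12.tar.gz" -P "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"

  # Round trip with a throwaway key: generate, sign a random file, verify.
  sign:
    name: "Sign"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Generate a test key
        uses: ./
        with:
          args: -G
      - name: Create test file to sign
        run: dd if=/dev/urandom bs=4k count=1 of=test-file.bin
      - name: Sign our test file
        uses: ./
        with:
          args: -Sm test-file.bin
      - name: Verify the signature still works
        uses: ./
        with:
          args: -Vm test-file.bin

  # Signs with a passwordless key held in repository secrets.
  # Secrets are not passed to workflows triggered by pull requests from
  # forks, so on those runs the key inputs below are empty.
  # NOTE(review): the secret names suggest dedicated test keys; confirm
  # they are never reused for signing real releases.
  sign_with_existing_unencrypted_key:
    name: "Sign with a pre-existing key fetched from secret"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Create test file to sign
        run: dd if=/dev/urandom bs=4k count=1 of=test-file.bin
      - name: Sign our test file with key from secrets
        uses: ./
        with:
          args: -Sm test-file.bin
          minisign_key: ${{ secrets.TEST_DATA_NO_PASSWORD_MINISIGN_KEY }}
      # The key reaches the shell through an environment variable instead of
      # being expanded into the script text, so its content is never parsed
      # as shell syntax.
      - name: Save a copy of our verification key to disk
        run: printenv MINISIGN_VERIFICATION_KEY > minisign.pub
        env:
          MINISIGN_VERIFICATION_KEY: ${{ secrets.TEST_DATA_NO_PASSWORD_MINISIGN_PUB }}
      - name: Verify our test file using the verification key we just wrote
        uses: ./
        with:
          args: -Vm test-file.bin

  # Same as the job above, but the secret key is password-protected and the
  # password is supplied from a second secret. The same fork pull request
  # caveat applies: the secrets are empty on those runs.
  sign_with_existing_encrypted_key:
    name: "Sign with a pre-existing key w/ password fetched from secret "
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Create test file to sign
        run: dd if=/dev/urandom bs=4k count=1 of=test-file.bin
      - name: Sign our test file with key from secrets
        uses: ./
        with:
          args: -Sm test-file.bin
          minisign_key: ${{ secrets.TEST_DATA_HAS_PASSWORD_MINISIGN_KEY }}
          password: ${{ secrets.TEST_DATA_HAS_PASSWORD_PASSWORD }}
      # The secret is expanded into the args string before the action runs.
      # NOTE(review): how the action splits `args` is not visible here;
      # confirm it does not pass the string through a shell.
      - name: Verify our test file
        uses: ./
        with:
          args: -Vm test-file.bin -P "${{ secrets.TEST_DATA_HAS_PASSWORD_MINISIGN_PUB_NOHEADER }}"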