/ghaction-import-gpg

GitHub Actions to import a GPG key in the local gpg agent to be able to sign things

MIT LicenseMIT

Usage

uses: scalingo/ghaction-import-gpg@v1
with:
  GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
  PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

ghaction-import-gpg

GitHub action to import GPG private key

Node [1/23/2023]: This action is a fork from https://github.com/hashicorp/ghaction-import-gpg maintained by Scalingo

Note [7/14/22]: This action has been deprecated in favor of the upstream which now supports sign-only keys, and is well supported and documented.

Note [5/6/2021]: This was supposed to be a fork (paultyng/ghaction-import-gpg) of a fork (crazy-max/ghaction-import-gpg) of the upstream repo. Due to the restrictions on using a sign-only key, we encountered this issue. This is an internal action that overrides this fork until the issue is resolved upstream.

Environment Variables

Following environment variables must be used as step.env keys

Name Description
GPG_PRIVATE_KEY GPG private key exported as an ASCII armored version (required)
PASSPHRASE Passphrase of the GPG_PRIVATE_KEY key if set

Details on how to generate the Private Key and Passphrase can be found in our learn guide.

Workflow Example

name: sign
on: push

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Import GPG key
        id: import_gpg
        uses: scalingo/ghaction-import-gpg@v1
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
      - run: |
          touch foo.txt
          gpg --detach-sig foo.txt