authorJakob Borg <jakob@kastelo.net>2023-04-28 11:24:41 +0200
committerJakob Borg <jakob@kastelo.net>2023-04-28 13:03:25 +0200
commitaa01ff5d50d8025d46d2d06715d1a7d17d151207 (patch)
treee7c305c24d266173d4e3012ba75ee4361054d734
parent63503e0c98cd20baf66890faaf0d83c7a3a0ea5b (diff)
build: Sign for upgrades
-rw-r--r--.github/workflows/build-syncthing.yaml50
1 files changed, 50 insertions, 0 deletions
diff --git a/.github/workflows/build-syncthing.yaml b/.github/workflows/build-syncthing.yaml
index 32745c5da..87c2f199b 100644
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@@ -409,3 +409,53 @@ jobs:
with:
name: packages-source
path: syncthing-source-*.tar.gz
+
+ #
+ # Sign binaries for auto upgrade
+ #
+
+ sign-for-upgrade:
+ name: Sign for upgrade
+ if: github.event_name == 'push' && (github.ref == 'refs/heads/release' || startsWith(github.ref, 'refs/heads/release-'))
+ environment: signing
+ needs:
+ - package-windows
+ - package-linux
+ - package-macos
+ - package-cross
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - uses: actions/checkout@v3
+ with:
+ repository: syncthing/release-tools
+ path: tools
+ fetch-depth: 0
+
+ - name: Download artifacts
+ uses: actions/download-artifact@v3
+
+ - name: Install signing tool
+ run: |
+ go install ./cmd/stsigtool
+
+ - name: Sign archives
+ run: |
+ export PRIVATE_KEY="$RUNNER_TEMP/privkey.pem"
+ export PATH="$PATH:$(go env GOPATH)/bin"
+ echo "$STSIGTOOL_PRIVATE_KEY" | base64 -d > "$PRIVATE_KEY"
+ mkdir packages
+ mv packages-*/* packages
+ pushd packages
+ "$GITHUB_WORKSPACE/tools/sign-only"
+ env:
+ STSIGTOOL_PRIVATE_KEY: ${{ secrets.STSIGTOOL_PRIVATE_KEY }}
+
+ - name: Archive artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: packages-signed
+ path: packages/*
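Review bot: The second `actions/checkout@v3` step fetches `syncthing/release-tools` with no `ref`, so the `tools/sign-only` script that the "Sign archives" step runs with `STSIGTOOL_PRIVATE_KEY` in its environment is, as far as the hunk shows, whatever that repository's default branch holds at run time. Adding `ref: <release-tools commit SHA>` under that step's `with:` would make any change to the script that handles the upgrade-signing key go through review in this repository. In the same step the decoded key is written to `$RUNNER_TEMP/privkey.pem` under the default umask and is never removed. Adding `umask 077` before the `base64 -d` line and `trap 'rm -f "$PRIVATE_KEY"' EXIT` after the `export PRIVATE_KEY=...` line would narrow that exposure, which matters most if the job ever runs on a non-ephemeral runner.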