1616 required : true
1717 type : string
1818 description : The version of python to use with relenv
19+ sign-rpm-packages :
20+ type : boolean
21+ default : false
22+ description : Sign RPM Packages
1923 sign-macos-packages :
2024 type : boolean
2125 default : false
4549 type : string
4650 description : Json job matrix config
4751
52+
4853env :
4954 COLUMNS : 190
5055 PIP_INDEX_URL : ${{ vars.PIP_INDEX_URL }}
@@ -162,6 +167,7 @@ jobs:
162167
163168 build-rpm-packages :
164169 name : RPM
170+ environment : ${{ inputs.environment }}
165171 if : ${{ toJSON(fromJSON(inputs.matrix)['linux']) != '[]' }}
166172 runs-on :
167173 - ${{ matrix.arch == 'x86_64' && 'ubuntu-24.04' || inputs.linux_arm_runner }}
@@ -199,6 +205,25 @@ jobs:
199205 with :
200206 salt-version : " ${{ inputs.salt-version }}"
201207
208+ - name : Setup GnuPG
209+ if : ${{ inputs.sign-rpm-packages }}
210+ env :
211+ SIGNING_GPG_KEY : ${{ secrets.SIGNING_GPG_KEY }}
212+ SIGNING_PASSPHRASE : ${{ secrets.SIGNING_PASSPHRASE }}
213+ run : |
214+ install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
215+ GNUPGHOME="$(mktemp -d -p /run/gpg)"
216+ export GNUPGHOME
217+ echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
218+ cat <<EOF > "${GNUPGHOME}/gpg.conf"
219+ batch
220+ no-tty
221+ pinentry-mode loopback
222+ passphrase-file ${GNUPGHOME}/passphrase
223+ EOF
224+ echo "${SIGNING_PASSPHRASE}" > "${GNUPGHOME}/passphrase"
225+ echo "${SIGNING_GPG_KEY}" | gpg --import -
226+
202227name : Configure Git
203228 if : ${{ startsWith(github.event.ref, 'refs/tags') == false }}
204229 run : |
@@ -216,7 +241,7 @@ jobs:
216241 format('--onedir=salt-{0}-onedir-linux-{1}.tar.xz', inputs.salt-version, matrix.arch)
217242 ||
218243 format('--arch={0}', matrix.arch)
219- }}
244+ }} ${{ inputs.sign-rpm-packages && '--key-id=64CBBC8173D76B3F' || '' }}
220245
221246name : Set Artifact Name
222247 id : set-artifact-name
@@ -368,6 +393,7 @@ jobs:
368393 SM_CLIENT_CERT_PASSWORD : " ${{ secrets.WIN_SIGN_CERT_PASSWORD }}"
369394 SM_CLIENT_CERT_FILE_B64 : " ${{ secrets.WIN_SIGN_CERT_FILE_B64 }}"
370395 WIN_SIGN_CERT_SHA1_HASH : " ${{ secrets.WIN_SIGN_CERT_SHA1_HASH }}"
396+ SM_CODE_SIGNING_CERT_SHA1_HASH : " ${{ secrets.WIN_SIGN_CERT_SHA1_HASH }}"
371397 PIP_INDEX_URL : https://pypi.org/simple
372398
373399 steps :
@@ -416,16 +442,17 @@ jobs:
416442 name : salt-${{ inputs.salt-version }}-onedir-windows-${{ matrix.arch }}.zip
417443 path : artifacts/
418444
419- - name : Code signing with Software Trust Manager
420- if : ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
421- uses : digicert/ssm-code-signing@v0.0.2
422-
423445 - name : Setup Certificate
424446 if : ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
425447 shell : bash
426448 run : |
427449 echo "${{ secrets.WIN_SIGN_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
428450
451+
452+ name : Code signing with Software Trust Manager
453+ if : ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
454+ uses : digicert/ssm-code-signing@v0.0.2
455+
429456 - name : Build Windows Packages
430457 run : |
431458 tools pkg build windows --relenv-version=${{ inputs.relenv-version }} --python-version=${{ inputs.python-version }} ${{
0 commit comments