Merge pull request #19230 from Homebrew/ww/ssh-signing

ci: switch to SSH signing everywhere
2025-02-04 11:04:05 +00:00 · 2025-02-04 11:04:05 +00:00 · 2758336890
commit 2758336890
parent c5e2aa63e5 6530dd5487
5 changed files with 11 additions and 13 deletions
--- a/.github/workflows/schemas.yml
+++ b/.github/workflows/schemas.yml
@ -37,13 +37,13 @@ jobs:
      - name: Set up commit signing
        uses: Homebrew/actions/setup-commit-signing@master
        with:
-          signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
+          ssh: true
+          signing_key: ${{ secrets.BREWTESTBOT_SSH_SIGNING_KEY }}

      - name: Update schema data
        id: update
        env:
          GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
        run: |
          git fetch origin
@ -61,7 +61,7 @@ jobs:

          # Intentionally tracking 2.3.x to match what we output in sbom.rb. 3.0 also doesn't have a JSON Schema.
          # Note: this is a 2.3.1 development branch - not a 2.3.1 tag. It contains bugfixes compared to 2.3.0.
-          curl --location --output Library/Homebrew/data/schemas/sbom.json https://raw.githubusercontent.com/spdx/spdx-spec/development/v2.3.1/schemas/spdx-schema.json
+          curl --location --output Library/Homebrew/data/schemas/sbom.json https://raw.githubusercontent.com/spdx/spdx-spec/support/v2.3.1/schemas/spdx-schema.json
          # https://github.com/spdx/spdx-spec/pull/1029
          sed -i -e 's|\(2019-09/schema\)#|\1|' Library/Homebrew/data/schemas/sbom.json

--- a/.github/workflows/sorbet.yml
+++ b/.github/workflows/sorbet.yml
@ -45,7 +45,8 @@ jobs:
        if: github.event_name != 'pull_request'
        uses: Homebrew/actions/setup-commit-signing@master
        with:
-          signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
+          ssh: true
+          signing_key: ${{ secrets.BREWTESTBOT_SSH_SIGNING_KEY }}

      - name: Update RBI files
        id: update
@ -74,7 +75,6 @@ jobs:
        if: github.event_name != 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
        run: |
          if ! git diff --stat --exit-code "Library/Homebrew/sorbet"
--- a/.github/workflows/spdx.yml
+++ b/.github/workflows/spdx.yml
@ -37,13 +37,13 @@ jobs:
      - name: Set up commit signing
        uses: Homebrew/actions/setup-commit-signing@master
        with:
-          signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
+          ssh: true
+          signing_key: ${{ secrets.BREWTESTBOT_SSH_SIGNING_KEY }}

      - name: Update SPDX license data
        id: update
        env:
          GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
        run: |
          git fetch origin
--- a/.github/workflows/sponsors-maintainers-man-completions.yml
+++ b/.github/workflows/sponsors-maintainers-man-completions.yml
@ -46,7 +46,8 @@ jobs:
      - name: Set up commit signing
        uses: Homebrew/actions/setup-commit-signing@master
        with:
-          signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
+          ssh: true
+          signing_key: ${{ secrets.BREWTESTBOT_SSH_SIGNING_KEY }}

      - name: Cache Bundler RubyGems
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
@ -120,7 +121,6 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.HOMEBREW_GITHUB_PUBLIC_REPO_TOKEN }}
          HOMEBREW_GITHUB_API_TOKEN: ${{ secrets.HOMEBREW_BREW_UPDATE_SPONSORS_MAINTAINERS_TOKEN }}
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}

      - name: Push commits
--- a/.github/workflows/vendor-gems.yml
+++ b/.github/workflows/vendor-gems.yml
@ -47,7 +47,8 @@ jobs:
        if: github.event_name == 'workflow_dispatch'
        uses: Homebrew/actions/setup-commit-signing@master
        with:
-          signing_key: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY }}
+          ssh: true
+          signing_key: ${{ secrets.BREWTESTBOT_SSH_SIGNING_KEY }}

      - name: Check out pull request
        id: checkout
@ -66,8 +67,6 @@ jobs:
        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}

      - name: Vendor Gems
-        env:
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
        run: |
          if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]]
          then
@ -83,7 +82,6 @@ jobs:
        if: github.event_name == 'workflow_dispatch'
        env:
          GEM_NAME: ${{ steps.checkout.outputs.gem_name }}
-          HOMEBREW_GPG_PASSPHRASE: ${{ secrets.BREWTESTBOT_GPG_SIGNING_SUBKEY_PASSPHRASE }}
        working-directory: ${{ steps.set-up-homebrew.outputs.repository-path }}
        run: |
          if ! git diff --stat --exit-code "Library/Homebrew/sorbet"