Add role to GPG sign artifacts in a directory
This will sign everything in the artifacts directory. Change-Id: I1f07b1b05ff4336e32469f85ff2c09fb72c0b51c
This commit is contained in:
parent
80ec023985
commit
6271966f10
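--- a/roles/sign-artifacts/README.rst
+++ b/roles/sign-artifacts/README.rst
@@ -0,0 +1,22 @@
+Sign artifacts
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+   Complex argument which contains the GPG public and secret keyrings
+   for signing the artifacts. It is expected that this argument comes
+   from a `Secret`.
+
+   .. zuul:rolevar:: pubring
+
+      The binary contents of the GPG pubring.
+
+   .. zuul:rolevar:: secring
+
+      The binary contents of the GPG secring.
+
+.. zuul:rolevar:: gpg_artifact_path
+   :default: "{{ zuul.executor.work_root }}/artifacts/"
+
+   Path to a directory containing artifacts to sign.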
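--- a/roles/sign-artifacts/defaults/main.yaml
+++ b/roles/sign-artifacts/defaults/main.yaml
@@ -0,0 +1 @@
+gpg_sign_path: "{{ zuul.executor.work_root }}/artifacts/"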
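Review bot: The variable defined here, `gpg_sign_path`, does not match the name the README documents for the same default, `gpg_artifact_path`; the tasks file reads `gpg_sign_path`, so a caller who follows the README would set a variable nothing consumes and the role would silently sign the default directory instead. One side needs renaming so README, defaults and tasks agree, e.g. `gpg_artifact_path: "{{ zuul.executor.work_root }}/artifacts/"` here and `paths: "{{ gpg_artifact_path }}"` in the find task, or the README entry changed to `gpg_sign_path`.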
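--- a/roles/sign-artifacts/tasks/main.yaml
+++ b/roles/sign-artifacts/tasks/main.yaml
@@ -0,0 +1,26 @@
+- name: Make GPG directory
+  tempfile:
+    state: directory
+  register: gnupg_tmpdir
+
+- name: Create GPG pubring
+  copy:
+    content: "{{ gpg_key.pubring }}"
+    dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
+    mode: 0400
+
+- name: Create GPG secring
+  copy:
+    content: "{{ gpg_key.secring }}"
+    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
+    mode: 0400
+
+- name: Find files to sign
+  find:
+    paths: "{{ gpg_sign_path }}"
+  register: artifacts
+
+- name: Sign artifacts
+  command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path }}"
+  with_items: "{{ artifacts.files }}"
+  when: artifacts.matched|bool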
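Review bot: The secret keyring written by "Create GPG secring" is never removed — no task deletes `gnupg_tmpdir.path` after "Sign artifacts", so the secring stays on the executor's filesystem for as long as the temp directory survives, and the copy task carries no `no_log: true`, so a verbose run can print the secret content in the task result. Adding `no_log: true` to that task and a final `file: state: absent` task on the temp directory closes both gaps (wrapping the tasks in a `block` with the removal under `always` would also cover the failure path). Separately, `{{ item.path }}` is interpolated unquoted into a single command string, so a file name containing whitespace is split into several arguments; `{{ item.path | quote }}` avoids that. If the signing key has a passphrase, gpg without `--batch` may try to prompt on the non-interactive executor — worth confirming against the keys actually used. Quoting the octal modes as `"0400"` keeps them unambiguous for YAML parsers.
```yaml
- name: Create GPG secring
  copy:
    content: "{{ gpg_key.secring }}"
    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
    mode: "0400"
  no_log: true

# … unchanged: Find files to sign …

- name: Sign artifacts
  command: "gpg --batch --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path | quote }}"
  with_items: "{{ artifacts.files }}"
  when: artifacts.matched|bool

- name: Remove GPG directory
  file:
    path: "{{ gnupg_tmpdir.path }}"
    state: absent
```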