Merge "Add role to GPG sign artifacts in a directory"

Zuul 2017-08-22 23:37:10 +00:00 committed by Gerrit Code Review
commit 9c6a3a7573
3 changed files with 49 additions and 0 deletions


@ -0,0 +1,22 @@
Sign artifacts
**Role Variables**
.. zuul:rolevar:: gpg_key
Complex argument which contains the GPG public and secret keyrings
for signing the artifacts. It is expected that this argument comes
from a `Secret`.
.. zuul:rolevar:: pubring
The binary contents of the GPG pubring.
.. zuul:rolevar:: secring
The binary contents of the GPG secring.
.. zuul:rolevar:: gpg_artifact_path
:default: "{{ zuul.executor.work_root }}/artifacts/"
Path to a directory containing artifacts to sign.


@ -0,0 +1 @@
gpg_sign_path: "{{ zuul.executor.work_root }}/artifacts/"


@ -0,0 +1,26 @@
- name: Make GPG directory
tempfile:
state: directory
register: gnupg_tmpdir
- name: Create GPG pubring
copy:
content: "{{ gpg_key.pubring }}"
dest: "{{ gnupg_tmpdir.path }}/pubring.gpg"
mode: 0400
- name: Create GPG secring
copy:
content: "{{ gpg_key.secring }}"
dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
mode: 0400
- name: Find files to sign
find:
paths: "{{ gpg_sign_path }}"
register: artifacts
- name: Sign artifacts
command: "gpg --homedir {{ gnupg_tmpdir.path }} --armor --detach-sign {{ item.path }}"
with_items: "{{ artifacts.files }}"
when: artifacts.matched|bool
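Review bot: The `Create GPG secring` task writes `gpg_key.secring` through `copy: content:` without `no_log: true`, so the secret key bytes can be echoed in verbose or `--diff` output; the same applies to the pubring task if the whole `gpg_key` secret is meant to stay out of logs. The temporary GPG home created by `Make GPG directory` is never removed, which leaves the secret keyring on the executor after the role finishes, so a closing `file: state: absent` task is needed (ideally inside a `block`/`always` so it also runs when signing fails). In `Sign artifacts`, `{{ item.path }}` is interpolated unquoted into `command:`, so a file name containing whitespace is split into several arguments; use `{{ item.path | quote }}`. `mode: 0400` relies on YAML 1.1 octal parsing of the bare literal and is clearer as the string `"0400"`. Separately, the README section documents the directory variable as `gpg_artifact_path` while the defaults file and `find: paths:` use `gpg_sign_path`; one of the two should be renamed so the documented variable is the one the role reads.
```yaml
# … unchanged: Make GPG directory, Create GPG pubring …
- name: Create GPG secring
  copy:
    content: "{{ gpg_key.secring }}"
    dest: "{{ gnupg_tmpdir.path }}/secring.gpg"
    mode: "0400"
  no_log: true
# … unchanged: Find files to sign, Sign artifacts …
- name: Remove GPG directory
  file:
    path: "{{ gnupg_tmpdir.path }}"
    state: absent
```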