Feat: Git tag support and documentation

Also removes sign-dir, which is not a current feature.

Signed-off-by: Eric Ball <[email protected]>

.gitlint

@@ -0,0 +1,96 @@
+# All these sections are optional, edit this file as you like.
+[general]
+# Ignore certain rules, you can reference them by their id or by their full
+# name
+# ignore=title-trailing-punctuation, T3
+
+# verbosity should be a value between 1 and 3, the command line -v flags take
+# precedence over this
+# verbosity = 2
+
+# By default gitlint will ignore merge commits. Set to 'false' to disable.
+# ignore-merge-commits=true
+
+# By default gitlint will ignore fixup commits. Set to 'false' to disable.
+# ignore-fixup-commits=true
+
+# By default gitlint will ignore squash commits. Set to 'false' to disable.
+# ignore-squash-commits=true
+
+# Enable debug mode (prints more output). Disabled by default.
+# debug=true
+
+# Set the extra-path where gitlint will search for user defined rules
+# See http://jorisroovers.github.io/gitlint/user_defined_rules for details
+# extra-path=examples/
+
+contrib=contrib-title-conventional-commits,contrib-body-requires-signed-off-by
+
+# [title-max-length]
+# line-length=80
+
+# [title-must-not-contain-word]
+# Comma-separated list of words that should not occur in the title. Matching is
+# case insensitive. It's fine if the keyword occurs as part of a larger word
+# (so "WIPING" will not cause a violation, but "WIP: my title" will.
+# words=wip
+
+# [title-match-regex]
+# python like regex (https://docs.python.org/2/library/re.html) that the
+# commit-msg title must be matched to.
+# Note that the regex can contradict with other rules if not used correctly
+# (e.g. title-must-not-contain-word).
+# regex=^US[0-9]*
+
+# [B1]
+# B1 = body-max-line-length
+# line-length=120
+
+# [body-min-length]
+# min-length=5
+
+# [body-is-missing]
+# Whether to ignore this rule on merge commits (which typically only have a title)
+# default = True
+# ignore-merge-commits=false
+
+# [body-changed-file-mention]
+# List of files that need to be explicitly mentioned in the body when they are
+# changed This is useful for when developers often erroneously edit certain
+# files or git submodules.  By specifying this rule, developers can only change
+# the file when they explicitly reference it in the commit message.
+# files=gitlint/rules.py,README.md
+
+# [author-valid-email]
+# python like regex (https://docs.python.org/2/library/re.html) that the
+# commit author email address should be matched to
+# For example, use the following regex if you only want to allow email
+# addresses from foo.com
+# regex=[^@][email protected]
+
+# [ignore-by-title]
+# Ignore certain rules for commits of which the title matches a regex
+# E.g. Match commit titles that start with "Release"
+# regex=^Release(.*)
+#
+# Ignore certain rules, you can reference them by their id or by their full name
+# Use 'all' to ignore all rules
+# ignore=T1,body-min-length
+
+# [ignore-by-body]
+# Ignore certain rules for commits of which the body has a line that matches a
+# regex
+# E.g. Match bodies that have a line that contain "release"
+# regex=(.*)release(.*)
+#
+# Ignore certain rules, you can reference them by their id or by their full name
+# Use 'all' to ignore all rules
+# ignore=T1,body-min-length
+
+# Enable Conventional Commit subject line enforcement
+# https://www.conventionalcommits.org/en/v1.0.0/
+#
+# Since we want all subjects to be well formed, enforce the topics
+# to the following (fairly standard) topics and require them to be Mixed Case
+[contrib-title-conventional-commits]
+types=Fix,Feat,Chore,Docs,Style,Refactor,Perf,Test,Revert,CI,Build

Dockerfile

@@ -13,7 +13,7 @@ gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAG
 includepkgs=sigul* \n\
 skip_if_unavailable=True' > /etc/yum.repos.d/fedora-infra-sigul.repo
 
-RUN yum install -y -q sigul
+RUN yum install -y -q sigul git
 
 COPY entrypoint.sh /entrypoint.sh
 

README.md

@@ -1 +1,51 @@
-# sigul-sign
+# Sigul-sign action
+
+This action is used to sign build artifacts and git tags using a Sigul server.
+
+## Inputs
+
+## `sign-type`
+
+The type of signing to do, either `"sign-data"` or `"sign-git-tag"`.
+Default `"sign-data"`
+
+## `sign-object`
+
+**Required** The file or git tag to sign.
+
+## `sigul-ip`
+
+**Required** The IP address of the sigul server being used.
+
+## `sigul-uri`
+
+**Required** The URI of the sigul server. This is used with the IP address to
+create a hosts file entry for the server.
+
+## `sigul-conf`
+
+**Required** The sigul config file.
+
+## `sigul-key-name`
+
+**Required** The key name on the server to utilize.
+
+## `sigul-pass`
+
+**Required** The password for the sigul connection (this should be specific to
+the key name being used).
+
+## `sigul-pki`
+
+**Required** PKI info for the sigul connection. This expected to be stored in a
+GPG armor file, encrypted using the above sigul-pass.
+
+## `gh-user`
+
+For git tag signing, the action requires a user to push the signed tag as.
+Default: GITHUB_ACTOR (the name of the person or app that initiated the workflow)
+
+## `gh-key`
+
+An API key for the user specified in `gh-user`. This is not a required field for
+sign-data actions, but *MUST* be specified for sign-git-tag actions.

action.yml

@@ -3,11 +3,11 @@ description: "Sign artifacts with Sigul"
 
 inputs:
   sign-type:
-    description: "One of 'sign-data', 'sign-dir', or 'sign-git-tag'"
-    required: true
+    description: "Either 'sign-data' or 'sign-git-tag'"
+    required: false
     default: "sign-data"
   sign-object:
-    description: "Object (file, directory, or git tag) to sign"
+    description: "File or git tag to sign"
     required: true
   sigul-ip:
     description: "IP address of sigul server"
@@ -18,22 +18,34 @@ inputs:
   sigul-conf:
     description: "Config file for sigul connection"
     required: true
+  sigul-key-name:
+    description: "The key name on the server to utilize"
+    required: true
   sigul-pass:
     description: "Password for sigul connection"
     required: true
   sigul-pki:
     description: "PKI info for sigul connection"
     required: true
+  gh-user:
+    description: "GitHub user for pushing signed tags"
+    required: false
+    default: GITHUB_ACTOR
+  gh-key:
+    description: "GitHub API key for pushing signed tags"
+    required: false
 
 runs:
   using: "docker"
   image: Dockerfile
-  args:
-    - ${{ inputs.sign-type }}
-    - ${{ inputs.sign-object }}
   env:
+    SIGN_TYPE: ${{ inputs.sign-type }}
+    SIGN_OBJECT: ${{ inputs.sign-object }}
     SIGUL_IP: ${{ inputs.sigul-ip }}
     SIGUL_URI: ${{ inputs.sigul-uri }}
     SIGUL_CONF: ${{ inputs.sigul-conf }}
+    SIGUL_KEY_NAME: ${{ inputs.sigul-key-name }}
     SIGUL_PASS: ${{ inputs.sigul-pass }}
     SIGUL_PKI: ${{ inputs.sigul-pki }}
+    GH_USER: ${{ inputs.gh-user }}
+    GH_KEY: ${{ inputs.gh-key }}

entrypoint.sh

@@ -1,7 +1,7 @@
 #!/bin/bash -l
 SIGUL_PASS_FILE=/etc/sigul/sigul-pass
 
-# Used values passed in from the calling workflow to create needed files
+# Use values passed in from the calling workflow to create needed files
 echo "$SIGUL_IP" "$SIGUL_URI" >> /etc/hosts
 mkdir -p /etc/sigul
 echo "$SIGUL_CONF" > /etc/sigul/client.conf
@@ -17,8 +17,13 @@ tar Jxf sigul.tar.xz
 sed -i 's/$/\x0/' "${SIGUL_PASS_FILE}"
 
 cd $GITHUB_WORKSPACE
-# $1 is sign-type and $2 is sign-object
-sigul --batch $1 -a -o $2.asc odpi-release-2021 $2 < "${SIGUL_PASS_FILE}"
-# We need the signature files to be readable by the workflow
-chmod 644 *.asc
-ls -al
+if [ $SIGN_TYPE = "sign-data" ]; then
+    sigul --batch $SIGN_TYPE -o $SIGN_OBJECT.asc $SIGUL_KEY_NAME $SIGN_OBJECT < "${SIGUL_PASS_FILE}"
+    # We need the signature files to be readable by the workflow
+    chmod 644 *.asc
+elif [ $SIGN_TYPE = "sign-git-tag" ]; then
+    git remote add github "https://${GH_USER}:${GH_KEY}@github.com/${GITHUB_REPOSITORY}"
+    git fetch --tags
+    sigul --batch $SIGN_TYPE $SIGUL_KEY_NAME $SIGN_OBJECT < "${SIGUL_PASS_FILE}"
+    git push -f github $SIGN_OBJECT
+fi