From 9cd5d3173f17873830965c15256081d183d09b78 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 14:59:49 +0000
Subject: [PATCH 1/3] Initial plan
From 3cd9a51d4c34687e89617d905f8e52e62ef2cb98 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 15:09:06 +0000
Subject: [PATCH 2/3] fix: pass gpg passphrase to prerelease signing
---
 .github/workflows/community_beta.yml | 1 +
 .github/workflows/community_release.yml | 1 +
 .github/workflows/pro_selfhosted_beta.yml | 1 +
 .github/workflows/pro_selfhosted_release.yml | 1 +
 .goreleaser.yml | 1 +
 5 files changed, 5 insertions(+)
diff --git a/.github/workflows/community_beta.yml b/.github/workflows/community_beta.yml
index 627df6581f..e4f482e023 100644
--- a/.github/workflows/community_beta.yml
+++ b/.github/workflows/community_beta.yml
@@ -56,6 +56,7 @@ jobs:
 GITHUB_TOKEN=${{ github.token }} \
 PROJECT_NAME=semaphore_community \
 GPG_KEY_ID="${{ vars.GPG_KEY_ID }}" \
+ GPG_PASS="${{ secrets.GPG_PASS }}" \
 task release:prod
 deploy-beta:
diff --git a/.github/workflows/community_release.yml b/.github/workflows/community_release.yml
index 85ae3ca736..7441c432b6 100644
--- a/.github/workflows/community_release.yml
+++ b/.github/workflows/community_release.yml
@@ -55,6 +55,7 @@ jobs:
 run: |
 GITHUB_TOKEN=${{ github.token }} \
 GPG_KEY_ID="${{ vars.GPG_KEY_ID }}" \
+ GPG_PASS="${{ secrets.GPG_PASS }}" \
 PROJECT_NAME=semaphore_community \
 task release:prod
diff --git a/.github/workflows/pro_selfhosted_beta.yml b/.github/workflows/pro_selfhosted_beta.yml
index 942b7ad262..b0dff6d7ec 100644
--- a/.github/workflows/pro_selfhosted_beta.yml
+++ b/.github/workflows/pro_selfhosted_beta.yml
@@ -62,6 +62,7 @@ jobs:
 APP_BUILD_TYPE=pro_selfhosted \
 GITHUB_TOKEN=${{ github.token }} \
 GPG_KEY_ID="${{ vars.GPG_KEY_ID }}" \
+ GPG_PASS="${{ secrets.GPG_PASS }}" \
 PROJECT_NAME=semaphore \
 task release:prod
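Review bot: The added `GPG_PASS="${{ secrets.GPG_PASS }}" \` line interpolates the secret directly into the `run:` script text; GitHub's workflow hardening guidance is to hand secrets to a step through `env:` and read them as shell variables, so the value is never written into the generated script and its content is never parsed as script. The same pattern is added in the community_release.yml and pro_selfhosted_beta.yml hunks of this commit and in the pro_selfhosted_release.yml hunk of the next, so the change applies to all four. A minimal version adds `GPG_PASS: ${{ secrets.GPG_PASS }}` under the step's `env:` and changes the line to `GPG_PASS="$GPG_PASS" \` (or drops it, since `task` inherits the step environment). The step's `run: |` key and any existing `env:` block are outside this hunk, so whether an `env:` block already exists cannot be seen here.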
diff --git a/.github/workflows/pro_selfhosted_release.yml b/.github/workflows/pro_selfhosted_release.yml
index 4a42476356..bee7040991 100644
--- a/.github/workflows/pro_selfhosted_release.yml
+++ b/.github/workflows/pro_selfhosted_release.yml
@@ -60,6 +60,7 @@ jobs:
 APP_BUILD_TYPE=pro_selfhosted \
 GITHUB_TOKEN=${{ github.token }} \
 GPG_KEY_ID="${{ vars.GPG_KEY_ID }}" \
+ GPG_PASS="${{ secrets.GPG_PASS }}" \
 PROJECT_NAME=semaphore \
 task release:prod
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 243a2b3489..c18c9ce46b 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -60,6 +60,7 @@ signs:
 "--pinentry-mode", "loopback",
 "--yes",
 "--batch",
+ "--passphrase", "{{ .Env.GPG_PASS }}",
 "--output", "${signature}",
 "--detach-sign", "${artifact}"
 ]
From 887c704d1d1c1538b0ec719a9358c9736d82a914 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 17 Jun 2026 15:10:22 +0000
Subject: [PATCH 3/3] fix: avoid exposing release gpg passphrase
---
 .goreleaser.yml | 11 +++-------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index c18c9ce46b..63a2144c79 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -54,15 +54,10 @@ signs:
 - artifacts: checksum
 signature: "{{ .Env.PROJECT_NAME }}_{{ .Version }}_checksums.txt.sig"
- cmd: gpg
+ cmd: sh
 args: [
- "-u", "{{ .Env.GPG_KEY_ID }}",
- "--pinentry-mode", "loopback",
- "--yes",
- "--batch",
- "--passphrase", "{{ .Env.GPG_PASS }}",
- "--output", "${signature}",
- "--detach-sign", "${artifact}"
+ "-c",
+ "printf '%s' \"$GPG_PASS\" | gpg -u \"{{ .Env.GPG_KEY_ID }}\" --pinentry-mode loopback --yes --batch --passphrase-fd 0 --output \"${signature}\" --detach-sign \"${artifact}\""
 ]
 checksum:
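Review bot: In the new `sh -c` command of the final .goreleaser.yml hunk the key id is still spliced into the shell string by the goreleaser template (`\"{{ .Env.GPG_KEY_ID }}\"`) while the passphrase is read from the shell environment (`\"$GPG_PASS\"`); reading both the same way, `gpg -u \"$GPG_KEY_ID\"`, keeps template output out of shell-parsed text, and since the workflows export GPG_KEY_ID and GPG_PASS side by side the key id should reach `sh` by the same route (that goreleaser passes its environment through to the sign command is inferred from this change working at all, not visible here). An unset or empty GPG_PASS currently feeds an empty passphrase to `--passphrase-fd 0` and is likely to fail only inside gpg, with an error that does not name the missing variable; prefixing the command with `[ -n "$GPG_PASS" ] || { echo 'GPG_PASS is not set' >&2; exit 1; };` (quotes escaped as in the existing string) gives a clear failure. The whole pipeline also sits on one flow-sequence string far beyond yamllint's 120-column hard limit; block-style `args:` with a `>-` folded scalar for the `-c` body would read better and would remove the need for the `\"` escapes.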