Unverified Commit dd6129b6 authored by Jonathan GAYVALLET's avatar Jonathan GAYVALLET Committed by Jonathan GAYVALLET INNOV/NET

feat: enable commit signing

parent 38af2069
+10 −0
@@ -135,6 +135,16 @@ Parameters:
1. Last release version
2. next release version

#### Signing release commits with GPG

For an introduction on commit signing, see [GitLab documentation](https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/).

To make semantic-release sign its commits, use the following variable.

| Name                 | description                                                              | default value |
| ---------------------| ------------------------------------------------------------------------ | ------------- |
| :lock: `SEMREL_GPG_SIGNKEY` | Path to the GPG signkey exported with `gpg --armor --export-secret-key`<br/>:warning: Declare as a masked [project variable of File type](https://docs.gitlab.com/ee/ci/variables/#cicd-variable-types). | _none_        |

### `semantic-release-info` job

This job (disabled by default) runs `semantic-release` with `dry-run` mode in `.pre` stage to save the following variables as [dotenv artifact](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv) making them available for the next pipeline stages:
+6 −0
@@ -77,6 +77,12 @@
          "name": "SEMREL_RELEASE_DISABLED",
          "description": "Disable this job.",
          "advanced": true
        },
        {
          "name": "SEMREL_GPG_SIGNKEY",
          "description": "Path to the GPG signkey exported with `gpg --armor --export-secret-key`.",
          "secret": true,
          "advanced": true
        }
      ]
    },
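Review bot: The new `SEMREL_GPG_SIGNKEY` entry in the template metadata omits the constraint the README adds for the same variable in this commit — that it must be declared as a masked CI/CD variable of File type — so a user configuring from this descriptor only sees `"secret": true` and may paste the armored key as a plain string, which the job then rejects as "not a file". Suggest extending the description to: `"description": "Path to the GPG signkey exported with gpg --armor --export-secret-key. Declare it as a masked CI/CD variable of type File."`. The surrounding variables array starts and ends outside this section.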
+30 −0
@@ -537,6 +537,35 @@ stages:
    fi
  }

  function configure_commit_signing() {
    if [[ -z "${SEMREL_GPG_SIGNKEY}" ]]; then
      log_info "No GPG key provided."
      return
    fi

    log_info "Setting commit signing up."

    if [[ ! -f "${SEMREL_GPG_SIGNKEY}" ]]; then
      fail "SEMREL_GPG_SIGNKEY is not a file."
    fi
  
    if ! gpg --batch --dry-run --yes --import "${SEMREL_GPG_SIGNKEY}"; then
      fail "Could not import GPG key."
    fi
    
    # import the key and extract its ID from the command output
    _GPG_KEY_ID=$(gpg --batch --yes --import "${SEMREL_GPG_SIGNKEY}" 2>&1 | grep "key [A-F0-9]" | head -n 1 | sed -e 's/^.*key \([A-F0-9]*\): .*$/\1/g')
  
    if [[ -z "${_GPG_KEY_ID}" ]]; then
        fail "Could not extract key ID from gpg --import command."
    fi
    
    git config --global commit.gpgsign true
    git config --global user.signingkey "${_GPG_KEY_ID}"

    log_info "Commit signing setup complete."
  }

  unscope_variables
  eval_all_secrets

@@ -578,6 +607,7 @@ semantic-release:
  extends: .semrel-base
  stage: publish
  script:
    - configure_commit_signing
    - install_semantic_release_plugins
    - semantic-release --ci ${SEMREL_DRY_RUN+-d}
  dependencies: []
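Review bot: The key ID extraction in `configure_commit_signing` parses gpg's human-readable stderr (`grep "key [A-F0-9]" | head -n 1 | sed …`), which is localized and not a stable interface, so a runner with a non-English locale or a different GnuPG wording leaves `_GPG_KEY_ID` empty and fails the job even though the import succeeded. The machine-readable listing (`--with-colons` combined with `--import-options import-show`, available on GnuPG 2.1+) reports the long key ID as field 5 of the `sec` record independent of locale. Separately, the secret key is imported into the runner's default keyring and `git config --global` is written, both of which outlive the job on shell/SSH executors; pointing `GNUPGHOME` at a fresh `mktemp -d` directory before the import keeps the key job-local without changing how git finds it. Two caveats the documentation should state: only commits are signed here (release tags stay unsigned unless `tag.gpgSign` is also set), and a passphrase-protected key cannot be used under `--batch` without a loopback pinentry and a passphrase source. Suggested rewrite of the import/extraction part of the function:
```yaml
  function configure_commit_signing() {
    # … unchanged: empty-variable check, not-a-file check, dry-run import …

    # Throw-away keyring so the secret key never lands in the runner's
    # persistent ~/.gnupg (shell/SSH executors are not ephemeral); git's gpg
    # invocation inherits GNUPGHOME from the job environment.
    export GNUPGHOME="$(mktemp -d)"
    chmod 700 "${GNUPGHOME}"

    # Locale-independent extraction: field 5 of the 'sec' record is the
    # long key ID (requires GnuPG >= 2.1 for import-show).
    _GPG_KEY_ID=$(gpg --batch --yes --with-colons --import-options import-show --import "${SEMREL_GPG_SIGNKEY}" 2>/dev/null | awk -F: '$1 == "sec" { print $5; exit }')

    # … unchanged: empty-ID check, git config commit.gpgsign / user.signingkey, log …
  }
```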