ci(GitHub-CI): draft only, also use version output

Set the draft to true and manually verify tags before release Set our version tag so we use [vX.X.X] for cleaner release
2026-06-11 00:02:29 +02:00 · 2026-05-31 06:15:01 -04:00
parent cc5ad371a8
commit 45a8539a9e
20 changed files with 56095 additions and 53058 deletions
@@ -0,0 +1,256 @@
+name: 🔏 Sign PDFs
+
+# Can be triggered:
+# 1. Automatically after build.yml completes on main
+# 2. Manually, pointing at a specific build run to pull PDFs from
+on:
+  workflow_dispatch:
+    inputs:
+      build_run_id:
+        description: 'build.yml run ID to download PDFs from'
+        required: true
+        type: string
+
+# Download artifacts from other runs + commit export/ files back to the repo
+permissions:
+  actions:  read
+  contents: write
+
+jobs:
+  sign:
+    name: Hash & Sign PDFs
+    runs-on: ubuntu-latest
+    outputs:
+      light_sha256: ${{ steps.hashes.outputs.light_sha256 }}
+      dark_sha256:  ${{ steps.hashes.outputs.dark_sha256 }}
+      light_b2:     ${{ steps.hashes.outputs.light_b2 }}
+      dark_b2:      ${{ steps.hashes.outputs.dark_b2 }}
+
+    steps:
+      - name: 🛠️ Checkout (for pgp/ key reference only)
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: pgp
+
+      - name: 📥 Download PDF artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name:         pdfs
+          path:         export/
+          run-id:       ${{ inputs.build_run_id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 📋 List downloaded files
+        run: ls -lh export/
+
+      # Hash - extensions match export/ conventions: .sha256, .b2sum
+      - name: "#️⃣ Hash PDFs"
+        id: hashes
+        run: |
+          cd export
+
+          for f in thgtoa.pdf thgtoa-dark.pdf; do
+            [ -f "$f" ] || continue
+            sha256sum "$f" | awk '{print $1}' > "${f}.sha256"
+            b2sum     "$f" | awk '{print $1}' > "${f}.b2sum"
+          done
+
+          # Combined summary files
+          sha256sum thgtoa.pdf thgtoa-dark.pdf 2>/dev/null > sha256sums.txt || \
+            sha256sum thgtoa.pdf               2>/dev/null > sha256sums.txt
+          b2sum     thgtoa.pdf thgtoa-dark.pdf 2>/dev/null > b2sums.txt     || \
+            b2sum     thgtoa.pdf               2>/dev/null > b2sums.txt
+
+          light_sha256=$(cat thgtoa.pdf.sha256      2>/dev/null || echo "")
+          dark_sha256=$(cat  thgtoa-dark.pdf.sha256 2>/dev/null || echo "")
+          light_b2=$(cat     thgtoa.pdf.b2sum       2>/dev/null || echo "")
+          dark_b2=$(cat      thgtoa-dark.pdf.b2sum  2>/dev/null || echo "")
+
+          echo "light_sha256=$light_sha256" >> $GITHUB_OUTPUT
+          echo "dark_sha256=$dark_sha256"   >> $GITHUB_OUTPUT
+          echo "light_b2=$light_b2"         >> $GITHUB_OUTPUT
+          echo "dark_b2=$dark_b2"           >> $GITHUB_OUTPUT
+
+          echo "--- SHA-256 ---"
+          cat sha256sums.txt
+          echo "--- BLAKE2b ---"
+          cat b2sums.txt
+
+      # GPG sign — detached ASCII-armor signatures use .asc extension
+      - name: 🔑 Install GPG
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y gnupg
+
+      - name: 🔏 Import GPG signing key
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE:  ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
+          echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \
+            --pinentry-mode loopback --list-secret-keys
+
+      - name: 🔏 Sign PDFs and hash files
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          sign() {
+            local file="$1"
+            [ -f "$file" ] || return 0
+            echo "$GPG_PASSPHRASE" | gpg --batch --yes --passphrase-fd 0 \
+              --pinentry-mode loopback \
+              --detach-sign --armor --output "${file}.asc" "$file"
+            echo "Signed: $file → ${file}.asc"
+          }
+          sign export/thgtoa.pdf
+          sign export/thgtoa-dark.pdf
+          sign export/sha256sums.txt
+          sign export/b2sums.txt
+
+      # Commit export/ back to main
+      - name: 📦 Checkout full repo for commit
+        uses: actions/checkout@v4
+        with:
+          ref: main
+          fetch-depth: 0
+          path: repo
+
+      - name: 📂 Copy export files into repo
+        run: cp -v export/* repo/export/
+
+      - name: 🔏 Configure SSH commit signing
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.ACTIONS_SSH_SIGNING_KEY }}" > ~/.ssh/signing_key
+          chmod 600 ~/.ssh/signing_key
+          git config --global gpg.format ssh
+          git config --global user.signingKey ~/.ssh/signing_key
+          git config --global commit.gpgSign true
+          git config --global user.name  "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      # If no change in git diff, do nothing
+      - name: 📤 Commit and push export/ to main
+        working-directory: repo
+        run: |
+          git add export/
+          if git diff --cached --quiet; then
+            echo "Nothing to commit — export/ is already up to date."
+          else
+            git commit -S -m "chore(export): update PDFs, hashes and signatures [skip ci]"
+            git push origin main
+          fi
+
+      # Upload artifacts for 03-release.yml and verify job to consume
+      - name: 📤 Upload signatures artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: signatures
+          path: |
+            export/sha256sums.txt
+            export/b2sums.txt
+            export/thgtoa.pdf.sha256
+            export/thgtoa-dark.pdf.sha256
+            export/thgtoa.pdf.b2sum
+            export/thgtoa-dark.pdf.b2sum
+            export/thgtoa.pdf.asc
+            export/thgtoa-dark.pdf.asc
+            export/sha256sums.txt.asc
+            export/b2sums.txt.asc
+          if-no-files-found: error
+          retention-days: 90
+          compression-level: 0
+
+      - name: 📤 Upload signed PDFs artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: pdfs-signed
+          path: |
+            export/thgtoa.pdf
+            export/thgtoa-dark.pdf
+          if-no-files-found: warn
+          retention-days: 90
+          compression-level: 0
+
+  # Verify — runs after sign, surfaces results as a job summary
+  verify:
+    name: Verify hashes & signatures
+    runs-on: ubuntu-latest
+    needs: sign
+    # Always run so the summary is visible even if sign partially failed
+    if: always()
+
+    steps:
+      - name: 🛠️ Checkout scripts and public key
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            scripts/verify_pdf.py
+            pgp
+
+      - name: 📥 Download signatures artifact
+        uses: actions/download-artifact@v4
+        with:
+          name:         signatures
+          path:         export/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 📥 Download signed PDFs artifact
+        uses: actions/download-artifact@v4
+        with:
+          name:         pdfs-signed
+          path:         export/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 🔑 Install GPG and import public key
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y gnupg
+          gpg --import pgp/anonymousplanet-release.asc
+
+      - name: 🐍 Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: 🔍 Run verify_pdf.py
+        id: verify
+        run: |
+          # Capture output and exit code separately so we can write the
+          # summary regardless of whether verification passed or failed.
+          set +e
+          output=$(python scripts/verify_pdf.py --hashes --signatures --export-dir export 2>&1)
+          exit_code=$?
+          set -e
+
+          echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
+
+          # ── Job summary ──────────────────────────────────────────────
+          {
+            if [ "$exit_code" -eq 0 ]; then
+              echo "## ✅ Verification passed"
+            else
+              echo "## ❌ Verification failed"
+            fi
+
+            echo ""
+            echo "**Run:** [\`${{ github.run_id }}\`](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) &nbsp;·&nbsp; **Commit:** [\`${GITHUB_SHA::7}\`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) &nbsp;·&nbsp; **By:** \`${{ github.actor }}\`"
+            echo ""
+            echo "### Script output"
+            echo '```'
+            echo "$output"
+            echo '```'
+            echo ""
+            echo "### Hashes"
+            echo '```'
+            echo "── SHA-256 ──────────────────────────────────────────────────────"
+            cat export/sha256sums.txt 2>/dev/null || echo "(not found)"
+            echo ""
+            echo "── BLAKE2b ──────────────────────────────────────────────────────"
+            cat export/b2sums.txt 2>/dev/null || echo "(not found)"
+            echo '```'
+          } >> $GITHUB_STEP_SUMMARY
+
+          # Propagate failure so the job is marked red if verification fails
+          exit $exit_code