Add gpg sign for devops bot

bitwarden · Jun 19, 2024 · eb021b2 · eb021b2
1 parent 70769e0
commit eb021b2
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -51,6 +51,33 @@ jobs:
           VERSION=$(hatch version)
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-gpg-private-key,
+            github-gpg-private-key-passphrase,
+            github-pat-bitwarden-devops-bot-repo-scope"
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
+          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+
+      - name: Setup git
+        run: |
+          git config --local user.email "[email protected]"
+          git config --local user.name "bitwarden-devops-bot"
+
       - name: Commit version bump
         env:
           OLD_VERSION: ${{ env.OLD_VERSION }}