Improved PGP and passphrase security by storing them on /tmp and wipi…

…ng them afterwards Signed-off-by: Itay Grudev <[email protected]>
icekom · Feb 22, 2024 · 001d787 · 001d787
1 parent 957c1fe
commit 001d787
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -29,8 +29,8 @@ jobs:
 
       - name: Import PGP Private Key
         run: |
-          echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
-          echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > passphrase-file.txt
+          echo "${{ secrets.PGP_PRIVATE_KEY }}" | gpg --dearmor --output /tmp/keyring.gpg
+          echo "${{ secrets.PGP_KEY_PASSPHRASE }}" > /tmp/passphrase-file.txt
 
       - name: Set up Helm
         uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f # v4.0.0
@@ -42,13 +42,17 @@ jobs:
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           CR_KEY: [email protected]
-          CR_KEYRING: keyring.gpg
-          CR_PASSPHRASE_FILE: passphrase-file.txt
+          CR_KEYRING: /tmp/keyring.gpg
+          CR_PASSPHRASE_FILE: /tmp/passphrase-file.txt
           CR_SIGN: true
           CR_SKIP_EXISTING: true
           CR_GENERATE_RELEASE_NOTES: true
           CR_RELEASE_NAME_TEMPLATE: "{{ .Name }}-v{{ .Version }}"
 
+      - name: Securely delete the PGP key and passphrase
+        if: always()
+        run: shred --remove=wipesync /tmp/keyring.gpg /tmp/passphrase-file.txt
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with: