From d0192d9a72b3cd9d02bd435b7fb048616749a0f0 Mon Sep 17 00:00:00 2001 From: Aetherinox Date: Tue, 13 May 2025 01:28:15 -0700 Subject: [PATCH] ci: update release workflow --- .github/workflows/release.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e95ea96e..ebcc26e6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -114,6 +114,8 @@ env: BOT_NAME_2: BinaryServ BOT_NAME_DEPENDABOT: dependabot[bot] BOT_NAME_RENOVATE: renovate[bot] + GPG_KEY_BASE64: ${{ secrets.ADMINSERV_GPG_KEY_B64 }} + GPG_KEY_PASSPHRASE: ${{ secrets.ADMINSERV_GPG_PASSPHRASE }} # # # Jobs @@ -346,6 +348,22 @@ jobs: echo "Tag already present: ${{ env.TAG_EXISTS }}" echo "Tag already present: ${{ steps.task_release_tag_create.outputs.tag_exists }}" + # # + # Release › GPG Key + # # + + - name: 'Import signing key' + if: env.GPG_KEY_BASE64 != '' && env.GPG_KEY_PASSPHRASE == '' + run: | + echo $GPG_KEY_BASE64 | base64 -di | gpg --import + + - name: 'Import signing key and strip passphrase' + if: env.GPG_KEY_BASE64 != '' && env.GPG_KEY_PASSPHRASE != '' + run: | + echo "$GPG_KEY_BASE64" | base64 -di > /tmp/signing-key.gpg + echo "$GPG_KEY_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --import /tmp/signing-key.gpg + (echo "$GPG_KEY_PASSPHRASE"; echo; echo) | gpg --command-fd 0 --pinentry-mode loopback --change-passphrase $(gpg --list-secret-keys --with-colons 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5 | tail -n 1) + # # # Release › Checksum › Stable # # 
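Review bot: Declaring `GPG_KEY_BASE64` and `GPG_KEY_PASSPHRASE` in the workflow-level `env:` block puts the private signing key and its passphrase into the environment of every step of every job, including any third-party actions the workflow runs. Before this change the secret was expanded only inside the two checksum steps. Moving both variables to the `env:` of the job that signs, or better to the import steps themselves, narrows that exposure. The new `if:` conditions read `env.GPG_KEY_BASE64`, so a step-level move needs the emptiness check handled separately, for example via a flag set by an earlier step. The rest of the `env:` block lies outside this hunk, so other consumers of these names cannot be ruled out from here.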
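Review bot: The step 'Import signing key and strip passphrase' writes the decoded private key to the fixed path `/tmp/signing-key.gpg` and never deletes it, then re-saves the key in the keyring with an empty passphrase, so an unprotected copy stays on disk for the rest of the job (and beyond it on a self-hosted runner). Set `umask 077`, use `keyfile="$(mktemp)"` with `trap 'rm -f "$keyfile"' EXIT`, and import from `"$keyfile"`; keeping the passphrase and supplying it at signing time would avoid the stripped key altogether. In the first step `$GPG_KEY_BASE64` is unquoted and `--batch` was dropped compared with the removed inline import; `echo "$GPG_KEY_BASE64" | base64 -di | gpg --batch --import` restores both. The `$(gpg --list-secret-keys … | tail -n 1)` substitution is unquoted and unchecked, so an empty result leaves `--change-passphrase` without a key argument, and `tail -n 1` picks whichever secret key is listed last rather than the one just imported. When the secret is unset neither step runs, and the later `--clearsign` calls will presumably fail for lack of a key, so an explicit early failure with a clear message would be easier to diagnose.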
@@ -356,9 +374,6 @@ jobs: run: | filename_zip="${{ env.PROJECT_NAME }}-${{ env.PACKAGE_VERSION }}.zip" - # import gpg key (base64) - echo '${{ secrets.ADMINSERV_GPG_KEY_B64 }}' | base64 -d -i - | gpg --import --batch - # get sha1 and sha256 for .zip and .gz files find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha1sum | gpg --digest-algo sha256 --clearsign > sha1sum.txt.asc find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha256sum | gpg --digest-algo sha256 --clearsign > sha256sum.txt.asc @@ -389,9 +404,6 @@ jobs: run: | filename_zip="${{ env.PROJECT_NAME }}-${{ env.PACKAGE_VERSION }}-rc.${{ inputs.VERSION_RC }}.zip" - # import gpg key (base64) - echo '${{ secrets.ADMINSERV_GPG_KEY_B64 }}' | base64 -d -i - | gpg --import --batch - # get sha1 and sha256 for .zip and .gz files find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha1sum | gpg --digest-algo sha256 --clearsign > sha1sum.txt.asc find . -maxdepth 1 \( -name '*.zip' -o -name '*.gz' \) -printf '%P\n' | xargs -r sha256sum | gpg --digest-algo sha256 --clearsign > sha256sum.txt.asc