release cicd: separate staging and prod gpg keys

MyroTk · web-flow · commit 758f50933d7e · 2025-06-12T20:08:42.000-04:00
diff --git a/.github/workflows/sign_and_release.yml b/.github/workflows/sign_and_release.yml
@@ -493,7 +493,7 @@ jobs:
 
       - name: Set up GPG passphrase
         run: |
-          if [ "${{ inputs.release_environment }}" == "production" ]; then
+          if [ "${RELEASE_ENVIRONMENT}" == "production" ]; then
             if [ -z "${{ inputs.GPG_PASSPHRASE }}" ]; then
               echo "Error: GPG_PASSPHRASE is required for production releases"
               exit 1
@@ -512,9 +512,16 @@ jobs:
           fi
 
           echo "Processing GPG key..."
-          if ! aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:446527654354:secret:altinity_${RELEASE_ENVIRONMENT}_gpg-Rqbe8S --query SecretString --output text | sed -e "s/^'//" -e "s/'$//" | jq -r '.altinity_${RELEASE_ENVIRONMENT}_gpg | @base64d' | gpg --quiet --batch --import >/dev/null 2>&1; then
-            echo "Failed to import GPG key"
-            exit 1
+          if [ "${RELEASE_ENVIRONMENT}" == "production" ]; then
+            if ! aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:${{ secrets.SIGNING_PROD_SECRET_ID }} --query SecretString --output text | sed -e "s/^'//" -e "s/'$//" | jq -r '.altinity_prod_gpg | @base64d' | gpg --quiet --batch --import >/dev/null 2>&1; then
+              echo "Failed to import prod GPG key"
+              exit 1
+            fi
+          else
+            if ! aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:${{ secrets.SIGNING_STAGING_SECRET_ID }} --query SecretString --output text | sed -e "s/^'//" -e "s/'$//" | jq -r '.altinity_staging_gpg | @base64d' | gpg --quiet --batch --import >/dev/null 2>&1; then
+              echo "Failed to import staging GPG key"
+              exit 1
+            fi
           fi
 
           gpg --quiet --list-secret-keys --with-keygrip >/dev/null 2>&1
