edit secrets

jakub-tldr · jakub-tldr · commit b99defe1ca03 · 2025-10-15T12:35:52.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -189,7 +189,7 @@ jobs:
           export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
           COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
 
-          deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
+          deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
 
 
       - name: Run `packer init`
@@ -229,3 +229,43 @@ jobs:
       #     asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
       #     asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
       #     asset_content_type: application/octet-stream
+
+  apt-sign:
+    needs: 
+      - build-binaries
+    runs-on:
+      - self-hosted
+      - Linux
+      - X64
+    strategy:
+      fail-fast: false
+    steps:
+      - name: Sign APT repository on trixie 
+        run: |
+          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
+          export AWS_REGION=eu-north-1
+          sudo apt update -y
+          sudo apt install -y awscli curl jq
+
+          #For trixie
+          aws s3 cp s3://apt.defguard.net/dists/trixie/Release .
+          curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+          -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+          -F "file=@Release" \
+          -o response.json
+          cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+          cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+          aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read
+          aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read
+
+          #For bookworm
+          aws s3 cp s3://apt.defguard.net/dists/bookworm/Release .
+          curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+          -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+          -F "file=@Release" \
+          -o response.json
+          cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+          cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+          aws s3 cp Release.gpg s3://apt.defguard.net/dists/bookworm/ --acl public-read
+          aws s3 cp InRelease s3://apt.defguard.net/dists/bookworm/ --acl public-read
