test release

Author: masterkain

.github/workflows/release.yml

@@ -6,61 +6,61 @@ on:
 jobs:
   release:
     permissions:
-      contents: write    # for Releases/index.yaml
+      contents: write    # for GitHub Releases / index.yaml
       packages: write    # for GHCR
     runs-on: ubuntu-latest
 
     steps:
-      # 1. Checkout
+      # 1) Checkout
       - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      # 2. Configure Git
+      # 2) Configure Git
       - name: Configure Git
         run: |
           git config user.name  "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      # 3. Install Helm
+      # 3) Install Helm CLI
       - name: Install Helm
         uses: azure/setup-helm@v4.3.0
 
-      # 4. Import your ASCII-armored secret key (contains both public & private)
+      # 4) Import your ASCII-armored secret key
       - name: Import GPG private key
         run: |
           echo "${{ secrets.GPG_PRIVATE_KEY }}" \
             | gpg --batch --yes --import
-        # Expects secrets.GPG_PRIVATE_KEY = output of:
-        #   gpg --armor --export-secret-keys <KEYID> :contentReference[oaicite:5]{index=5}
+        # imports both public & private material :contentReference[oaicite:1]{index=1}
 
-      # 5. Enable loopback pinentry so --passphrase-file works in batchmode
-      - name: Enable GPG loopback pinentry
-        run: |
-          # Allow loopback in agent and gpg itself
-          printf "%s\n" "allow-loopback-pinentry" \
-            >> ~/.gnupg/gpg-agent.conf
-          printf "%s\n" "pinentry-mode loopback" \
-            >> ~/.gnupg/gpg.conf
-          # Restart the agent to pick up changes
-          gpgconf --kill gpg-agent
-        # Without this, GPG in batchmode cannot read passphrases :contentReference[oaicite:6]{index=6}
-
-      # 6. Export legacy keyring files that Helm expects
+      # 5) Export legacy keyrings for Helm provenance
       - name: Export legacy .gpg keyrings
         run: |
           mkdir -p ~/.gnupg
-          # Export public keys into legacy pubring.gpg
+          # Public keyring:
           gpg --batch --yes --export "${{ secrets.CR_KEY }}" \
             > ~/.gnupg/pubring.gpg
-          # Export secret keys into legacy secring.gpg
+          # Secret keyring:
           gpg --batch --yes --export-secret-keys "${{ secrets.CR_KEY }}" \
             > ~/.gnupg/secring.gpg
           ls -l ~/.gnupg/pubring.gpg ~/.gnupg/secring.gpg
-        # Helm’s provenance tooling looks for these hard-coded paths :contentReference[oaicite:7]{index=7}
+        # Helm looks for these files by default :contentReference[oaicite:2]{index=2}
+
+      # 6) Install gpg-preset-passphrase and cache the passphrase
+      - name: Cache GPG passphrase in agent
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gnupg2-utils
+          # Grab the first keygrip from your secret keyring
+          KEYGRIP=$(gpg --with-keygrip -K "${{ secrets.CR_KEY }}" \
+                    | awk '/Keygrip/ { print $3; exit }')
+          # Preset the passphrase into gpg-agent
+          echo "${{ secrets.GPG_PASSPHRASE }}" \
+            | gpg-preset-passphrase --preset --passphrase-fd 0 "$KEYGRIP"
+        # gpg-preset-passphrase caches your passphrase so gpg can sign non-interactively :contentReference[oaicite:3]{index=3}
 
-      # 7. Package & sign each chart
+      # 7) Package & sign charts (no more batchmode errors)
       - name: Package & sign charts
         shell: bash
         run: |
@@ -70,31 +70,30 @@ jobs:
               --sign \
               --key "${{ secrets.CR_KEY }}" \
               --keyring ~/.gnupg/secring.gpg \
-              --passphrase-file <(echo "${{ secrets.GPG_PASSPHRASE }}") \
               --destination .cr-release-packages
           done
-        # Now GPG will read the passphrase and keyring non-interactively :contentReference[oaicite:8]{index=8}
+        # Since agent has the passphrase, no prompts occur :contentReference[oaicite:4]{index=4}
 
-      # 8. Publish the signed charts (no re-packaging)
+      # 8) Publish the signed charts (skip repackaging)
       - name: Publish signed charts
         uses: helm/chart-releaser-action@v1.7.0
         with:
           skip_existing:  true
           skip_packaging: true
         env:
           CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CR_SIGN:  false   # Already signed above :contentReference[oaicite:9]{index=9}
+          CR_SIGN:  false    # already signed
 
-      # 9. Login to GHCR for OCI pushes
+      # 9) Login to GHCR for OCI pushes
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          registry:   ghcr.io
+          username:   ${{ github.actor }}
+          password:   ${{ secrets.GITHUB_TOKEN }}
 
-      # 10. Push OCI charts to GHCR
+      # 10) Push OCI charts to GHCR
       - name: Push Charts to GHCR
         shell: bash
         run: |
-          for
+          for pkg in .cr-release-packages/*; do