ci(gh-actions/update-flake-lock): Enable GPG commit signing

PetarKirov · PetarKirov · commit 442ab11fa1c4 · 2025-08-06T00:29:05.000+03:00
diff --git a/.github/workflows/reusable-update-flake-lock.yml b/.github/workflows/reusable-update-flake-lock.yml
@@ -14,6 +14,11 @@ on:
         default: ''
         required: false
         type: string
+      sign-commits:
+        description: 'Enable GPG commit signing'
+        default: false
+        required: false
+        type: boolean
 
     secrets:
       NIX_GITHUB_TOKEN:
@@ -31,6 +36,9 @@ on:
       CREATE_PR_APP_PRIVATE_KEY:
         description: Private key of the GitHub App used for opening pull requests.
         required: true
+      GPG_SIGNING_KEY:
+        description: GPG private key used to sign commits
+        required: false
 
     outputs:
       pr-url:
@@ -61,6 +69,12 @@ jobs:
           trusted-public-keys: ${{ vars.TRUSTED_PUBLIC_KEYS }}
           substituters: ${{ vars.SUBSTITUTERS }}
 
+      - name: Configure GPG Key
+        env:
+          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
+        run: |
+          echo -n "$GPG_SIGNING_KEY" | base64 --decode | gpg --import
+
       - name: Run `nix flake update`
         id: update-lockfile
         run: |
