build-git-installers: publish gpg public key

ldennington · mjcheetham · commit cca04465ddc9 · 2025-03-17T11:34:01.000Z
Update build-git-installers workflow to publish `microsoft/git`'s GPG public
key as part of each release. Add explanation for how to use this key to verify
the Debian package's signature to the README.
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
@@ -635,11 +635,16 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write # required for Azure login via OIDC
     needs:
       - create-linux-artifacts
       - create-macos-artifacts
       - windows_artifacts
       - prereqs
+    env:
+      AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+      GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }}
+    environment: release
     if: |
       success() ||
         (needs.create-linux-artifacts.result == 'skipped' &&
@@ -682,6 +687,20 @@ jobs:
           name: linux-artifacts
           path: deb-package
 
+      - name: Log into Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Download GPG public key signature file
+        run: |
+          az keyvault secret show --name "$GPG_PUBLIC_KEY_SECRET_NAME" \
+            --vault-name "$AZURE_VAULT" --query "value" --output tsv |
+            base64 -d >msft-git-public.asc
+          mv msft-git-public.asc deb-package
+
       - uses: actions/github-script@v6
         with:
           script: |
