fix: use MINISIGN_PASSPHRASE secret for password-protected keys #17
Merged
ramonclaudio merged 3 commits into main, Sep 7, 2025
The publish workflow now checks if MINISIGN_PRIVATE_KEY secret exists before attempting to decode it. If the secret is not set or empty, the workflow will skip minisign operations with a warning rather than failing the entire build. This allows the workflow to complete successfully even without minisign configured, while still generating other security artifacts like GPG signatures, SBOMs, and SLSA attestations.
The workflow now attempts to sign with minisign but continues without failing if the key requires a password (which can't be provided in CI). This allows the workflow to complete successfully even with password-protected keys, while still generating other security artifacts.
The workflow now pipes the MINISIGN_PASSPHRASE secret to minisign for signing operations. This allows using password-protected minisign keys in CI by providing the password via GitHub secrets.
Required secrets:
- MINISIGN_PRIVATE_KEY: Base64-encoded minisign private key
- MINISIGN_PASSPHRASE: Password for the minisign key
Summary
Fixes the publish workflow to properly handle password-protected minisign keys using the MINISIGN_PASSPHRASE secret.
Problem
The workflow was failing with a Password: get_password() error because the minisign private key is password-protected and the workflow couldn't provide the password in a non-interactive CI environment.
Solution
- MINISIGN_PASSPHRASE secret piped to minisign for all signing operations
- MINISIGN_ASK_PASS=0 to prevent interactive password prompts
Required Secrets
The workflow now requires:
- MINISIGN_PRIVATE_KEY: Base64-encoded minisign private key
- MINISIGN_PASSPHRASE: Password for the minisign key (plain text)
Testing
With both secrets configured, the workflow will:
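The signing step this PR describes, written out as an added shell example rather than the project's own workflow: skip with a warning when the key secret is absent, decode the base64 key into a private temp file, and feed the passphrase to minisign on stdin so the key unlock is non-interactive. The function names, the temp-file handling and the `::warning::` annotation are this example's choices; minisign's `-S`, `-s`, `-m` and `-x` flags are the real ones, and the example does not set the page's MINISIGN_ASK_PASS variable, relying on stdin alone.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow. minisign's get_password() reads
# the passphrase from stdin; an empty stdin in CI is what yields the
# "Password: get_password()" failure described in the PR.
set -u

# Decode the base64 secret ($1) into a mode-0600 temp file; print its path.
write_key_file() {
  key_file=$(mktemp) || return 1
  chmod 600 "$key_file" || return 1
  printf '%s' "$1" | base64 -d > "$key_file" || { rm -f "$key_file"; return 1; }
  printf '%s\n' "$key_file"
}

# minisign_sign ARTIFACT: returns 0 when signed or intentionally skipped,
# non-zero only on a real failure (missing tool, bad key, wrong passphrase).
minisign_sign() {
  artifact=$1
  if [ -z "${MINISIGN_PRIVATE_KEY:-}" ]; then
    # GitHub Actions workflow command: surfaces as a warning, not a failure.
    echo "::warning::MINISIGN_PRIVATE_KEY not set; skipping minisign" >&2
    return 0
  fi
  if ! command -v minisign >/dev/null 2>&1; then
    echo "::error::minisign is not installed" >&2
    return 2
  fi
  key_file=$(write_key_file "$MINISIGN_PRIVATE_KEY") || return 1
  # Passphrase (possibly empty) on stdin, newline-terminated, so the key is
  # unlocked without a TTY prompt. A wrong passphrase makes minisign exit
  # non-zero, which is propagated.
  printf '%s\n' "${MINISIGN_PASSPHRASE:-}" |
    minisign -S -s "$key_file" -m "$artifact" -x "$artifact.minisig"
  rc=$?
  rm -f "$key_file"   # never leave the decoded key on the runner
  return $rc
}

# Usage in a workflow step:  minisign_sign dist/release.tar.gz
```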