From 84347346538b00666d0c03308153ba308770c653 Mon Sep 17 00:00:00 2001 From: RMNCLDYO Date: Sun, 7 Sep 2025 11:23:08 -0400 Subject: [PATCH 1/3] fix: add graceful handling for missing minisign secret The publish workflow now checks if MINISIGN_PRIVATE_KEY secret exists before attempting to decode it. If the secret is not set or empty, the workflow will skip minisign operations with a warning rather than failing the entire build. This allows the workflow to complete successfully even without minisign configured, while still generating other security artifacts like GPG signatures, SBOMs, and SLSA attestations. --- .github/workflows/publish.yml | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2169d82..b661e04 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -74,12 +74,21 @@ jobs: - name: Setup minisign keys run: | - echo "${{ secrets.MINISIGN_PRIVATE_KEY }}" | base64 -d > minisign.key - chmod 600 minisign.key + if [ -n "${{ secrets.MINISIGN_PRIVATE_KEY }}" ]; then + echo "${{ secrets.MINISIGN_PRIVATE_KEY }}" | base64 -d > minisign.key + chmod 600 minisign.key + else + echo "::warning::MINISIGN_PRIVATE_KEY secret not set, skipping minisign signature" + touch minisign.key.skip + fi - name: Sign package with minisign run: | - minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" + if [ ! -f minisign.key.skip ]; then + minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" + else + echo "::warning::Skipping minisign signature generation" + fi - name: Import GPG key uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 
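Review bot: `if [ -n "${{ secrets.MINISIGN_PRIVATE_KEY }}" ]` and the `echo "${{ secrets.MINISIGN_PRIVATE_KEY }}"` below it in the `Setup minisign keys` step expand the secret into the script text when the step is rendered, so any quote or shell metacharacter in the value changes the script instead of being passed as data; map it once on the step with `env: MINISIGN_PRIVATE_KEY: ${{ secrets.MINISIGN_PRIVATE_KEY }}` and use `"$MINISIGN_PRIVATE_KEY"` in both places. The presence test could also move out of the script to the step, `if: ${{ secrets.MINISIGN_PRIVATE_KEY != '' }}`, which would remove the need for the `minisign.key.skip` marker file that the later steps poll. An absent secret now only emits `::warning::` and the job keeps going, so a release can be published without the minisign signature of the package; consider failing instead on tag-triggered runs, or at least stating in the step comment that minisign output is optional. The same interpolation pattern recurs in the passphrase hunks of the third patch.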
@@ -120,22 +129,26 @@ jobs: - name: Sign all SBOMs and attestations run: | - # Sign all SBOM files with both minisign and GPG + # Sign all SBOM files with both minisign and GPG (if keys available) for sbom in create-claude-$VERSION.sbom.* create-claude-$VERSION.ms-spdx.json; do if [ -f "$sbom" ]; then echo "Signing $sbom" - minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION" + if [ ! -f minisign.key.skip ]; then + minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION" + fi gpg --armor --detach-sign --output "$sbom.asc" "$sbom" fi done # Find and sign any GitHub attestation files - find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \; + if [ ! -f minisign.key.skip ]; then + find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \; + fi find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \; - name: Cleanup sensitive files run: | - rm -f minisign.key + rm -f minisign.key minisign.key.skip - name: Publish with provenance to NPM run: npm publish --provenance --access public From 36391b3b9efd1d165f557b9485de063c919b9ce4 Mon Sep 17 00:00:00 2001 From: RMNCLDYO Date: Sun, 7 Sep 2025 11:32:20 -0400 Subject: [PATCH 2/3] fix: handle password-protected minisign keys gracefully The workflow now attempts to sign with minisign but continues without failing if the key requires a password (which can't be provided in CI). This allows the workflow to complete successfully even with password- protected keys, while still generating other security artifacts. --- .github/workflows/publish.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b661e04..09968ac 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
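Review bot: The `Cleanup sensitive files` step that now runs `rm -f minisign.key minisign.key.skip` has no `if:` condition visible between its `name:` and `run:`, so when any earlier signing step fails the decoded private key stays in the workspace; a hosted runner discards the VM, but on a self-hosted runner the file persists until the next checkout. Add `if: always()` to that step (or remove the key in a `trap ... EXIT` inside the step that decodes it). In the SBOM loop the guarded `minisign -Sm "$sbom"` and the unconditional `gpg --armor --detach-sign` now succeed independently, so an SBOM can end up with a `.asc` but no `.minisig`; the new comment `# Sign all SBOM files with both minisign and GPG (if keys available)` should say that only the minisign signature is optional.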
@@ -85,7 +85,13 @@ jobs: - name: Sign package with minisign run: | if [ ! -f minisign.key.skip ]; then - minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" + # Try to sign, but don't fail if key requires password + if minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" 2>/dev/null; then + echo "✓ Successfully signed package with minisign" + else + echo "::warning::Minisign signing failed (key may require password). Continuing without minisign signature." + touch minisign.key.skip + fi else echo "::warning::Skipping minisign signature generation" fi From e8b94b02ffc44d9453aa592f987670eaeff8966f Mon Sep 17 00:00:00 2001 From: RMNCLDYO Date: Sun, 7 Sep 2025 11:34:11 -0400 Subject: [PATCH 3/3] fix: use MINISIGN_PASSPHRASE secret for password-protected keys The workflow now pipes the MINISIGN_PASSPHRASE secret to minisign for signing operations. This allows using password-protected minisign keys in CI by providing the password via GitHub secrets. Required secrets: - MINISIGN_PRIVATE_KEY: Base64-encoded minisign private key - MINISIGN_PASSPHRASE: Password for the minisign key --- .github/workflows/publish.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 09968ac..3c2abf8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -85,13 +85,10 @@ jobs: - name: Sign package with minisign run: | if [ ! -f minisign.key.skip ]; then - # Try to sign, but don't fail if key requires password - if minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" 2>/dev/null; then - echo "✓ Successfully signed package with minisign" - else - echo "::warning::Minisign signing failed (key may require password). Continuing without minisign signature." - touch minisign.key.skip - fi + # Use MINISIGN_PASSPHRASE environment variable for the password + export MINISIGN_ASK_PASS=0 + echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" + echo "✓ Successfully signed package with minisign" else echo "::warning::Skipping minisign signature generation" fi @@ -140,7 +137,7 @@ jobs: if [ -f "$sbom" ]; then echo "Signing $sbom" if [ ! -f minisign.key.skip ]; then - minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION" + echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION" fi gpg --armor --detach-sign --output "$sbom.asc" "$sbom" fi @@ -148,7 +145,7 @@ jobs: # Find and sign any GitHub attestation files if [ ! -f minisign.key.skip ]; then - find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \; + find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \; fi find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;
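Review bot: `echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" ...` bakes the passphrase into the rendered script, so a `"`, `$` or backtick in it alters the command rather than being passed as data, and the comment above it, `# Use MINISIGN_PASSPHRASE environment variable for the password`, does not describe what the line does. Declare it on the step, `env: MINISIGN_PASSPHRASE: ${{ secrets.MINISIGN_PASSPHRASE }}`, and pipe `printf '%s\n' "$MINISIGN_PASSPHRASE"` instead; the same applies to the `@@ -140,7 +137,7` and `@@ -148,7 +145,7` hunks. I cannot find `MINISIGN_ASK_PASS` among minisign's documented options, so confirm that `export MINISIGN_ASK_PASS=0` has any effect before keeping it. If the passphrase secret is unset the pipeline presumably feeds minisign an empty line and the step fails with an opaque error; a `[ -n "$MINISIGN_PASSPHRASE" ]` check beside the existing private-key check would give a clearer message.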
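Review bot: In the `find . -name "*.intoto.jsonl" -exec sh -c '...' _ {} \;` line the passphrase and `$VERSION` sit inside a single-quoted string handed to a child `sh`: a `'` in the passphrase terminates the quoted string early, and `$VERSION` is only expanded by the child if it is exported into the environment rather than set as a plain shell variable earlier in the script (the hunk does not show which). Passing both through `env:` on the step and referencing them from the child avoids the quoting problem: `-exec sh -c 'printf "%s\n" "$MINISIGN_PASSPHRASE" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \;`. The earlier `gpg --armor --detach-sign` line in the same hunk is unaffected since it carries no secret.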