30 changes: 23 additions & 7 deletions .github/workflows/publish.yml
@@ -74,12 +74,24 @@ jobs:

- name: Setup minisign keys
run: |
echo "${{ secrets.MINISIGN_PRIVATE_KEY }}" | base64 -d > minisign.key
chmod 600 minisign.key
if [ -n "${{ secrets.MINISIGN_PRIVATE_KEY }}" ]; then
echo "${{ secrets.MINISIGN_PRIVATE_KEY }}" | base64 -d > minisign.key
chmod 600 minisign.key
else
echo "::warning::MINISIGN_PRIVATE_KEY secret not set, skipping minisign signature"
touch minisign.key.skip
fi

- name: Sign package with minisign
run: |
minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
if [ ! -f minisign.key.skip ]; then
# Use MINISIGN_PASSPHRASE environment variable for the password
export MINISIGN_ASK_PASS=0
echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
echo "✓ Successfully signed package with minisign"
else
echo "::warning::Skipping minisign signature generation"
fi

- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
@@ -120,22 +132,26 @@ jobs:

- name: Sign all SBOMs and attestations
run: |
# Sign all SBOM files with both minisign and GPG
# Sign all SBOM files with both minisign and GPG (if keys available)
for sbom in create-claude-$VERSION.sbom.* create-claude-$VERSION.ms-spdx.json; do
if [ -f "$sbom" ]; then
echo "Signing $sbom"
minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
if [ ! -f minisign.key.skip ]; then
echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
fi
gpg --armor --detach-sign --output "$sbom.asc" "$sbom"
fi
done

# Find and sign any GitHub attestation files
find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \;
if [ ! -f minisign.key.skip ]; then
find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \;
fi
find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;

- name: Cleanup sensitive files
run: |
rm -f minisign.key
rm -f minisign.key minisign.key.skip

- name: Publish with provenance to NPM
run: npm publish --provenance --access public
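Review bot: The passphrase is pasted into the script text by `${{ secrets.MINISIGN_PASSPHRASE }}` in the package, SBOM and attestation signing commands, so a value containing `"`, `$`, a backtick or (in the `find … -exec sh -c '…'` line) a single quote breaks the quoting or is expanded by the shell, and in that `sh -c` line it also becomes part of the command's argument vector. Mapping the secret through the step's `env:` and reading `"$MINISIGN_PASSPHRASE"` inside the script avoids both, and `printf '%s\n'` is safer than `echo` for arbitrary strings. The same change applies to the `Sign package with minisign` step, whose comment mentions a MINISIGN_PASSPHRASE environment variable although the code pipes the value on stdin, and to MINISIGN_PRIVATE_KEY in the key setup step. Separately, when MINISIGN_PRIVATE_KEY is unset the job only emits a warning and still reaches `npm publish`, so a release can ship without minisign signatures; consider failing the job there unless unsigned publishing is intended.

```yaml
- name: Sign all SBOMs and attestations
  env:
    MINISIGN_PASSPHRASE: ${{ secrets.MINISIGN_PASSPHRASE }}
  run: |
    # … unchanged: SBOM loop and minisign.key.skip check …
    printf '%s\n' "$MINISIGN_PASSPHRASE" | minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
    # … unchanged: GPG signing of SBOMs, attestation skip check …
    find . -name "*.intoto.jsonl" -exec sh -c 'printf "%s\n" "$MINISIGN_PASSPHRASE" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \;
    # … unchanged: GPG signing of attestations …
```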