diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3c2abf8..495823b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -85,9 +85,8 @@ jobs: - name: Sign package with minisign run: | if [ ! -f minisign.key.skip ]; then - # Use MINISIGN_PASSPHRASE environment variable for the password - export MINISIGN_ASK_PASS=0 - echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" + # Use -W flag to read password from stdin + echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -W -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)" echo "✓ Successfully signed package with minisign" else echo "::warning::Skipping minisign signature generation" @@ -137,7 +136,7 @@ jobs: if [ -f "$sbom" ]; then echo "Signing $sbom" if [ ! -f minisign.key.skip ]; then - echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION" + echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -W -t "SBOM for create-claude v$VERSION" fi gpg --armor --detach-sign --output "$sbom.asc" "$sbom" fi @@ -145,7 +144,7 @@ jobs: # Find and sign any GitHub attestation files if [ ! -f minisign.key.skip ]; then - find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \; + find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -W -t "SLSA Attestation for create-claude v$VERSION"' _ {} \; fi find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;