Skip to content

fix: use MINISIGN_PASS environment variable for password #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ramonclaudio merged 1 commit into from
Sep 7, 2025
Merged

fix: use MINISIGN_PASS environment variable for password #19

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 8 additions & 5 deletions .github/workflows/publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,9 +85,9 @@ jobs:
- name: Sign package with minisign
run: |
if [ ! -f minisign.key.skip ]; then
# Use MINISIGN_PASSPHRASE environment variable for the password
export MINISIGN_ASK_PASS=0
echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
# Export password as environment variable for minisign
export MINISIGN_PASS="${{ secrets.MINISIGN_PASSPHRASE }}"
minisign -Sm "$PACKAGE_FILE" -s minisign.key -t "create-claude npm package v$VERSION - $(date -u +%Y-%m-%d)"
echo "✓ Successfully signed package with minisign"
else
echo "::warning::Skipping minisign signature generation"
Expand Down Expand Up @@ -132,20 +132,23 @@ jobs:

- name: Sign all SBOMs and attestations
run: |
# Export password as environment variable for minisign
export MINISIGN_PASS="${{ secrets.MINISIGN_PASSPHRASE }}"

# Sign all SBOM files with both minisign and GPG (if keys available)
for sbom in create-claude-$VERSION.sbom.* create-claude-$VERSION.ms-spdx.json; do
if [ -f "$sbom" ]; then
echo "Signing $sbom"
if [ ! -f minisign.key.skip ]; then
echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
minisign -Sm "$sbom" -s minisign.key -t "SBOM for create-claude v$VERSION"
fi
gpg --armor --detach-sign --output "$sbom.asc" "$sbom"
fi
done

# Find and sign any GitHub attestation files
if [ ! -f minisign.key.skip ]; then
find . -name "*.intoto.jsonl" -exec sh -c 'echo "${{ secrets.MINISIGN_PASSPHRASE }}" | minisign -Sm "$1" -s minisign.key -t "SLSA Attestation for create-claude v$VERSION"' _ {} \;
find . -name "*.intoto.jsonl" -exec minisign -Sm {} -s minisign.key -t "SLSA Attestation for create-claude v$VERSION" \;
fi
find . -name "*.intoto.jsonl" -exec gpg --armor --detach-sign --output {}.asc {} \;

Expand Down