ci: sign commit when updating stable json file [skip ci] (#19498)

Signed-off-by: Rado <radoslav@dhis2.org>
dhis2 · Dec 16, 2024 · 0d2ff4e · 0d2ff4e
1 parent 9670543
commit 0d2ff4e
Showing 1 changed file with 23 additions and 11 deletions.
diff --git a/jenkinsfiles/stable b/jenkinsfiles/stable
@@ -165,17 +165,29 @@ pipeline {
                             --json-file ./downloads/v1/versions/stable.json
                         """
 
-                        sh 'git config  user.email "$GITHUB_EMAIL"'
-                        sh 'git config  user.name "$GITHUB_USER"'
-
-                        releasesBranch = "add-release-${imageTag}"
-
-                        sh "git checkout -b $releasesBranch"
-                        sh 'git add ./downloads/v1/versions/stable.json'
-                        sh "git diff-index --quiet HEAD || git commit -m \"chore: add version $imageTag to stable.json\""
-                        sh "git push https://${GITHUB_TOKEN}@github.com/$DHIS2_RELEASES_REPO"
-
-                        sh "gh pr create --head $releasesBranch --fill-first --reviewer Philip-Larsen-Donnelly,dhis2/devops"
+                        withCredentials([
+                            file(credentialsId: 'github-private-signing-key', variable: 'SIGNING_PRIVATE_KEY_PATH'),
+                            file(credentialsId: 'github-public-signing-key', variable: 'SIGNING_PUBLIC_KEY_PATH')
+                        ]) {
+                            sh 'cp $SIGNING_PRIVATE_KEY_PATH ~/.ssh/signing_key'
+                            sh 'cp $SIGNING_PUBLIC_KEY_PATH ~/.ssh/signing_key.pub'
+                            sh 'chmod --changes 600 ~/.ssh/signing_key ~/.ssh/signing_key.pub'
+
+                            sh 'git config user.email "$GITHUB_EMAIL"'
+                            sh 'git config user.name "$GITHUB_USER"'
+                            sh 'git config user.signingkey ~/.ssh/signing_key.pub'
+                            sh 'git config commit.gpgSign true'
+                            sh 'git config gpg.format ssh'
+
+                            releasesBranch = "add-release-${imageTag}"
+
+                            sh "git checkout -b $releasesBranch"
+                            sh 'git add ./downloads/v1/versions/stable.json'
+                            sh "git diff-index --quiet HEAD || git commit -S -m \"chore: add version $imageTag to stable.json\""
+                            sh 'git push https://$GITHUB_TOKEN@github.com/$DHIS2_RELEASES_REPO'
+
+                            sh "gh pr create --head $releasesBranch --fill-first --reviewer Philip-Larsen-Donnelly,dhis2/devops"
+                        }
                     }
                 }
             }