From 1a12355dc9cba93d9d6573048ee74166adb48d51 Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto
Date: Thu, 24 Oct 2024 16:17:13 -0700
Subject: [PATCH] ci: add signing and tarball generation to release-tip workflow
---
 .github/workflows/release-tip.yml | 36 +++++++++++++++++++++++++++++++
 PACKAGING.md | 10 ++++++---
 nix/devShell.nix | 2 ++
 3 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release-tip.yml b/.github/workflows/release-tip.yml
index 0b8ddca93..df9bcaac7 100644
--- a/.github/workflows/release-tip.yml
+++ b/.github/workflows/release-tip.yml
@@ -84,6 +84,42 @@ jobs:
 run: |
 sentry-cli dif upload --project ghostty --wait dsym.zip

+ source-tarball:
+ if: |
+ ${{
+ github.event_name == 'workflow_dispatch' ||
+ (
+ github.event.workflow_run.conclusion == 'success' &&
+ github.repository_owner == 'ghostty-org' &&
+ github.ref_name == 'main'
+ )
+ }}
+ runs-on: namespace-profile-ghostty-md
+ steps:
+ - uses: actions/checkout@v4
+ - name: Create Tarball
+ run: git archive --format=tgz -o ghostty-source.tar.gz HEAD
+ - name: Sign Tarball
+ env:
+ MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
+ MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }}
+ run: |
+ echo $MINISIGN_KEY > minisign.key
+ echo $MINISIGN_PASSWORD | minisign -S \
+ -m ghostty-source.tar.gz \
+ -s minisign.key
+ - name: Update Release
+ uses: softprops/action-gh-release@v2
+ with:
+ name: 'Ghostty Tip ("Nightly")'
+ prerelease: true
+ tag_name: tip
+ target_commitish: ${{ github.sha }}
+ files: |
+ ghostty-source.tar.gz
+ ghostty-source.tar.gz.minisig
+ token: ${{ secrets.GH_RELEASE_TOKEN }}
+
 build-macos:
 if: |
 ${{
diff --git a/PACKAGING.md b/PACKAGING.md
index 77a64325d..5e6560c34 100644
--- a/PACKAGING.md
+++ b/PACKAGING.md
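Review bot: The Sign Tarball step expands both secrets unquoted (`echo $MINISIGN_KEY > minisign.key` and `echo $MINISIGN_PASSWORD | minisign -S`), so the shell word-splits and globs them: a multi-line key file is flattened onto one line, and a password containing spaces or `*` is altered before minisign reads it. The secret key file is also left in the workspace with default permissions while the following step runs a third-party action referenced by the mutable tag `softprops/action-gh-release@v2`; pinning that action and `actions/checkout@v4` to full commit SHAs and deleting the key as soon as signing finishes would narrow its exposure. The job-level `if: |` wraps `${{ … }}` in a block scalar, which as far as I know GitHub evaluates as a non-empty string and therefore as true, so the owner/branch gate on this signing job may not filter anything; a bare multi-line expression without `${{ }}` avoids that. The fence below shows the signing step with quoting, a restrictive umask, cleanup on exit, and a verification against the public key this commit publishes in PACKAGING.md, so a bad key or password fails the job instead of publishing an unverifiable asset. The job does not enter the Nix dev shell, so it presumably depends on `minisign` already being installed on the runner.

```yaml
- name: Sign Tarball
  # … unchanged: env block with MINISIGN_PASSWORD and MINISIGN_KEY …
  run: |
    # Key file readable by the runner user only, removed when the step exits.
    umask 077
    trap 'rm -f minisign.key' EXIT
    printf '%s\n' "$MINISIGN_KEY" > minisign.key
    printf '%s\n' "$MINISIGN_PASSWORD" | minisign -S \
      -m ghostty-source.tar.gz \
      -s minisign.key
    # Fail the job if the signature does not verify against the published key.
    minisign -V \
      -m ghostty-source.tar.gz \
      -P RWQlAjJC23149WL2sEpT/l0QKy7hMIFhYdQOFy0Z7z7PbneUgvlsnYcV
```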
@@ -16,10 +16,14 @@ package Ghostty for distribution. Source tarballs with stable checksums are available on the [GitHub releases page](https://github.com/ghostty-org/ghostty/releases). +Use the `ghostty-source.tar.gz` asset and _not the GitHub auto-generated +source tarball_. -> [!WARNING] -> -> These are not currently signed with PGP. I'm working on this. +Signature files are signed with [minisign](https://jedisct1.github.io/minisign/) using the following public key: + +``` +RWQlAjJC23149WL2sEpT/l0QKy7hMIFhYdQOFy0Z7z7PbneUgvlsnYcV +``` ## Zig Version diff --git a/nix/devShell.nix b/nix/devShell.nix index 34e109a05..7f0e206b7 100644 --- a/nix/devShell.nix +++ b/nix/devShell.nix @@ -47,6 +47,7 @@ simdutf, zlib, alejandra, + minisign, pandoc, hyperfine, typos, @@ -88,6 +89,7 @@ in [ # For builds llvmPackages_latest.llvm + minisign ncurses pandoc pkg-config