ci: add signing and tarball generation to release-tip workflow

2025-08-02 14:57:31 +03:00 · 2024-10-24 16:17:13 -07:00
parent 4095b189ed
commit 1a12355dc9
3 changed files with 45 additions and 3 deletions
--- a/.github/workflows/release-tip.yml
+++ b/.github/workflows/release-tip.yml
@ -84,6 +84,42 @@ jobs:
        run: |
          sentry-cli dif upload --project ghostty --wait dsym.zip

+  source-tarball:
+    if: |
+      ${{
+        github.event_name == 'workflow_dispatch' ||
+        (
+          github.event.workflow_run.conclusion == 'success' &&
+          github.repository_owner == 'ghostty-org' &&
+          github.ref_name == 'main'
+        )
+      }}
+    runs-on: namespace-profile-ghostty-md
+    steps:
+      - uses: actions/checkout@v4
+      - name: Create Tarball
+        run: git archive --format=tgz -o ghostty-source.tar.gz HEAD
+      - name: Sign Tarball
+        env:
+          MINISIGN_PASSWORD: ${{ secrets.MINISIGN_PASSWORD }}
+          MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }}
+        run: |
+          echo $MINISIGN_KEY > minisign.key
+          echo $MINISIGN_PASSWORD | minisign -S \
+            -m ghostty-source.tar.gz \
+            -s minisign.key
+      - name: Update Release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: 'Ghostty Tip ("Nightly")'
+          prerelease: true
+          tag_name: tip
+          target_commitish: ${{ github.sha }}
+          files: |
+            ghostty-source.tar.gz
+            ghostty-source.tar.gz.minisig
+          token: ${{ secrets.GH_RELEASE_TOKEN }}
+
  build-macos:
    if: |
      ${{
--- a/PACKAGING.md
+++ b/PACKAGING.md
@ -16,10 +16,14 @@ package Ghostty for distribution.

 Source tarballs with stable checksums are available on the
 [GitHub releases page](https://github.com/ghostty-org/ghostty/releases).
+Use the `ghostty-source.tar.gz` asset and _not the GitHub auto-generated
+source tarball_.

-> [!WARNING]
->
-> These are not currently signed with PGP. I'm working on this.
+Signature files are signed with [minisign](https://jedisct1.github.io/minisign/) using the following public key:
+
+```
+RWQlAjJC23149WL2sEpT/l0QKy7hMIFhYdQOFy0Z7z7PbneUgvlsnYcV
+```

 ## Zig Version

--- a/nix/devShell.nix
+++ b/nix/devShell.nix
@ -47,6 +47,7 @@
  simdutf,
  zlib,
  alejandra,
+  minisign,
  pandoc,
  hyperfine,
  typos,
@ -88,6 +89,7 @@ in
      [
        # For builds
        llvmPackages_latest.llvm
+        minisign
        ncurses
        pandoc
        pkg-config