Sign release tarball with PGP key (#392)

diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml
index a4d6d76a9888cf4f6819caab9aa5c3b46f38ce88..107abbc41778066c86f4985a67fa7b68b44f8cf8 100644 (file)
--- a/.github/workflows/prod-deploy.yml
+++ b/.github/workflows/prod-deploy.yml
@@ -25,11 +25,19 @@ jobs:
         run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
       - name: Create tar.gz
         run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist
+      - name: Sign tar.gz
+        uses: actionhippie/gpgsign@4e28208b142cae93e1582401dcda1cf79e4f72c0
+        with:
+          private_key: ${{ secrets.GNUPG_KEY }}
+          passphrase: ${{ secrets.GNUPG_PASSPHRASE }}
+          detach_sign: true
+          files: cinny-${{ steps.vars.outputs.tag }}.tar.gz
       - name: Upload tagged release
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
         with:
           files: |
             cinny-${{ steps.vars.outputs.tag }}.tar.gz
+            cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc
 
   push_to_dockerhub:
     name: Push Docker image to Docker Hub