chore: trigger ci

xiangyisss · xiangyisss · commit 9fefdfa6456c · 2025-06-20T15:42:12.000+02:00
diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml
@@ -32,25 +32,27 @@ jobs:
           export GPG_TTY=$(tty)
           mkdir -p ~/.gnupg
           chmod 700 ~/.gnupg
-          echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
+          
+          # Configure GPG for CI/batch mode
+          echo "allow-loopback-pinentry" > ~/.gnupg/gpg.conf
           echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
+          echo "trust-model always" >> ~/.gnupg/gpg.conf
+          echo "batch" >> ~/.gnupg/gpg.conf
+          echo "no-tty" >> ~/.gnupg/gpg.conf
+          
+          echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf
           chmod 600 ~/.gnupg/gpg-agent.conf ~/.gnupg/gpg.conf
           
           # Decode and import in one step (suppress base64 warnings)
           echo "${{ secrets.HELM_GPG_PRIVATE_KEY }}" | base64 -d 2>/dev/null | gpg --batch --import
           
-          # Trust the imported key using the full fingerprint
-          GPG_KEY_ID="${{ secrets.HELM_GPG_KEY_ID }}"
-          FULL_FINGERPRINT=$(gpg --list-secret-keys --keyid-format LONG --with-colons | grep fpr | head -1 | cut -d: -f10)
-          echo "Full fingerprint: $FULL_FINGERPRINT"
-          echo "$FULL_FINGERPRINT:6:" | gpg --batch --import-ownertrust
-          
-          # Export to format Helm expects
-          gpg --batch --export-secret-keys > ~/.gnupg/secring.gpg
-          
-          # List keys to verify import
+          # Verify key import (trust-model always is set in gpg.conf, so no ownertrust needed)
           echo "Imported GPG keys:"
           gpg --list-secret-keys --keyid-format LONG
+          
+          # Verify we can use the key for signing
+          GPG_KEY_ID="${{ secrets.HELM_GPG_KEY_ID }}"
+          echo "Key ID to use for signing: $GPG_KEY_ID"
 
       - name: Create GPG passphrase file
         run: |
@@ -68,10 +70,9 @@ jobs:
           for chart_dir in charts/*/; do
             if [ -f "$chart_dir/Chart.yaml" ]; then
               echo "Packaging and signing chart: $chart_dir"
-              # Package with signing using the KodeKloud method
-              helm package --sign "$chart_dir" \
+              # Package with signing - modern approach (no secring needed)
+              GNUPGHOME=~/.gnupg helm package --sign "$chart_dir" \
                 --key "$GPG_KEY_ID" \
-                --keyring ~/.gnupg/secring.gpg \
                 --passphrase-file gpg-passphrase.txt
             fi
           done
