diff --git a/.forgejo/actions/decrypt-release-secrets/action.yml b/.forgejo/actions/decrypt-release-secrets/action.yml index 9215130..cdf17ab 100644 --- a/.forgejo/actions/decrypt-release-secrets/action.yml +++ b/.forgejo/actions/decrypt-release-secrets/action.yml @@ -71,6 +71,11 @@ runs: nix_bin="$(resolve_nix_bin || true)" if [[ -n "$nix_bin" ]]; then local built + built="$("$nix_bin" --extra-experimental-features 'nix-command flakes' build --no-link "$ROOT#age" --print-out-paths 2>/dev/null | tail -n 1 || true)" + if [[ -n "$built" && -x "$built/bin/age" ]]; then + printf 'age:%s\n' "$built/bin/age" + return 0 + fi built="$("$nix_bin" --extra-experimental-features 'nix-command flakes' build --no-link "$ROOT#agenix" --print-out-paths 2>/dev/null | tail -n 1 || true)" if [[ -n "$built" && -x "$built/bin/agenix" ]]; then printf 'agenix:%s\n' "$built/bin/agenix" @@ -93,7 +98,11 @@ runs: decrypt_age_file() { local file_path="$1" if [[ "$decrypt_kind" == "agenix" ]]; then - "$decrypt_bin" --identity "$KEY" --decrypt "$file_path" + local agenix_path="$file_path" + if [[ "$file_path" == "$ROOT/"* ]]; then + agenix_path="${file_path#"$ROOT"/}" + fi + (cd "$ROOT" && "$decrypt_bin" --identity "$KEY" --decrypt "$agenix_path") else "$decrypt_bin" --decrypt -i "$KEY" "$file_path" fi diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index a5d4831..1bbbe26 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -75,6 +75,11 @@ The same change also makes the forge itself the release authority: release tags by the deployed forge. The v4 artifact actions assume GitHub's newer artifact service and fail on this Forgejo install before downstream signing/upload jobs can consume the staged Apple artifacts. +- The release secret decrypt action must be self-contained after the Nix + bootstrap step. Linux Namespace signing jobs install Nix at runtime, so the + bootstrap writes Nix profile directories to `GITHUB_PATH`, the decrypt action + resolves Nix from those profile paths, and the action builds `.#age` before + falling back to `.#agenix`. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow. diff --git a/flake.nix b/flake.nix index 54da819..a3d4b59 100644 --- a/flake.nix +++ b/flake.nix @@ -341,6 +341,7 @@ EOF packages = { + age = pkgs.age; agenix = agenix.packages.${system}.agenix; burrow = burrowPkg; hcloud-upload-image = hcloudUploadImagePkg;