Skip to content

ci: unify RPM and DEB package signing onto a single key#470

Merged
nic-6443 merged 2 commits into
masterfrom
chore/unify-gpg-signing-secrets
Jul 13, 2026
Merged

ci: unify RPM and DEB package signing onto a single key#470
nic-6443 merged 2 commits into
masterfrom
chore/unify-gpg-signing-secrets

Conversation

@jarvis9443

@jarvis9443 jarvis9443 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Background

The RPM and DEB release pipelines used two separate sets of secrets (RPM_GPG_* vs DEB_GPG_*) for the same signing key. Since GitHub Actions secrets are write-only and not readable, maintainers who later set up the DEB pipeline could not reuse the original RPM key material and had to create a brand-new key to populate the DEB secrets. These newly created keys have expiration dates, and their expiry repeatedly breaks package repository signature verification (see apache/apisix#13689: the expiry of the signing key for repos.apiseven.com on 2026-07-08 caused all yum/apt installations to fail).

Changes

  • Both the RPM and DEB pipelines now consume the same RPM_GPG_PRIV_KEY / RPM_GPG_PASSPHRASE
  • The UID email address for the signing key (dev@apisix.apache.org, already public in KEYS and not sensitive information) is hardcoded directly into the workflow instead of being stored as a secret
  • Remove unused references: RPM_GPG_PUB_KEY and GPG_NAME, which are never read by the scripts

This change only affects workflow configurations and leaves utils/*.sh untouched, fundamentally eliminating the root cause that required repeated key regeneration from having two separate sets of secrets maintained independently.

Post-Merge Cleanup (Requires Repository/Org Administrator Actions)

After merging, delete the repository-level overriding secrets (RPM_GPG_*, DEB_GPG_*, GPG_MAIL, GPG_NAME), so the CI pipeline falls back to the org-level RPM_GPG_* — the original non-expiring dev@apisix.apache.org signing key. The online repository metadata will then need to be re-signed with this key for full recovery (this step is independent of this PR).

Ref: apache/apisix#13689

Summary by CodeRabbit

  • Chores
    • Updated package publishing workflows to use a consistent GPG signing identity.
    • Standardized DEB and RPM package signing around the shared release key configuration.
    • Improved signing configuration clarity for automated package repository updates.

The RPM and DEB publish pipelines used two independent secret sets
(RPM_GPG_* vs DEB_GPG_*) for what is, and should be, the same signing
key. Because Actions secrets are write-only, whoever wired up a second
pipeline could not reuse the first key's material and instead minted a
separate key just to populate the other secret — and those extra keys
carried expiry dates, so the package repo broke every time one lapsed.

Consolidate both pipelines onto the single RPM_GPG_PRIV_KEY /
RPM_GPG_PASSPHRASE secret and hardcode the signing key's uid email
(public, published in KEYS) instead of keeping it as a secret. This
removes the duplicate-secret trap so no future maintainer is nudged
into creating a per-pipeline key.

After this merges, the repo-level RPM_GPG_* / DEB_GPG_* / GPG_MAIL /
GPG_NAME overrides can be deleted so CI falls back to the org-level
RPM_GPG_* key.

Ref: apache/apisix#13689
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 617e97bb-bfc3-413f-b12d-47e48b60d180

📥 Commits

Reviewing files that changed from the base of the PR and between 6e1e0a2 and afae498.

📒 Files selected for processing (2)
  • .github/workflows/publish-deb.yml
  • .github/workflows/publish.yml

📝 Walkthrough

Walkthrough

DEB and RPM publishing workflows now use dev@apisix.apache.org as the signing email and share RPM GPG private key and passphrase secrets. The DEB workflow includes comments describing the shared key and published key UID.

Changes

Shared GPG signing

Layer / File(s) Summary
Align DEB and RPM signing configuration
.github/workflows/publish-deb.yml, .github/workflows/publish.yml
DEB and RPM repository update steps use the fixed signing email and RPM GPG key material for temporary signing files; DEB comments document the shared key and KEYS UID email.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: consolidating RPM and DEB signing onto one shared key.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
E2e Test Quality Review ✅ Passed PASS: This PR only rewires GitHub Actions signing secrets; no product path or E2E flow changed, and the updated env vars match the shell scripts.
Security Check ✅ Passed PASS: The PR only reuses existing GPG secrets in workflow files and hardcodes a non-sensitive UID email; no secret leakage, auth, DB, or TLS issues found.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/unify-gpg-signing-secrets

Comment @coderabbitai help to get the list of available commands.

@nic-6443 nic-6443 merged commit 60fc95b into master Jul 13, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants