fix: remove GPG and run on spawn (#1426)

* fix: first pass remove gpg * fix: import key * fix: break validation * fix: fail ci * fix: make it the right signature file * fix: perhaps console * fix: cleanup * fix: io the import * fix: remove from container for now
2026-02-11 21:01:38 +00:00 · 2024-05-14 21:26:56 +07:00
parent b71af43c1e
commit 2791a5c4fe
6 changed files with 65 additions and 502 deletions
--- a/src/validate.ts
+++ b/src/validate.ts
@@ -1,7 +1,7 @@
+import {execSync} from 'node:child_process';
 import * as crypto from 'node:crypto';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-import * as gpg from 'gpg';

 import * as core from '@actions/core';
 import {request} from 'undici';
@@ -76,36 +76,43 @@ const verify = async (
      }
    };

-    const verifySignature = () => {
-      gpg.call('', [
+    const verifySignature = async () => {
+      const command = [
+        'gpg',
        '--logger-fd',
        '1',
        '--verify',
        path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
        path.join(__dirname, `${uploaderName}.SHA256SUM`),
-      ], async (err, verifyResult) => {
-        if (err) {
-          setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
-        }
-        core.info(verifyResult);
-        await validateSha();
-      });
+      ].join(' ');
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error verifying gpg signature: ${err.message}`, failCi);
+      }
    };

-    // Import gpg key
-    gpg.call('', [
-      '--logger-fd',
-      '1',
-      '--no-default-keyring',
-      '--import',
-      path.join(__dirname, 'pgp_keys.asc'),
-    ], async (err, importResult) => {
-      if (err) {
-        setFailure(`Codecov: Error importing pgp key: ${err.message}`, failCi);
+    const importKey = async () => {
+      const command = [
+        'gpg',
+        '--logger-fd',
+        '1',
+        '--no-default-keyring',
+        '--import',
+        path.join(__dirname, 'pgp_keys.asc'),
+      ].join(' ');
+
+      try {
+        await execSync(command, {stdio: 'inherit'});
+      } catch (err) {
+        setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);
      }
-      core.info(importResult);
-      verifySignature();
-    });
+    };
+
+    await importKey();
+    await verifySignature();
+    await validateSha();
  } catch (err) {
    setFailure(`Codecov: Error validating uploader: ${err.message}`, failCi);
  }