
feature: [INFRA-300] simple streamlined 'dropin' cicd pipeline with opinionated defaults #622

Workflow file for this run

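# Signs the .deb packages under tests/ with dpkg-sig and verifies the
# signatures afterwards. The signing key is loaded by the setup-gpg action.
#
# Security notes:
# - Every action is pinned to a full commit SHA; keep the trailing version
#   comment in sync when a pin is bumped.
# - GitHub does not pass repository secrets to pull_request runs that come
#   from forks, so the setup-gpg and signing steps cannot succeed there.
# - NOTE(review): this runs on every PR to main with the GPG secrets in
#   scope. Confirm GPG_SECRET_KEY is a test-only key and not the key that
#   signs released packages.
name: GPG sign DEB
on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
# Least privilege: the job only needs to read the repository for checkout.
permissions:
  contents: read
jobs:
  sign-deb:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os:
          - ubuntu-22.04
          # Disabled: dpkg-sig is not available on 24.04 (see the version check).
          # - ubuntu-24.04
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
        with:
          # audit only records outbound connections, it does not block them.
          # Once the required endpoints are known, consider
          # egress-policy: block together with allowed-endpoints.
          egress-policy: audit
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          # No later step pushes or fetches, so do not keep the GITHUB_TOKEN
          # configured for git after checkout.
          persist-credentials: false
      - name: Check Ubuntu version
        # This action only supports Ubuntu 22.04. 24.04 has removed dpkg-sig
        run: |
          if [[ "$(cat /etc/lsb-release | grep DISTRIB_RELEASE)" != *"22.04"* ]]; then
            echo "This action only supports Ubuntu 22.04 due to the removal of dpkg-sig in 24.04"
            exit 1
          fi
        shell: bash
      - name: install dpkg-sig
        run: |
          sudo apt-get update && sudo apt-get install dpkg-sig dpkg-dev -y
      - name: setup GPG
        uses: aerospike/shared-workflows/.github/actions/setup-gpg@489212b8911ea431131ed468599db705f0767274 # v3.0.0
        with:
          gpg-private-key: ${{ secrets.GPG_SECRET_KEY }}
          gpg-public-key: ${{ secrets.GPG_PUBLIC_KEY }}
          gpg-key-pass: ${{ secrets.GPG_PASS }}
      - name: GPG sign deb # gpg sign and verify deb packages
        env:
          GPG_TTY: /dev/null
          HOME: /home/runner
          GNUPGHOME: /home/runner/.gnupg
        run: |
          # Ensure environment variables are exported
          export HOME="${HOME}"
          export GNUPGHOME="${GNUPGHOME}"
          # Sign the package. The passphrase is read from a file, which keeps
          # it off the command line. The file is presumably written by the
          # setup-gpg step above (confirm) and stays on disk for the rest of
          # the job.
          dpkg-sig --sign builder --gpg-options "--batch --pinentry-mode loopback --passphrase-file $GNUPGHOME/passphrase" tests/*.deb
          # Verify the signature
          # NOTE(review): this relies on dpkg-sig --verify exiting non-zero
          # for a missing or bad signature. Confirm, or also check that the
          # output reports GOODSIG for every package.
          dpkg-sig --verify tests/*.deb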