fix: store AUR_KEY as base64 to prevent libcrypto newline corruption #9
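# ==============================================================================
# .github/workflows/release.yml — cpp-gen
# ==============================================================================
# Release pipeline. Triggered automatically when a tag in the format
# vX.Y.Z is pushed to the repository (e.g.: via `make release` or scripts/release.sh).
#
# Full flow:
#   git commit → scripts/release.sh → tag vX.Y.Z → this workflow → goreleaser
#                                                                      ↓
#                                          binaries + archives + GitHub Release
#                                                                      ↓
#                                          (if AUR_KEY is configured) AUR push
#
# ── AUR secret setup ──────────────────────────────────────────────────────────
# The AUR_KEY secret MUST be stored as base64 to avoid newline corruption.
# GitHub Actions mangles multi-line secrets; base64 encodes them to a single
# line that is decoded byte-for-byte back to the original key file.
#
# One-time setup — encode your AUR SSH private key and store it as AUR_KEY:
#
#   Linux:  base64 -w 0 ~/.ssh/aur > aur_key_b64.txt
#   macOS:  base64 -i ~/.ssh/aur > aur_key_b64.txt
#
# Copy the content of aur_key_b64.txt and paste it as the AUR_KEY secret at:
#   Settings → Secrets and variables → Actions → New repository secret
# ==============================================================================
name: Release

on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"     # v1.2.3
      - "v[0-9]+.[0-9]+.[0-9]+-*"   # v1.2.3-beta.1 (pre-release)

# Minimum permissions required for goreleaser to create the release.
# `packages: write` is deliberately not granted: nothing in this workflow
# publishes packages today. Grant it only when goreleaser starts doing so.
permissions:
  contents: write   # create releases and upload assets

jobs:
  # ── Goreleaser ───────────────────────────────────────────────────────────────
  goreleaser:
    name: Release ${{ github.ref_name }}
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions below are referenced by major-version
      # tag. Pinning each `uses:` to a full commit SHA protects the release
      # pipeline against a compromised or force-moved tag in the action's repo.
      - name: Checkout (com histórico completo)
        uses: actions/checkout@v4
        with:
          # fetch-depth 0 is required for goreleaser to generate the changelog
          # correctly from the full commit and tag history.
          fetch-depth: 0

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: true

      # Fails if a module checksum does not match or go.mod/go.sum are not tidy.
      - name: Verify dependencies
        run: |
          go mod verify
          go mod tidy
          git diff --exit-code go.mod go.sum

      # Runs tests before publishing — failure here aborts the release
      - name: Test
        run: go test -race ./...

      # Decodes the base64-encoded AUR_KEY secret into a proper PEM key file.
      # goreleaser v2 requires private_key to be a FILE PATH, not inline content.
      # Storing the key as base64 avoids the newline corruption that GitHub
      # Actions causes when expanding multi-line secrets — which triggers
      # "error in libcrypto" from OpenSSH when it tries to parse the key.
      #
      # Outputs:
      #   has_key  — "true" only when the secret decoded AND ssh-keygen parsed it
      #   key_path — absolute path of the key file (always set, even without a key)
      #
      # A missing secret is a warning (AUR publishing is skipped). A secret that
      # is present but does not decode to a valid key is a misconfiguration and
      # fails the job, so the problem is not hidden behind a silently skipped
      # AUR push.
      - name: Setup AUR key
        id: aur
        env:
          AUR_KEY_B64: ${{ secrets.AUR_KEY }}
        run: |
          KEY_FILE="$HOME/.ssh/aur_key"
          echo "key_path=$KEY_FILE" >> "$GITHUB_OUTPUT"

          if [ -z "$AUR_KEY_B64" ]; then
            echo "has_key=false" >> "$GITHUB_OUTPUT"
            echo "::warning title=AUR_KEY ausente::Publicação no AUR ignorada. Configure o secret AUR_KEY para habilitar."
            exit 0
          fi

          # Restrictive umask: the key file is created 0600 from the start and
          # is never briefly readable by other users before a later chmod.
          umask 077
          mkdir -p "$HOME/.ssh"

          # Decode, then validate that the result is a parseable key. Both
          # failures are reported the same way — a decode error would otherwise
          # abort the step under the default `bash -e` without the hint below.
          if ! printf '%s' "$AUR_KEY_B64" | base64 -d > "$KEY_FILE" \
             || ! ssh-keygen -l -f "$KEY_FILE" > /dev/null 2>&1; then
            rm -f -- "$KEY_FILE"   # do not leave a partially decoded file behind
            echo "::error title=AUR_KEY inválida::A chave decodificada não é um arquivo de chave SSH válido."
            echo "::error title=AUR_KEY inválida::Verifique se o secret foi armazenado em base64 (veja o comentário no topo deste arquivo)."
            echo "has_key=false" >> "$GITHUB_OUTPUT"
            exit 1
          fi
          echo "has_key=true" >> "$GITHUB_OUTPUT"

      - name: Run goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: "~> v2"
          args: >-
            release --clean
            ${{ steps.aur.outputs.has_key != 'true' && '--skip=aurs' || '' }}
        env:
          # GitHub token to create the release and upload assets.
          # GITHUB_TOKEN is automatically injected by Actions — no extra configuration needed.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # goreleaser v2 expects a FILE PATH for private_key, not inline key content.
          # Taken from the "Setup AUR key" step's output instead of hard-coding
          # /home/runner, so the path stays correct if the runner image changes.
          AUR_KEY: ${{ steps.aur.outputs.key_path }}

      # The decoded private key is not needed once goreleaser has run; remove it
      # so it does not outlive the job on a non-ephemeral (self-hosted) runner.
      # The path is passed through `env`, never interpolated into the script.
      - name: Remove AUR key
        if: always()
        env:
          KEY_PATH: ${{ steps.aur.outputs.key_path }}
        run: |
          if [ -n "$KEY_PATH" ]; then
            rm -f -- "$KEY_PATH"
          fi

  # ── Completion notification ───────────────────────────────────────────────────
  notify:
    name: Notify
    runs-on: ubuntu-latest
    needs: goreleaser
    if: always()
    # Workflow context values are passed through `env` rather than expanded
    # inside `run:` scripts: a tag name is user-controlled text and must not be
    # interpolated into shell code (GitHub's script-injection guidance).
    env:
      TAG: ${{ github.ref_name }}
      REPO: ${{ github.repository }}
    steps:
      - name: Release succeeded
        if: needs.goreleaser.result == 'success'
        run: |
          echo "::notice title=Release publicada::cpp-gen $TAG foi publicada com sucesso!"
          echo "URL: https://github.com/$REPO/releases/tag/$TAG"

      - name: Release failed
        if: needs.goreleaser.result == 'failure'
        run: |
          echo "::error title=Falha na release::O goreleaser falhou para a tag $TAG."
          exit 1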