sign the release checksum artifact

Author: rgl

.github/workflows/build.yml

@@ -7,7 +7,7 @@ jobs:
     steps:
       - name: Configure git
         run: git config --global core.autocrlf false
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v6
@@ -18,9 +18,16 @@ jobs:
         with:
           install: make tar zip unzip
           path-type: inherit
+      - name: Import GPG key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
       - name: Build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
         run: msys2 ./ci-release.sh
       - name: Archive
         uses: actions/upload-artifact@v4

.goreleaser.yml

@@ -38,3 +38,13 @@ archives:
 checksum:
   name_template: '{{ .ProjectName }}_v{{ .Version }}_SHA256SUMS'
   algorithm: sha256
+signs:
+  - artifacts: checksum
+    args:
+      - --batch
+      - --local-user
+      - "{{ .Env.GPG_FINGERPRINT }}"
+      - --output
+      - ${signature}
+      - --detach-sign
+      - ${artifact}

README.md

@@ -14,7 +14,7 @@ Configure your packer template to require a [release version of the plugin](http
 packer {
   required_plugins {
     windows-update = {
-      version = "0.17.1"
+      version = "0.17.2"
       source  = "github.com/rgl/windows-update"
     }
   }

ci-release.sh

@@ -8,6 +8,9 @@ make update/provisioner.hcl2spec.go
 git diff --exit-code update/provisioner.hcl2spec.go \
   || (echo 'ERROR: You must re-generate update/provisioner.hcl2spec.go and commit the changes.' && exit 1)
 
+# point the msys2 user gpg home to the one managed by the crazy-max/ghaction-import-gpg github action.
+ln -s /c/Users/runneradmin/.gnupg ~/.gnupg
+
 # do the release.
 if [[ $GITHUB_REF == refs/tags/v* ]]; then
   make release