feat: GPG update script to auto fetch new keys and emergency force update

.github/workflows/update-gpg-keys.yml

@@ -0,0 +1,70 @@
+name: Update GPG keys
+permissions:
+  contents: write
+
+on:
+  workflow_dispatch:
+
+jobs:
+  update-gpg-keys:
+    runs-on: ubuntu-24.04-arm
+    strategy:
+      matrix:
+        branch:
+          - frawhide
+          - f44
+          - f43
+          - f42
+          - el10
+    container:
+      image: ghcr.io/terrapkg/builder:frawhide
+      options: --cap-add=SYS_ADMIN --privileged
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ssh-key: ${{ secrets.SSH_AUTHENTICATION_KEY }}
+
+      - name: Install SSH signing key & set up Git repository
+        run: |
+          mkdir -p ${{ runner.temp }}
+          echo "${{ secrets.SSH_SIGNING_KEY }}" > ${{ runner.temp }}/signing_key
+          chmod 0700 ${{ runner.temp }}/signing_key
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Update GPG keys
+        env: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          for branch in $(sed -n 's/- \(f.*\)/\1/p;s/- \(el.*\)/\1/p' .github/workflows/update-branch.yml | tr -d ' '); do
+            if [[ $branch == f* ]]; then
+              export releasever=${branch/f/}
+            else
+              export releasever=$branch
+            fi
+
+            curl -s https://repos.fyralabs.com/terra$releasever/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever
+            curl -s https://repos.fyralabs.com/terra$releasever-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source
+            if [[ $releasever != el* ]]; then
+              curl -s https://repos.fyralabs.com/terra$releasever-extras/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras
+              curl -s https://repos.fyralabs.com/terra$releasever-extras-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source
+              curl -s https://repos.fyralabs.com/terra$releasever-mesa/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa
+              curl -s https://repos.fyralabs.com/terra$releasever-mesa-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source
+              curl -s https://repos.fyralabs.com/terra$releasever-multimedia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia
+              curl -s https://repos.fyralabs.com/terra$releasever-multimedia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source
+              curl -s https://repos.fyralabs.com/terra$releasever-nvidia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia
+              curl -s https://repos.fyralabs.com/terra$releasever-nvidia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source
+            fi
+          done
+          anda update --filters keys=1 --labels branch=${{ matrix.branch }}
+
+      - name: Save
+        run: |
+          if [[ `git status --porcelain` ]]; then
+            git config user.name "Raboneko"
+            git config user.email "raboneko@fyralabs.com"
+            git config gpg.format "ssh"
+            git config user.signingkey "${{ runner.temp }}/signing_key"
+            git commit -S -a -m "bump(manual): terra-gpg-keys"
+            git push -u origin --all
+          fi

anda/terra/gpg-keys/anda.hcl

@@ -5,5 +5,6 @@ project pkg {
 	}
 	labels {
 		updbranch = 1
+		keys = 1
 	}
 }

anda/terra/gpg-keys/pre.rhai

@@ -0,0 +1,2 @@
+let dir = sub(`/[^/]+$`, "", __script_path);
+sh(`tar -czf keys.tar.gz RPM-GPG-KEY-terra*`, #{ "cwd": dir });

anda/terra/gpg-keys/terra-gpg-keys.spec

@@ -9,48 +9,7 @@ Requires:       filesystem >= 3.18-6
 License:        MIT
 URL:            https://terra.fyralabs.com
 # We aren't pulling keys from the origin URLs, since they shouldn't change and this is easier to audit.
-Source0:        RPM-GPG-KEY-terrarawhide
-Source1:        RPM-GPG-KEY-terrarawhide-extras
-Source2:        RPM-GPG-KEY-terrarawhide-extras-source
-Source3:        RPM-GPG-KEY-terrarawhide-mesa
-Source4:        RPM-GPG-KEY-terrarawhide-mesa-source
-Source5:        RPM-GPG-KEY-terrarawhide-multimedia
-Source6:        RPM-GPG-KEY-terrarawhide-multimedia-source
-Source7:        RPM-GPG-KEY-terrarawhide-nvidia
-Source8:        RPM-GPG-KEY-terrarawhide-nvidia-source
-Source9:        RPM-GPG-KEY-terrarawhide-source
-Source10:       RPM-GPG-KEY-terra42
-Source11:       RPM-GPG-KEY-terra42-extras
-Source12:       RPM-GPG-KEY-terra42-extras-source
-Source13:       RPM-GPG-KEY-terra42-mesa
-Source14:       RPM-GPG-KEY-terra42-mesa-source
-Source15:       RPM-GPG-KEY-terra42-multimedia
-Source16:       RPM-GPG-KEY-terra42-multimedia-source
-Source17:       RPM-GPG-KEY-terra42-nvidia
-Source18:       RPM-GPG-KEY-terra42-nvidia-source
-Source19:       RPM-GPG-KEY-terra42-source
-Source20:       RPM-GPG-KEY-terra43
-Source21:       RPM-GPG-KEY-terra43-extras
-Source22:       RPM-GPG-KEY-terra43-extras-source
-Source23:       RPM-GPG-KEY-terra43-mesa
-Source24:       RPM-GPG-KEY-terra43-mesa-source
-Source25:       RPM-GPG-KEY-terra43-multimedia
-Source26:       RPM-GPG-KEY-terra43-multimedia-source
-Source27:       RPM-GPG-KEY-terra43-nvidia
-Source28:       RPM-GPG-KEY-terra43-nvidia-source
-Source29:       RPM-GPG-KEY-terra43-source
-Source30:       RPM-GPG-KEY-terra44
-Source31:       RPM-GPG-KEY-terra44-extras
-Source32:       RPM-GPG-KEY-terra44-extras-source
-Source33:       RPM-GPG-KEY-terra44-mesa
-Source34:       RPM-GPG-KEY-terra44-mesa-source
-Source35:       RPM-GPG-KEY-terra44-multimedia
-Source36:       RPM-GPG-KEY-terra44-multimedia-source
-Source37:       RPM-GPG-KEY-terra44-nvidia
-Source38:       RPM-GPG-KEY-terra44-nvidia-source
-Source39:       RPM-GPG-KEY-terra44-source
-Source40:       RPM-GPG-KEY-terrael10
-Source41:       RPM-GPG-KEY-terrael10-source
+Source0:        keys.tar.gz
 BuildArch:      noarch
 
 Packager:       Terra Packaging Team <terra@fyralabs.com>
@@ -65,12 +24,13 @@ Summary:        Terra GPG keys for Mock
 Terra GPG key copies for use in Mock.
 
 %prep
+%autosetup -D -n .
 
 %build
 
 %install
 install -d -m 755 $RPM_BUILD_ROOT/etc/pki/rpm-gpg
-install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
+install -m 644 ./RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
 
 install -d -m 755 $RPM_BUILD_ROOT/etc/pki/mock
 install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/mock/

anda/terra/gpg-keys/update-gpg-keys.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/bash
+
+for branch in $(sed -n 's/- \(f.*\)/\1/p;s/- \(el.*\)/\1/p' .github/workflows/update-branch.yml | tr -d ' '); do
+
+if [[ $branch == f* ]]; then
+  export releasever=${branch/f/}
+else
+  export releasever=$branch
+fi
+
+# Begin check hell to not strain our servers or waste CI time if a key already exists
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever ] && curl -s https://repos.fyralabs.com/terra$releasever/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source ] && curl -s https://repos.fyralabs.com/terra$releasever-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-source
+if [[ $releasever != el* ]]; then
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras ] && curl -s https://repos.fyralabs.com/terra$releasever-extras/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source ] && curl -s https://repos.fyralabs.com/terra$releasever-extras-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-extras-source
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa ] && curl -s https://repos.fyralabs.com/terra$releasever-mesa/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source ] && curl -s https://repos.fyralabs.com/terra$releasever-mesa-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-mesa-source
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia ] && curl -s https://repos.fyralabs.com/terra$releasever-multimedia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source ] && curl -s https://repos.fyralabs.com/terra$releasever-multimedia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-multimedia-source
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia ] && curl -s https://repos.fyralabs.com/terra$releasever-nvidia/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia
+[ ! -f anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source ] && curl -s https://repos.fyralabs.com/terra$releasever-nvidia-source/key.asc > anda/terra/gpg-keys/RPM-GPG-KEY-terra$releasever-nvidia-source
+fi
+
+done

anda/terra/gpg-keys/update.rhai

@@ -1,8 +1,21 @@
 import "andax/bump_extras.rhai" as bump;
+import "andax/spec.rhai" as spec;
 
-open_file("anda/terra/gpg-keys/RELEASE.txt", "w").write(bump::as_bodhi_ver(labels.branch));
+let branch = bump::as_bodhi_ver(labels.branch);
 
+if branch.starts_with("F") {
+  branch.crop(1);
+  let releasever = branch;
+} else if branch.starts_with("EPEL") {
+  let releasever = labels.branch;
+  releasever.crop(2);
+}
+
+rpm.version(releasever);
+
+sh(`anda/terra/gpg-keys/update-gpg-keys.sh`, #{});
 let dir = sub(`/[^/]+$`, "", __script_path);
 if sh("[[ `git status " + dir + " --porcelain` ]] && exit 1 || exit 0", #{}).ctx.rc == 1 {
-    rpm.release();
+    let rel = spec::get_release(rpm).parse_int();
+    rpm.release(rel + 1);
 }