From ee5ca817573b83cacfa3709e0ae88c6263bc39c1 Mon Sep 17 00:00:00 2001
From: release-bot
Date: Tue, 10 Feb 2026 15:47:42 +0100
Subject: [PATCH] ci: sign release commits with pgp key
---
 .gitea/scripts/create-release.sh | 14 +++++++++++---
 .gitea/workflows/release.yaml | 2 ++
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/.gitea/scripts/create-release.sh b/.gitea/scripts/create-release.sh
index 3281cca..1396557 100755
--- a/.gitea/scripts/create-release.sh
+++ b/.gitea/scripts/create-release.sh
@@ -73,11 +73,19 @@ mv "$tmp_changelog" CHANGELOG.md
 pnpm exec dprint fmt CHANGELOG.md
 # -------------------------------------------------------------------
-# 5. Create release commit
+# 5. Setup GPG signing
 # -------------------------------------------------------------------
-git config user.name "release-bot"
-git config user.email "release-bot@ci"
+echo "$BOT_PGP_PRIVATE_KEY" | base64 -d | gpg --batch --import --
+GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format LONG nodarium-bot@max-richter.dev 2>/dev/null | grep sec | head -n1 | sed 's/.*\///' | tr -d ' ')
+git config user.name "nodarium-bot"
+git config user.email "nodarium-bot@max-richter.dev"
+git config user.signingkey "$GPG_KEY_ID"
+git config commit.gpgsign true
+
+# -------------------------------------------------------------------
+# 6. Create release commit
+# -------------------------------------------------------------------
 git add CHANGELOG.md $(find . -name package.json ! -path "*/node_modules/*")
 if git diff --cached --quiet; then
diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 76a93ae..212ce50 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -57,6 +57,8 @@ jobs:
 - name: 🚀 Create Release Commit
 if: gitea.ref_type == 'tag'
 run: ./.gitea/scripts/create-release.sh
+ env:
+ BOT_PGP_PRIVATE_KEY : ${{ secrets.BOT_PGP_PRIVATE_KEY }}
 - name: 🛠️ Build
 run: ./.gitea/scripts/build.sh
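Review bot: The pipeline on the added `GPG_KEY_ID=` line does not look like it can yield a usable key id: on the usual `sec   <algo>/<KEYID> <date> [<caps>]` listing line, `sed 's/.*\///'` keeps everything after the slash and `tr -d ' '` then glues the id, the creation date and the capability flags into one token, while `2>/dev/null` hides a failed lookup, so `user.signingkey` ends up malformed or empty. Reading the machine-readable listing (`--with-colons`, key id in field 5 of the `sec` record) and stopping when nothing is found avoids both. Separately, the import on the line above goes into the runner's default keyring and nothing in the hunk removes it, so on a runner that outlives the job the bot's private key would stay on disk; a per-run `GNUPGHOME` closes that gap. If the script already installs an EXIT trap outside this hunk, fold the cleanup into it rather than replacing it.

```shell
# Keep the imported secret key in a throwaway keyring that is removed when the script exits.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'rm -rf -- "$GNUPGHOME"' EXIT

# … unchanged: base64 -d | gpg --batch --import of BOT_PGP_PRIVATE_KEY …
GPG_KEY_ID=$(gpg --batch --with-colons --list-secret-keys nodarium-bot@max-richter.dev |
  awk -F: '$1 == "sec" { print $5; exit }')
if [ -z "$GPG_KEY_ID" ]; then
  echo "no secret key for nodarium-bot@max-richter.dev after import" >&2
  exit 1
fi
# … unchanged: git config user.name / user.email / user.signingkey / commit.gpgsign …
```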
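Review bot: The added `env:` entry gives no hint of the format the secret must have, although the script that consumes it pipes the value through `base64 -d` before `gpg --batch --import`; a comment above it such as `# base64-encoded private key of the release bot, imported by create-release.sh` would spare the next key rotation a failed release. The space before the colon in `BOT_PGP_PRIVATE_KEY :` is valid YAML but reads as a typo and is better written `BOT_PGP_PRIVATE_KEY: ${{ secrets.BOT_PGP_PRIVATE_KEY }}`. Keeping the secret scoped to this one step, as the hunk does, rather than to the whole job is worth preserving if the workflow is reorganised later.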