gha: Sign release tarballs and binary branch commits

.github/workflows/release.yml

@@ -13,7 +13,15 @@ jobs:
 
     steps:
       - name: Install dependencies
-        run: pacman --noconfirm -Syu && pacman --needed --noconfirm -S base-devel gzip bzip2 lzip zstd git autoconf automake nasm curl mtools llvm clang lld mingw-w64-gcc
+        run: pacman --noconfirm -Syu && pacman --needed --noconfirm -S base-devel gnupg gzip bzip2 lzip zstd git autoconf automake nasm curl mtools llvm clang lld mingw-w64-gcc
+
+      - name: Import GPG public key
+        run: gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 05D29860D0A0668AAEFB9D691F3C021BECA23821
+
+      - name: Import GPG private key
+        run: echo "$MINTSUKI_PRIVATE_KEY" | gpg --batch --import
+        env:
+          MINTSUKI_PRIVATE_KEY: ${{ secrets.MINTSUKI_PRIVATE_KEY }}
 
       - name: Checkout code
         uses: actions/checkout@v4
@@ -21,7 +29,12 @@ jobs:
           fetch-depth: '0'
 
       - name: Git config
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+        run: |
+          set -e
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git config --global user.name 'Mintsuki'
+          git config --global user.email 'mintsuki@protonmail.com'
+          git config --global user.signingkey 05D29860D0A0668AAEFB9D691F3C021BECA23821
 
       - name: Get tag name
         run: echo "TAG_NAME=$(git describe --exact-match --tags $(git log -n1 --pretty='%h'))" >> $GITHUB_ENV
@@ -64,8 +77,7 @@ jobs:
 
       - name: Push binaries to binary branch
         run: |
-          git config user.name 'mintsuki'
-          git config user.email 'mintsuki@users.noreply.github.com'
+          set -e
           git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/limine-bootloader/limine.git
           git fetch --all
           git checkout $BRANCH_NAME-binary || git checkout --orphan $BRANCH_NAME-binary
@@ -73,7 +85,7 @@ jobs:
           cp -r build/bin/. ./
           rm -rf build
           git add -f .
-          git commit -m "Binary release $TAG_NAME"
+          git commit -m "Binary release $TAG_NAME" -S
           git push origin $BRANCH_NAME-binary
           git tag $TAG_NAME-binary
           git push origin $BRANCH_NAME-binary --tags
@@ -84,11 +96,28 @@ jobs:
       - name: Package release tarball
         run: ./bootstrap && ./configure --enable-all && make dist
 
+      - name: Sign release tarball
+        run: gpg --batch --default-key 05D29860D0A0668AAEFB9D691F3C021BECA23821 --detach-sign limine-*.tar.*
+
       - name: Create release notes
         run: |
-          echo "Changelog can be found [here](https://github.com/limine-bootloader/limine/releases/download/$TAG_NAME/ChangeLog)." > rel_notes.txt
-          echo "" >> rel_notes.txt
-          echo "Binary release can be found [here](https://github.com/limine-bootloader/limine/tree/$TAG_NAME-binary)." >> rel_notes.txt
+          cat <<'EOF' >rel_notes.txt
+          Changelog can be found [here](https://github.com/limine-bootloader/limine/releases/download/$TAG_NAME/ChangeLog).
+
+          Binary release can be found [here](https://github.com/limine-bootloader/limine/tree/$TAG_NAME-binary).
+
+          Tarballs are signed using key ID 05D29860D0A0668AAEFB9D691F3C021BECA23821 which can be obtained from the keyservers: keys.openpgp.org, keyring.debian.org, keyserver.ubuntu.com.
+
+          Import the public key with:
+          ```bash
+          gpg --keyserver <a keyserver from list above> --recv-keys 05D29860D0A0668AAEFB9D691F3C021BECA23821
+          ```
+
+          In order to verify the tarball with the given signature, do:
+          ```bash
+          gpg --verify <tarball sig file> <associated tarball>
+          ```
+          EOF
 
       - name: Release
         uses: softprops/action-gh-release@v2