Closed StevenMacias closed 1 year ago
Hi @StevenMacias Thank you for your merge request!
If I understand correctly the only goal for the new input is to pass it to a command. Did you try to pass the secret directly to the command?
...
with:
  command: echo "${{secrets.SIGNING_KEY}}" | espsecure.py sign_data --version 2 --keyfile /dev/stdin --output ./build/my-project-signed.bin ./build/my-project.bin
Yes! That was my first approach and I found that only the echo command is processed inside the docker container and the espsecure.py returns the following error since it is executed on the Ubuntu machine:
/home/runner/work/_temp/844d939b-eabf-4bc6-be73-a14c9c435ace.sh: line 2: espsecure.py: command not found
write /dev/stdout: broken pipe
Error: Process completed with exit code 127.
I have tried to solve the issue with some quoting without success. That is why I finally ended up creating a new input in your action and using a bash script. I am not an expert in YAML nor Docker so I might be missing a simpler way of overcoming this issue.
Thanks!
@StevenMacias, I'm sorry for the delay. The problem is with escaping the command. A PR https://github.com/espressif/esp-idf-ci-action/pull/27 should fix it.
Could you please try to use the PR branch in your workflow:
uses: espressif/esp-idf-ci-action@bugfix/git_inside_repo
The same problem also affected https://github.com/espressif/esp-idf-ci-action/issues/25.
It works now with the custom command:
command: echo "${{secrets.SIGNING_KEY}}" | espsecure.py sign_data --version 2 --keyfile /dev/stdin --output ./build/project-signed.bin ./build/project.bin
Thanks a lot! Do you know when this fix will be available in espressif/esp-idf-ci-action@v1?
Happy new year! :fireworks: :tada:
@StevenMacias Great to hear!
There are better days than Friday December 30th, to release anything. We will update the tag on Monday or Tuesday.
Happy new year!
No hurry! I was just wondering if you have specific dates (monthly, quarterly, etc.) for updating the tag. Thanks again!
@StevenMacias v1 is now the default branch (instead of the tag), so you can use espressif/esp-idf-ci-action@v1
I'm closing this PR now. If you want to keep information about signing binaries with this action, you can add it to the wiki: https://github.com/espressif/esp-idf-ci-action/wiki
@kumekay Perfect! I would not mind documenting how to sign binaries with esp-idf-ci-action. However, it seems that the Wiki is not publicly available.
@StevenMacias Right, I apologize for my mistake. However, GitHub search is quite good, so it shouldn't be hard to find the example in this PR. I have added the for reference. I hope this will be sufficient.
Thanks!
This PR allows using the espsecure.py command together with GitHub Actions Secrets to generate signed binaries without sharing private keys among developers.
I was not able to route my secret from my action to the docker container in the esp-idf-ci-action action. This PR allows sharing the private key with the container without storing it in a file.
What do you think? I have tested it with the following action and it works:
I have updated the README with relevant information on how to use the new signing_secret input.
Thanks a lot for your work!