Create a GPG key
This section guides you through creating a GPG key that the GitHub machine user will use to sign commits in the GitHub Actions workflows.
Step 1: Create a passphrase
Create a strong passphrase for the GPG key and add it to your team's 1Password vault.
Step 2: Install
Install GnuPG:
Step 3: Generate the GPG key
Run the following commands and replace the values with your own. The GITHUB_USERNAME and GITHUB_EMAIL values should match the machine user's GitHub profile.
export GNUPGHOME=$(mktemp -d -t gnupg_$(date +%Y%m%d%H%M)_XXX)
export GITHUB_USERNAME="ok-pirates-bot"
export GITHUB_EMAIL="ok-pirates-bot@oslo.kommune.no"
export IAC_REPO="oslokommune/pirates-iac"
Run GnuPG to generate the key. When prompted, paste in the passphrase you created earlier:
gpg --batch --gen-key <<EOF
%echo Generating a GPG key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $GITHUB_USERNAME
Name-Email: $GITHUB_EMAIL
Expire-Date: 0
%ask-passphrase
%commit
%echo done
EOF
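Before exporting the key in the next step, it is worth checking that what GnuPG actually generated matches the batch file above (RSA primary key, 4096 bits, no expiry, a uid with the machine user's email). The following check is an added example and not part of the original guide; it parses the machine-readable `--with-colons` listing, and the two sample listings embedded in it are constructed so that it runs without a keyring.

```shell
#!/bin/sh
# Added example: sanity-check a freshly generated key before it is exported
# and uploaded as a repository secret. Reads `gpg --list-secret-keys
# --with-colons` output on stdin. Field layout (see gpg/doc/DETAILS):
#   1=record type  3=key length  4=algorithm (1 = RSA)
#   7=expiry (empty = never)  10=user id (on "uid" records)
check_key_params() {
  # $1 = expected machine-user email
  expected_email="$1"
  awk -F: -v email="$expected_email" '
    BEGIN { bad = 0 }
    $1 == "sec" {
      seen_sec = 1
      if ($4 != "1") { print "primary key is not RSA (algo " $4 ")"; bad = 1 }
      if ($3 < 4096) { print "primary key is only " $3 " bits";       bad = 1 }
      if ($7 != "")  { print "primary key has an expiry date";         bad = 1 }
    }
    $1 == "uid" && index($10, "<" email ">") { seen_uid = 1 }
    END {
      if (!seen_sec) { print "no secret key found"; bad = 1 }
      if (!seen_uid) { print "no uid for " email;   bad = 1 }
      exit bad
    }'
}

# Constructed sample listings in the --with-colons format. Key ids and
# fingerprints are placeholders, not real keys.
GOOD_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000::u:::scESC:::+::::
fpr:::::::::00000000000000000000000000000000ABCDEF01:
uid:u::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::ok-pirates-bot <ok-pirates-bot@oslo.kommune.no>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::e:::+:::23:'

# 2048-bit key with an expiry and a uid for the wrong address: must fail.
BAD_LISTING='sec:u:2048:1:0123456789ABCDEF:1700000000:1800000000:u:::scESC:::+::::
uid:u::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::someone <other@example.com>::::::::::0:'

# Live use after Step 3 (commented out so the example runs offline):
# gpg --list-secret-keys --with-colons "$GITHUB_EMAIL" \
#   | check_key_params "$GITHUB_EMAIL"
```

The function exits non-zero and prints one line per mismatch, so it can gate the export in Step 4 with `&&`.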
Step 4: Add the key and passphrase as a secret
Add the private key to the infrastructure repository as a secret:
gpg --armor --export-secret-key "$GITHUB_EMAIL" \
| gh secret set --repo "$IAC_REPO" GPG_PRIVATE_KEY_FOR_MACHINE_USER
Add the passphrase to the infrastructure repository as a secret:
gh secret set --repo "$IAC_REPO" GPG_PASSPHRASE_FOR_MACHINE_USER
? Paste your secret ***
✓ Set Actions secret GPG_PASSPHRASE_FOR_MACHINE_USER for oslokommune/pirates-iac
Step 5: Add the public key to the GitHub account
Copy the GPG public key to the clipboard:
gpg --armor --export "$GITHUB_EMAIL" | pbcopy
Follow the official GitHub guide to add the GPG key to the machine user.
Step 6: Save in 1Password
Add the GPG public and private key to your team's 1Password vault:
gpg --armor --export "$GITHUB_EMAIL" | pbcopy
gpg --armor --export-secret-key "$GITHUB_EMAIL" | pbcopy
Step 7: Verify
Now that you've added both a PAT and a GPG key to the repository, you can try to trigger the chain of workflows again. It should now run without any errors, and the metadata file __gp_config_app_image.auto.tfvars.json should be updated with the latest values from the application repository.
You can now move on to the next section to set up the Terraform workflow.
Next step
Deploy the image to AWS.