From b925dc56cea67d3e0969fc15c2c9cc751875f003 Mon Sep 17 00:00:00 2001 From: ZDDC Date: Wed, 20 May 2026 10:08:49 -0500 Subject: [PATCH] build: source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Forgejo runner daemon (deploy-release.yml's host runner) starts non-interactively and doesn't source ~/.bashrc, so the signing key wasn't reaching ./build despite being available to interactive shells. The 0.0.18 stable cut surfaced this — the runner re-cuts at the tag and `sign_release_artifacts` failed with "ZDDC_SIGNING_KEY is unset" on every stable tag push. Match the ~/.bashrc auto-sourcing pattern used for ~/.config/{codeberg,forgejo,github}/env, but inside the build script. Self-sufficient for any execution context: interactive shell (already covered by bashrc), Forgejo runner (now covered), cron, anything else. Canonical operator setup (one-time): cat > ~/.config/zddc-signing/env < --- build | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/build b/build index 1875b8d..ac900e6 100755 --- a/build +++ b/build @@ -908,6 +908,15 @@ PIN_END # Sign artifacts + regenerate releases/index.html on stable cuts. # Beta cuts produce no public artifact, so nothing to sign or index. if [ "$RELEASE_CHANNEL" = "stable" ]; then + # Source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env if it + # isn't already in env. Mirrors ~/.bashrc's auto-sourcing pattern + # for ~/.config/{codeberg,forgejo,github}/env, but inside the + # build script so non-interactive callers (Forgejo runner daemon, + # cron, etc.) pick it up without needing systemd EnvironmentFile + # or workflow yaml. + if [ -z "${ZDDC_SIGNING_KEY:-}" ] && [ -f "$HOME/.config/zddc-signing/env" ]; then + . "$HOME/.config/zddc-signing/env" + fi echo "" echo "=== Signing release artifacts ===" sign_release_artifacts "$RELEASES_DIR"
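Review bot: the added `. "$HOME/.config/zddc-signing/env"` executes that file as shell code with no ownership or permission check, so on the runner host anyone who can write `~/.config/zddc-signing/env` gets arbitrary command execution inside the stable-cut build while the signing key is in scope. Before sourcing, consider refusing the file unless it is owned by the invoking user and not group/world-writable (for example by checking `stat -c '%U %a'` on GNU coreutils), and echo which file was sourced so the runner log shows where the key came from; the "canonical operator setup" in the commit message should also state the expected mode (0600) alongside the `cat >` step. Separately, `$HOME` can be empty under cron or a systemd unit, in which case the `-f` test silently fails and the existing "ZDDC_SIGNING_KEY is unset" error gives no hint why; `${HOME:?}` or a `getent passwd` fallback would make that failure mode explicit.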