OpenCHAMI
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 77 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 93 additions & 0 deletions b/‎README.md‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎actions/gpg-ephemeral-key/README.md‎
Lines changed: 100 additions & 0 deletions b/‎actions/gpg-ephemeral-key/README.md‎
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,77 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: actionlint
+        uses: raven-actions/actionlint@v1
+
+  test-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Generate ephemeral key
+        id: gpg
+        uses: ./actions/gpg-ephemeral-key
+        with:
+          subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
+          comment: test-ci
+          cleanup: false
+    
+      - name: Create test file
+        run: echo "This is a test payload" > test.txt
+
+      - name: Sign test file with ephemeral key
+        run: |
+          GNUPGHOME="${{ steps.gpg.outputs.gnupg-home }}"
+          export GNUPGHOME
+          gpg --batch --yes --local-user "${{ steps.gpg.outputs.ephemeral-fingerprint }}" --output test.txt.sig --detach-sign test.txt
+          gpg --verify test.txt.sig test.txt
+
+      - name: Show trust chain
+        run: |
+          GNUPGHOME="${{ steps.gpg.outputs.gnupg-home }}"
+          export GNUPGHOME
+          echo "Ephemeral key fingerprint: ${{ steps.gpg.outputs.ephemeral-fingerprint }}"
+          gpg --list-keys --with-colons
+          gpg --list-sigs "${{ steps.gpg.outputs.ephemeral-fingerprint }}"
+          gpg --check-trustdb
+
+      - name: Install fpm and dependencies
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y ruby ruby-dev build-essential rpm gnupg
+          gem install --user-install --no-document fpm
+          # Ensure Ruby gem bin dir is in PATH for future steps
+          echo "$(ruby -e 'print Gem.bindir')" >> $GITHUB_PATH
+
+      - name: Build dummy RPM
+        run: |
+          # Ensure Gem.bindir is in PATH so fpm can be found
+          export PATH="$(ruby -e 'print Gem.bindir'):$PATH"
+
+          # Show where fpm is
+          echo "Gem.bindir is: $(ruby -e 'print Gem.bindir')"
+          which /root/.local/share/gem/ruby/3.0.0/bin/fpm || { echo "ERROR: fpm not found"; exit 1; }
+          /root/.local/share/gem/ruby/3.0.0/bin/fpm --version
+          mkdir -p dist
+          echo 'dummy' > dist/dummy.txt
+          /root/.local/share/gem/ruby/3.0.0/bin/fpm -s dir -t rpm -n dummy --rpm-digest sha256 -v 0.1 dist/dummy.txt
+
+      - name: Sign dummy RPM using ephemeral key
+        id: sign
+        uses: ./actions/sign-rpm
+        with:
+          rpm-path: ./dummy-0.1-1.x86_64.rpm
+          gpg-fingerprint: ${{ steps.gpg.outputs.ephemeral-fingerprint }}
+          gnupg-home:      ${{ steps.gpg.outputs.gnupg-home }}
+
+      - name: Show verification
+        run: "echo \"Verification: ${{ steps.sign.outputs.verification }}\""
@@ -0,0 +1,93 @@
+# GitHub Actions Monorepo for `OpenCHAMI`
+
+Reusable GitHub Actions for CI/CD.
+
+## Structure
+
+- `actions/gpg-ephemeral-key`: Ephemeral key generation for RPM/GPG signing
+- `actions/sign-rpm`: RPM signing with ephemeral keys
+
+## Versioning & Usage
+
+Use major version tags for stability:
+
+```yaml
+- uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
+- uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
+```
+
+Pin a commit SHA internally for maximum supply‑chain safety if desired.
+
+## Actions Overview
+
+### gpg-ephemeral-key
+Generates a short‑lived RSA key (default 3072‑bit, 1 day) using an isolated `GNUPGHOME`, signs it with a repo‑scoped subkey you provide, and outputs:
+- `ephemeral-fingerprint`
+- `ephemeral-public-key` (base64 of armored)
+- `gnupg-home` (path for downstream steps)
+
+### sign-rpm
+Signs an RPM using a provided GPG fingerprint (works with the ephemeral key output) and exposes signature verification output.
+
+## Security Model
+
+Trust chain: `Ephemeral Key ← Repo Subkey ← Offline Master Key`.
+
+Design principles:
+- Ephemeral keys reduce exposure window.
+- Repo subkeys are easily revocable & rotated.
+- Isolated `GNUPGHOME` avoids polluting runner defaults.
+- Optional cleanup to remove secrets post‑sign.
+
+Key expiration limits future signing only; existing signatures remain valid if the trust chain remains intact.
+
+## Example Workflow (Combined)
+
+```yaml
+jobs:
+  build-and-sign:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Generate ephemeral key
+        id: gpg
+        uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
+        with:
+          subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
+          comment: build:${{ github.run_id }}
+          cleanup: false # keep for subsequent signing
+      - name: Build RPM
+        run: ./scripts/build-rpm.sh
+      - name: Sign RPM
+        id: sign
+        uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
+        with:
+          rpm-path: dist/my.rpm
+          gpg-fingerprint: ${{ steps.gpg.outputs.ephemeral-fingerprint }}
+          gnupg-home: ${{ steps.gpg.outputs.gnupg-home }}
+      - name: (Optional) Cleanup GNUPGHOME
+        if: always()
+        run: rm -rf "${{ steps.gpg.outputs.gnupg-home }}"
+```
+
+## Continuous Integration
+
+A future CI workflow will:
+- Lint action metadata (actionlint)
+- Perform a matrix test invoking each action
+- Validate RPM signing round‑trip
+
+## Rotation & Revocation
+
+1. Revoke and replace repo subkeys periodically.
+2. Update `GPG_SUBKEY_B64` secret.
+3. Tag a new release if behavior changes.
+
+## Contributing
+
+- Open issues for feature requests.
+- Submit PRs with accompanying test workflow updates.
+
+## License
+
+MIT
@@ -0,0 +1,100 @@
+# 🛡️ GPG Ephemeral Key Generator
+
+This GitHub composite action generates a new ephemeral GPG key on every build, signs it using a repo‑scoped subkey, and exports the fingerprint and public key. It’s designed for use in CI pipelines where artifacts need secure signing without long‑lived keys in GitHub Actions.
+
+---
+
+## 🔧 How It Works
+
+- Generates a short‑lived RSA key (default RSA‑3072, expiration 1 day)
+- Signs it with your repo‑specific subkey (stored as `GPG_SUBKEY_B64`)
+- Returns:
+  - `ephemeral-fingerprint` → use to sign artifacts
+  - `ephemeral-public-key` → base64-encoded armored public key
+  - `gnupg-home` → isolated GNUPGHOME path for downstream steps
+
+---
+
+## 📦 Inputs
+
+| Name             | Required | Description |
+|------------------|----------|-------------|
+| `subkey-armored` | ✅       | Base64‑encoded ASCII‑armored GPG subkey (secret) used to sign the ephemeral key |
+| `name`           | ❌       | Name for the ephemeral key (default: Ephemeral Key) |
+| `comment`        | ❌       | Metadata like build ID, ref, etc. A random suffix is appended |
+| `email`          | ❌       | Email for ephemeral key (default: ci@build.local) |
+| `key-length`     | ❌       | RSA key length (default: 3072) |
+| `expire-days`    | ❌       | Expiration in days (default: 1) |
+| `cleanup`        | ❌       | If `true`, remove GNUPGHOME after export (default: false) |
+
+---
+
+## 🔑 Outputs
+
+| Name                    | Description |
+|-------------------------|-------------|
+| `ephemeral-fingerprint` | Fingerprint of the generated ephemeral key |
+| `ephemeral-public-key`  | Base64‑encoded ASCII‑armored public key |
+| `gnupg-home`            | Path to isolated GNUPGHOME for subsequent actions |
+
+---
+
+## 🛠️ Setup (Per Repo)
+
+1. Create a GPG subkey tied to this repository, signed by your org's offline master key.
+2. Export it (subkey only):
+   ```bash
+   gpg --export-secret-subkeys --armor > repo-subkey.asc
+   base64 < repo-subkey.asc | tr -d '\n' > subkey.b64
+   ```
+3. Store as a GitHub Secret in your repo:
+   `GPG_SUBKEY_B64` = contents of `subkey.b64`
+
+## ✅ Example: Prove Signing Works
+
+```yaml
+jobs:
+  test-ephemeral-signing:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Generate ephemeral key
+        id: gpg
+        uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
+        with:
+          subkey-armored: ${{ secrets.GPG_SUBKEY_B64 }}
+          comment: "build:${{ github.run_id }}"
+          key-length: '3072'
+          expire-days: '1'
+          cleanup: false
+
+      - name: Sign and verify a test file
+        run: |
+          GNUPGHOME="${{ steps.gpg.outputs.gnupg-home }}"; export GNUPGHOME
+          echo "hello" > test.txt
+          gpg --batch --yes --local-user "${{ steps.gpg.outputs.ephemeral-fingerprint }}" --detach-sign --output test.txt.sig test.txt
+          gpg --verify test.txt.sig test.txt
+
+      - name: Show trust chain
+        run: |
+          GNUPGHOME="${{ steps.gpg.outputs.gnupg-home }}"; export GNUPGHOME
+          echo "Ephemeral: ${{ steps.gpg.outputs.ephemeral-fingerprint }}"
+          gpg --list-keys --with-colons
+          gpg --list-sigs "${{ steps.gpg.outputs.ephemeral-fingerprint }}"
+
+      - name: Cleanup
+        if: always()
+        run: rm -rf "${{ steps.gpg.outputs.gnupg-home }}"
+```
+
+## 🔐 Security Notes
+
+- Ephemeral key is short‑lived; expiration limits future signing, not validation of past signatures.
+- Subkey is repo‑scoped, easy to rotate/revoke.
+- Use the isolated `GNUPGHOME` to avoid polluting runner defaults; set `cleanup: true` when possible.
+- Trust chain: `Ephemeral key ← Repo subkey ← Offline master key`.
+
+## 📝 License
+
+MIT