Fix release build again (#1400)

* Fix build again

* Recommend (r)age over minisign password

* Dry-run the entire release process

* Reorg a bit so dry-run works

* Fix secret name

* Add check on age key

* Pass secrets down

* Use a cross-platform "date"

* Delete signing key artifact to be extra safe

* Last little bits

.github/scripts/ephemeral-crate.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+cat >> crates/bin/Cargo.toml <<EOF
+[package.metadata.binstall.signing]
+algorithm = "minisign"
+pubkey = "$(tail -n1 minisign.pub)"
+EOF
+
+cp minisign.pub crates/bin/minisign.pub
+

.github/scripts/ephemeral-gen.sh

@@ -2,21 +2,12 @@
 
 set -euxo pipefail
 
-cargo binstall -y rsign2
+cargo binstall -y rsign2 rage
 rsign generate -f -W -p minisign.pub -s minisign.key
 
-cat >> crates/bin/Cargo.toml <<EOF
-[package.metadata.binstall.signing]
-algorithm = "minisign"
-pubkey = "$(tail -n1 minisign.pub)"
-EOF
-
-echo "public=$(tail -n1 minisign.pub)" >> "$GITHUB_OUTPUT"
-cp minisign.pub crates/bin/minisign.pub
-
 set +x
 echo "::add-mask::$(tail -n1 minisign.key)"
-echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
 set -x
 
+rage --encrypt --recipient "$AGE_KEY_PUBLIC" --output minisign.key.age minisign.key
 rm minisign.key

.github/scripts/ephemeral-sign.sh

@@ -2,14 +2,15 @@
 
 set -euo pipefail
 
-echo "untrusted comment: rsign encrypted secret key" > minisign.key
-cat >> minisign.key <<< "$SIGNING_KEY"
+[[ -z "$AGE_KEY_SECRET" ]] && { echo "!!! Empty age key secret !!!"; exit 1; }
+cat >> age.key <<< "$AGE_KEY_SECRET"
 
 set -x
 
-cargo binstall -y rsign2
+cargo binstall -y rsign2 rage
+rage --decrypt --identity age.key --output minisign.key minisign.key.age
 
-ts=$(date --utc --iso-8601=seconds)
+ts=$(node -e 'console.log((new Date).toISOString())')
 git=$(git rev-parse HEAD)
 comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID"
 
@@ -17,3 +18,4 @@ for file in "$@"; do
     rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file"
 done
 
+rm age.key minisign.key