From 90a3fd91ddd1f930282d751edf3b9656679bacb3 Mon Sep 17 00:00:00 2001
From: Richard Tibbles
Date: Fri, 20 Mar 2026 18:35:57 -0700
Subject: [PATCH] fix: extract GPG_KEY_ID from imported key instead of requiring a secret

There is no GPG_KEY_ID secret configured. Extract the key ID from the imported GPG_SIGNING_KEY using gpg --list-secret-keys --with-colons and pass it via GITHUB_ENV.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/build_debian.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build_debian.yml b/.github/workflows/build_debian.yml
index 583e87d..56d0a4d 100644
--- a/.github/workflows/build_debian.yml
+++ b/.github/workflows/build_debian.yml
@@ -75,11 +75,14 @@ jobs:
 echo -n "${{ secrets.GPG_SIGNING_KEY }}" | base64 --decode | gpg --import --no-tty --batch --yes
 echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
 gpgconf --kill gpg-agent
+ # Extract key ID from imported key so we don't need a separate secret
+ GPG_KEY_ID=$(gpg --list-secret-keys --keyid-format long --with-colons | grep ^sec | head -1 | cut -d: -f5)
+ echo "GPG_KEY_ID=$GPG_KEY_ID" >> "$GITHUB_ENV"
+ echo "Imported GPG key: $GPG_KEY_ID"
 - name: Sign and upload package
 if: steps.check_source.outputs.already_uploaded != 'true'
 env:
 GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
 run: make sign-and-upload
 - name: Cleanup credentials
 if: always()
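Review bot: The derived `GPG_KEY_ID` is appended to `$GITHUB_ENV` without checking that the pipeline produced a value, so a failed or empty import would pass an empty key ID to `make sign-and-upload` instead of stopping the job. `grep ^sec | head -1 | cut -d: -f5` returns the exit status of `cut`, and unless this step sets `shell: bash` explicitly (the step header is outside the hunk) `pipefail` is not in effect, so neither a `gpg` error nor a missing `sec` record aborts the step. A guard placed before the `echo "GPG_KEY_ID=..."` line, for example `[[ "$GPG_KEY_ID" =~ ^[0-9A-F]{16}$ ]] || { echo "no usable secret key imported" >&2; exit 1; }`, fails closed and also ensures only a well-formed value reaches the environment file. `head -1` silently takes the first secret key in the keyring; if the imported material or a reused runner keyring could ever hold more than one, selecting by the full fingerprint from the `fpr` record would make the signing identity explicit.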