From 91c915924bce958a25d32a914e6635f15bd2ff15 Mon Sep 17 00:00:00 2001
From: Lessley
Date: Tue, 24 Oct 2023 15:45:05 -0600
Subject: [PATCH] build-git-installers: publish gpg public key

Update build-git-installers workflow to publish `microsoft/git`'s GPG public key as part of each release. Add explanation for how to use this key to verify the Debian package's signature to the README.
---
 .github/workflows/build-git-installers.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index 8d6be1430c..047e6e7348 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -587,6 +587,10 @@ jobs:
 - create-macos-artifacts
 - windows_artifacts
 - prereqs
+ env:
+ AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+ GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }}
+ environment: release
 if: |
 success() ||
 (needs.create-linux-artifacts.result == 'skipped' &&
@@ -616,6 +620,19 @@ jobs:
 with:
 name: linux-artifacts
 path: deb-package
+
+ - name: Log into Azure
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ - name: Download GPG public key signature file
+ run: |
+ az keyvault secret show --name "$GPG_PUBLIC_KEY_SECRET_NAME" \
+ --vault-name "$AZURE_VAULT" --query "value" \
+ | sed -e 's/^"//' -e 's/"$//' | base64 -d >msft-git-public.asc
+ mv msft-git-public.asc deb-package
+
 - uses: actions/github-script@v6
 with:
 script: |
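Review bot: The `env:` block added at job level in the first hunk exposes `AZURE_VAULT` and `GPG_PUBLIC_KEY_SECRET_NAME` to every step of the job, including the third-party actions, while only the key-download step added in the second hunk reads them. Declaring the same two entries under an `env:` key on that `run:` step keeps the vault coordinates out of the other steps' environment. The job definition starts above this hunk, so its name and remaining settings are not visible here.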
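Review bot: The "Download GPG public key signature file" step can publish an empty or truncated key, because without `pipefail` a failing `az keyvault secret show` is masked by the exit status of `base64 -d` and the resulting `msft-git-public.asc` is still moved into `deb-package`. Unless the workflow sets `shell: bash` somewhere outside this hunk, the default run shell does not enable pipefail, so the script should start with `set -o pipefail` and run `test -s msft-git-public.asc` before the `mv`. Adding `--output tsv` to the `az` call would return the raw value and make the `sed` quote stripping unnecessary. Separately, `azure/login@v1` is a movable tag in a job that receives `AZURE_CREDENTIALS`; pinning it as `azure/login@<full-commit-sha>` is the safer form for a release job whose output users rely on to verify package signatures.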