chore(ci): add workflow to validate gpg/ folders content (#36)

Author: aduh95

.github/workflows/ci.yml

@@ -58,5 +58,46 @@ jobs:
               curl --fail --silent "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \
               | gpgv --keyring=./pubring.kbx
             }
+
+  lint-pubring:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 0  # We need 0 to validate the git commit signatures.
+          persist-credentials: false
+
+      - name: Check if there are any keyring changes
+        id: keyring-changes
+        run: |
+          git diff --exit-code --quiet ${{ github.event_name == 'push' && github.event.before || 'HEAD^' }} -- gpg/ || echo "HAS_CHANGED=true" >> "$GITHUB_OUTPUT"
+          git diff --exit-code --quiet ${{ github.event_name == 'push' && github.event.before || 'HEAD^' }} -- gpg-only-active-keys/ || echo "HAS_ACTIVE_CHANGED=true" >> "$GITHUB_OUTPUT"
+
+      - name: Export pubring content
+        run: |
+          for dir in gpg gpg-only-active-keys; do
+            gpg --no-default-keyring --keyring "$dir/pubring.kbx" --list-keys --with-colons > "$dir/all-keys.list"
+            gpg --no-default-keyring --keyring "$dir/pubring.kbx" --export --armor > "$dir/all-keys.asc"
+            git add "$dir/all-keys.list" "$dir/all-keys.asc"
+          done
+      - name: Re-generate gpg folders
+        run: |
+          ./generate-gpg-dir.sh
+          for dir in gpg gpg-only-active-keys; do
+            gpg --no-default-keyring --keyring "$dir/pubring.kbx" --list-keys --with-colons > "$dir/all-keys.list"
+            gpg --no-default-keyring --keyring "$dir/pubring.kbx" --export --armor > "$dir/all-keys.asc"
+          done
+      - run: git diff --exit-code -- gpg/all-keys.list gpg/all-keys.asc gpg-only-active-keys/all-keys.list gpg-only-active-keys/all-keys.asc
+
+      - name: Validate that all non-v0.x releases can be verified using the keyring
+        if: steps.keyring-changes.outputs.HAS_CHANGED == 'true'
+        run: |
+          curl -fs https://nodejs.org/dist/index.json \
+          | jq -er '.[].version | select(startswith("v0.") | not)' \
+          | while read -r VERSION; do
+              echo "Checking $VERSION..."
+              curl -fs "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \
+              | gpgv --keyring="gpg/pubring.kbx"
           done
         shell: bash # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference, we want the pipefail option.

generate-gpg-dir.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+set -ex
+
+GNUPGHOME=${1:-"$(cd "$(dirname "$0")"; pwd)/gpg"}
+ONLY_ACTIVE_KEYS=${2:-"$GNUPGHOME-only-active-keys"}
+
+if [ -d "$GNUPGHOME" ]; then
+  # If folder exists, move it to a temp dir
+  # Removing it could be dangerous
+  TRASH=$(mktemp -d)
+  mv "$GNUPGHOME" "$TRASH"
+fi
+if [ -d "$ONLY_ACTIVE_KEYS" ]; then
+  # If folder exists, move it to a temp dir
+  # Removing it could be dangerous
+  TRASH=$(mktemp -d)
+  mv "$ONLY_ACTIVE_KEYS" "$TRASH"
+fi
+
+mkdir -p "$GNUPGHOME"
+
+awk -F'`' '/^<!-- Active releasers keys -->$/,/^<!-- .Active releasers keys -->$/ {if($1 == "  [") print substr($3, 3, length($3) - 3) }' README.md | while read -r KEY_PATH; do
+  GNUPGHOME="$GNUPGHOME" gpg --import "$KEY_PATH"
+done
+
+cp -R "$GNUPGHOME" "$ONLY_ACTIVE_KEYS"
+
+awk -F'`' '/^<!-- Retired keys -->$/,/^<!-- .Retired keys -->$/ {if($1 == "  [") print substr($3, 3, length($3) - 3) }' README.md | while read -r KEY_PATH; do
+  GNUPGHOME="$GNUPGHOME" gpg --import "$KEY_PATH"
+done