From 789b77aad4f4286fe136f1aa7de2863a7bbbb4a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20No=C3=ABl?=
Date: Mon, 9 Sep 2024 16:46:48 -0700
Subject: [PATCH] Properly handle PGP key
---
 .github/workflows/paradedb-publish-helm-chart.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/paradedb-publish-helm-chart.yml b/.github/workflows/paradedb-publish-helm-chart.yml
index 12d05913f..f3f8fb258 100644
--- a/.github/workflows/paradedb-publish-helm-chart.yml
+++ b/.github/workflows/paradedb-publish-helm-chart.yml
@@ -75,12 +75,12 @@ jobs:
 PGP_PASSPHRASE: "${{ secrets.PARADEDB_PGP_PASSPHRASE }}"
 run: |
 IFS=""
- echo "$PGP_PRIVATE_KEY" | gpg --dearmor --verbose > $HOME/secring.gpg
- echo "$PGP_PASSPHRASE" > $HOME/passphrase.txt
+ echo "$PGP_PRIVATE_KEY" | gpg --dearmor --verbose > /tmp/secring.gpg
+ echo "$PGP_PASSPHRASE" > /tmp/passphrase.txt
 # Tell chart-releaser-action where to find the key and its passphrase
- echo "CR_KEYRING=$HOME/secring.gpg" >> "$GITHUB_ENV"
- echo "CR_PASSPHRASE_FILE=$HOME/passphrase.txt" >> "$GITHUB_ENV"
+ echo "CR_KEYRING=/tmp/secring.gpg" >> "$GITHUB_ENV"
+ echo "CR_PASSPHRASE_FILE=/tmp/passphrase.txt" >> "$GITHUB_ENV"
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.6.0
@@ -103,3 +103,7 @@ jobs:
 /repos/paradedb/helm-charts/actions/variables/CHART_VERSION_PATCH \
 -f name='CHART_VERSION_PATCH' \
 -f value='${{ steps.set_versions.outputs.new_chart_version_patch }}'
+
+ - name: Securely Delete the PGP Key and Passphrase
+ if: always()
+ run: shred --remove=wipesync /tmp/secring.gpg /tmp/passphrase.txt
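Review bot: In the first hunk the key ring and passphrase are redirected to fixed names under `/tmp` with whatever umask the shell inherited, so they are created in a world-writable directory, typically readable by other local users, and at paths that can already exist before this step runs. That matters mainly if the job ever runs on a self-hosted or shared runner. Putting `umask 077` as the first line of the `run:` script is a one-line fix for the permissions; a per-job location such as `"$RUNNER_TEMP"` would also avoid the shared directory, with the same path then used in the `CR_KEYRING`, `CR_PASSPHRASE_FILE` and cleanup lines. The step's header and `env:` block start above the hunk.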
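Review bot: The cleanup step added at the end of the second hunk exits non-zero when either file is absent, which is the case `if: always()` is there for when the job stops before the key-preparation step has run. `run: shred --remove=wipesync /tmp/secring.gpg /tmp/passphrase.txt || rm -f /tmp/secring.gpg /tmp/passphrase.txt` keeps the overwrite where it works and still leaves the step green and the files gone otherwise. A short comment such as `# Best effort: shred cannot guarantee an overwrite on journaled or copy-on-write filesystems` would keep later readers from treating this step as the only protection for the key.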