From 5d3cc52edfae066617f67e477a4b0c22504dec39 Mon Sep 17 00:00:00 2001
From: "Jorge O. Castro"
Date: Tue, 18 Jun 2024 18:47:53 -0400
Subject: [PATCH] Revert "Revert "feat: Add kernel signer to sign Fedora kernel with ublue's keys for secure boot"" (#1406)
Co-authored-by: RJ Trujillo
Co-authored-by: RJ Trujillo
---
 .github/workflows/reusable-build.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 92080adba09..49b90c9d3f2 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -78,6 +78,7 @@ jobs:
 echo "AKMODS_FLAVOR=asus" >> $GITHUB_ENV
 elif [[ "${{ matrix.image_flavor }}" =~ "surface" ]]; then
 echo "AKMODS_FLAVOR=surface" >> $GITHUB_ENV
+ echo "KERNEL_SUFFIX=surface" >> $GITHUB_ENV
 else
 echo "AKMODS_FLAVOR=main" >> $GITHUB_ENV
 fi
@@ -144,14 +145,18 @@ jobs:
 if [[ "$IS_LATEST_VERSION" == "true" ]] && \
 [[ "$IS_STABLE_VERSION" == "true" ]]; then
 BUILD_TAGS+=("testing")
+ echo "DEFAULT_TAG=testing" >> $GITHUB_ENV
 elif [[ "$IS_GTS_VERSION" == "true" ]]; then
 BUILD_TAGS+=("gts-testing")
+ echo "DEFAULT_TAG=gts-testing" >> $GITHUB_ENV
 fi
 elif [[ "$IS_LATEST_VERSION" == "true" ]] && \
 [[ "$IS_STABLE_VERSION" == "true" ]]; then
 BUILD_TAGS+=("latest")
+ echo "DEFAULT_TAG=latest" >> $GITHUB_ENV
 elif [[ "$IS_GTS_VERSION" == "true" ]]; then
 BUILD_TAGS+=("gts")
+ echo "DEFAULT_TAG=gts" >> $GITHUB_ENV
 fi
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
@@ -160,6 +165,7 @@ jobs:
 echo "${TAG}"
 done
 alias_tags=("${COMMIT_TAGS[@]}")
+ echo "DEFAULT_TAG=${SHA_SHORT}-${FEDORA_VERSION}" >> $GITHUB_ENV
 else
 alias_tags=("${BUILD_TAGS[@]}")
 fi
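Review bot: KERNEL_SUFFIX is exported only in the surface branch of the `@@ -78,6 +78,7 @@` hunk, so for the asus and main branches `env.KERNEL_SUFFIX` is undefined and the Sign kernel step's `kernel_suffix` input receives an empty string. If an empty suffix is the intended meaning for those flavors, a one-line comment such as `# KERNEL_SUFFIX stays unset for stock Fedora kernels` would make that explicit. Whether asus images ship a differently named kernel is not visible here; if they do, the asus branch needs its own suffix or the signer may not find the kernel it is meant to sign. The if/elif chain starts before the hunk.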
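Review bot: DEFAULT_TAG is written only inside the four branches of the `@@ -144,14 +145,18 @@` hunk, and neither if/elif chain there has an `else`, so a non-pull_request build whose version is neither latest-stable nor GTS leaves it unset and the Sign kernel step receives an empty `default-tag`. Whether the matrix can produce such a version is not visible here, but the failure would be silent and would surface only inside the signing action. Consider holding the value in a shell variable and exporting it once with a guard, `echo "DEFAULT_TAG=${DEFAULT_TAG:?no default tag for this build}" >> "$GITHUB_ENV"`. The pull_request write in the `@@ -160,6 +165,7 @@` hunk appends a second DEFAULT_TAG entry and relies on the later line overriding the earlier one, which a single export would make explicit. The enclosing run script starts and ends outside both hunks.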
@@ -221,6 +227,17 @@ jobs:
 extra-args: |
 --target=${{ env.TARGET_NAME }}
+ - name: Sign kernel
+ uses: ublue-os/kernel-signer@v0.2.3
+ with:
+ image: ${{ steps.build_image.outputs.image }}
+ default-tag: ${{ env.DEFAULT_TAG }}
+ privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }}
+ pubkey: /etc/pki/akmods/certs/akmods-ublue.der
+ tags: ${{ steps.build_image.outputs.tags }}
+ kernel_suffix: ${{ env.KERNEL_SUFFIX }}
+ strip: false
+
 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
 # https://github.com/macbre/push-to-ghcr/issues/12
 - name: Lowercase Registry
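Review bot: The Sign kernel step hands `secrets.AKMOD_PRIVKEY_20230518` to an action referenced by a mutable tag, `ublue-os/kernel-signer@v0.2.3`, so anyone able to move that tag gets code execution with the Secure Boot signing key in scope; pin it to the full commit SHA instead, `uses: ublue-os/kernel-signer@<full-commit-sha> # v0.2.3`. The step also carries no `if:` condition, while the `@@ -160,6 +165,7 @@` hunk sets a pull_request DEFAULT_TAG, which suggests it is meant to run on pull requests too: fork PRs receive an empty secret, and same-repository PR builds would be signed with the production key. If PR images do not need a signed kernel, add `if: github.event_name != 'pull_request'`; otherwise a comment should state how the action behaves when `privkey` is empty.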