feat(nfpm): also allow $NFPM_PASSPHRASE (#4633)

refs #4630 Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
2025-01-18 03:56:52 +02:00 · 2024-02-19 08:51:30 -03:00 · 2024-02-19 08:51:30 -03:00 · d9e9e82ca7
commit d9e9e82ca7
parent a9c76d7655
3 changed files with 40 additions and 31 deletions
--- a/internal/pipe/nfpm/nfpm.go
+++ b/internal/pipe/nfpm/nfpm.go
@ -503,22 +503,18 @@ func destinations(contents files.Contents) []string {
 }

 func getPassphraseFromEnv(ctx *context.Context, packager string, nfpmID string) string {
-	var passphrase string
-
 	nfpmID = strings.ToUpper(nfpmID)
-	packagerSpecificPassphrase := ctx.Env[fmt.Sprintf(
-		"NFPM_%s_%s_PASSPHRASE",
-		nfpmID,
-		packager,
-	)]
-	if packagerSpecificPassphrase != "" {
-		passphrase = packagerSpecificPassphrase
-	} else {
-		generalPassphrase := ctx.Env[fmt.Sprintf("NFPM_%s_PASSPHRASE", nfpmID)]
-		passphrase = generalPassphrase
+	for _, k := range []string{
+		fmt.Sprintf("NFPM_%s_%s_PASSPHRASE", nfpmID, packager),
+		fmt.Sprintf("NFPM_%s_PASSPHRASE", nfpmID),
+		"NFPM_PASSPHRASE",
+	} {
+		if v, ok := ctx.Env[k]; ok {
+			return v
+		}
 	}

-	return passphrase
+	return ""
 }

 func termuxPrefixedDir(dir string) string {
--- a/internal/pipe/nfpm/nfpm_test.go
+++ b/internal/pipe/nfpm/nfpm_test.go
@ -986,6 +986,14 @@ func TestDebSpecificConfig(t *testing.T) {
 		)
 	})

+	t.Run("global passphrase set", func(t *testing.T) {
+		ctx := setupContext(t)
+		ctx.Env = map[string]string{
+			"NFPM_PASSPHRASE": "hunter2",
+		}
+		require.NoError(t, Pipe{}.Run(ctx))
+	})
+
 	t.Run("general passphrase set", func(t *testing.T) {
 		ctx := setupContext(t)
 		ctx.Env = map[string]string{
--- a/www/docs/customization/nfpm.md
+++ b/www/docs/customization/nfpm.md
@ -355,12 +355,8 @@ nfpms:
      # The package is signed if a key_file is set
      signature:
        # PGP secret key file path (can also be ASCII-armored).
-        # The passphrase is taken from the environment variable
-        # `$NFPM_ID_RPM_PASSPHRASE` with a fallback to `$NFPM_ID_PASSPHRASE`,
-        # where ID is the id of the current nfpm config.
-        # The id will be transformed to uppercase.
-        # E.g. If your nfpm id is 'default' then the rpm-specific passphrase
-        # should be set as `$NFPM_DEFAULT_RPM_PASSPHRASE`
+        #
+        # See "Signing key passphrases" below for more information.
        #
        # Templates: allowed.
        key_file: "{{ .Env.GPG_KEY_PATH }}"
@ -399,12 +395,8 @@ nfpms:
      # The package is signed if a key_file is set
      signature:
        # PGP secret key file path (can also be ASCII-armored).
-        # The passphrase is taken from the environment variable
-        # `$NFPM_ID_DEB_PASSPHRASE` with a fallback to `$NFPM_ID_PASSPHRASE`,
-        # where ID is the id of the current nfpm config.
-        # The id will be transformed to uppercase.
-        # E.g. If your nfpm id is 'default' then the deb-specific passphrase
-        # should be set as `$NFPM_DEFAULT_DEB_PASSPHRASE`
+        #
+        # See "Signing key passphrases" below for more information.
        #
        # Templates: allowed.
        key_file: "{{ .Env.GPG_KEY_PATH }}"
@ -426,12 +418,8 @@ nfpms:
      # The package is signed if a key_file is set
      signature:
        # PGP secret key file path (can also be ASCII-armored).
-        # The passphrase is taken from the environment variable
-        # `$NFPM_ID_APK_PASSPHRASE` with a fallback to `$NFPM_ID_PASSPHRASE`,
-        # where ID is the id of the current nfpm config.
-        # The id will be transformed to uppercase.
-        # E.g. If your nfpm id is 'default' then the apk-specific passphrase
-        # should be set as `$NFPM_DEFAULT_APK_PASSPHRASE`
+        #
+        # See "Signing key passphrases" below for more information.
        #
        # Templates: allowed.
        key_file: "{{ .Env.GPG_KEY_PATH }}"
@ -468,6 +456,23 @@ nfpms:

    Fields marked with "overridable" can be overridden for any format.

+## Signing key passphrases
+
+GoReleaser will try to get the password from the following environment
+variables, in the following order of preference:
+
+1. `$NFPM_[ID]_[FORMAT]_PASSPHRASE`
+1. `$NFPM_[ID]_PASSPHRASE`
+1. `$NFPM_PASSPHRASE`
+
+Basically, it'll start from the most specific to the most generic.
+Also, `[ID]` is the uppercase `id` value, and `[FORMAT]` is the uppercase format
+(`deb`, `rpm`, etc).
+
+So, if your `nfpms.id` is `default`, then the deb-specific passphrase
+will be set `$NFPM_DEFAULT_DEB_PASSPHRASE`. GoReleaser will try that, then
+`$NFPM_DEFAULT_PASSPHRASE`, and finally, `$NFPM_PASSPHRASE`.
+
 ## A note about Termux

 Termux is the same format as `deb`, the differences are: