From 722053ff4ff000081ad10063ad4f05cf4ae48b1e Mon Sep 17 00:00:00 2001
From: yxxhero <aiopsclub@163.com>
Date: Tue, 9 Jun 2026 06:48:40 +0800
Subject: [PATCH] Add public key to release assets for offline verification

Signed-off-by: yxxhero <aiopsclub@163.com>
---
 .github/workflows/release.yaml | 8 ++++++++
 README.md                      | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4959ed8c..d1c8009e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -66,6 +66,14 @@ jobs:
           args: release --clean ${{ env.flags }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Export and upload public key
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        run: |
+          gpg --export --armor "${{ secrets.GPG_FINGERPRINT }}" > pubkey.asc
+          gh release upload ${{ github.ref_name }} pubkey.asc
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   provenance-smoke-test:
     runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index 0f54974c..a3241623 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,8 @@ helm plugin install https://github.com/databus23/helm-diff/releases/latest/downl
 For offline/airgapped environments, download the public key from the GitHub release assets on a connected machine, transfer it, and import it locally:
 
 ```shell
-gpg --import <public-key.asc>
+curl -sL https://github.com/databus23/helm-diff/releases/latest/download/pubkey.asc -o pubkey.asc
+gpg --import pubkey.asc
 ```
 
 The public key fingerprint is published in the notes for each GitHub release.