ci: use specific key for signing

.allowed_signers

@@ -3,3 +3,4 @@ aaron@bolddaemon.com sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5z
 aaron@bolddaemon.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC74Cw0fk2g/Fzo2a5bJ+Tw6mEjbGR1/yx0HBt/p3R30
 aaron@bolddaemon.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDM2k2C6Ufx5RNf4qWA9BdQHJfAkskOaqEWf8yjpySwH Nix Manager
 aaron@bolddaemon.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACUwXo7HdoPI9vAMzcbYuXRgsbHA2otn0zF1zsaaj40 nixos ci
+aaron@bolddaemon.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIlVMdlJxNwsBAb6UUA0hqSwpbMA23L+UzRgkiodpOGq CI Signing

bin/ci

@@ -8,7 +8,7 @@ CMD=${1:-""}
 
 eval $(keychain --eval --agents ssh --inherit any)
 
-git config user.signingkey /run/secrets/ci_ed25519_key
+git config user.signingkey /run/secrets/ci_signing_ed25519_key
 git config commit.gpgsign true
 git config gpg.ssh.allowedSignersFile .allowed_signers
 

configs/ci.nix

@@ -44,6 +44,14 @@ in with lib; {
         mode = "444";
         owner = config.xinCI.user;
       };
+      ci_signing_ed25519_key = {
+        mode = "400";
+        owner = config.xinCI.user;
+      };
+      ci_signing_ed25519_pub = {
+        mode = "444";
+        owner = config.xinCI.user;
+      };
       bin_cache_priv_key = {
         mode = "400";
         owner = "root";