ci: add basic job to check new key additions and removals

.gitlab-ci.yml

+image: archlinux:latest
+
+stages:
+  - lint
+
+variables:
+  PACMAN_CACHE: "${CI_PROJECT_DIR}/.pacman/pkg"
+
+cache:
+  paths:
+    - .pacman/pkg
+  key: ${CI_JOB_NAME}
+
+check-new-key:
+  stage: lint
+  needs: []
+  script:
+    - install -d "${PACMAN_CACHE}"
+    - pacman -Syu --needed --noconfirm --cachedir "${PACMAN_CACHE}" git grep hopenpgp-tools sequoia-keyring-linter
+    - ./.gitlab/check-keyids-change
+  only:
+    refs:
+      - merge_requests
+    changes:
+      - master-keyids
+      - packager-keyids

.gitlab/check-keyids-change

+#!/bin/bash
+set -eo pipefail
+
+if [[ -z "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" ]]; then
+	echo "CI_MERGE_REQUEST_DIFF_BASE_SHA is not set"
+	exit 1
+fi
+
+GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
+export GNUPGHOME
+trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT
+
+for NEW_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- master-keyids packager-keyids | grep -oP '^\+(\K[A-Z0-9]{40})'); do
+	echo "Receive gpg key ${NEW_KEY} ..."
+	gpg --recv "${NEW_KEY}"
+
+	echo "Export gpg key ${NEW_KEY} ..."
+	gpg --export "${NEW_KEY}" > "${GNUPGHOME}/${NEW_KEY}"
+
+	echo "Lint gpg key ${NEW_KEY} via hokey..."
+	hokey lint < "${GNUPGHOME}/${NEW_KEY}"
+	echo "Lint gpg key ${NEW_KEY} via sq-keyring-linter..."
+	sq-keyring-linter "${GNUPGHOME}/${NEW_KEY}"
+done
+
+for REMOVED_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-keyids | grep -oP '^\-(\K[A-Z0-9]{40})'); do
+	echo "Check if removed packager key ${REMOVED_KEY} is added to revoked keys..."
+	git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-revoked-keyids | grep -E "^\+${REMOVED_KEY}\s"
+
+	echo "Receive gpg key ${REMOVED_KEY} ..."
+	gpg --recv "${REMOVED_KEY}"
+
+	SHORT_KEYID="${REMOVED_KEY:24:16}"
+	echo "Check if key ${SHORT_KEYID} is still used by a package..."
+	if pacman -Sii | grep -m1 "${SHORT_KEYID}"; then
+		exit 1
+	fi
+done