ci: reject tags if not signed by Matthew Holt's key (#3932)

* ci: reject tags if not signed by Matthew Holt's key * ci: don't reject tags if an intermediate commits are not signed
author: Mohammed Al Sahaf <msaa1990@gmail.com> 2020-12-29 22:52:13 +0300
committer: GitHub <noreply@github.com> 2020-12-29 12:52:13 -0700
commit: 2b90cdba52e2a4f160cdef829425bc01fbaa0d04 (patch)
tree: 814269dc14b2d710cf82509f613a61e75831d225 /.github/workflows
parent: 635f075f187ac73c65e6939b8402494469a4d627 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 763c9e2..a51a35d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,6 +53,16 @@ jobs:
         echo "::set-output name=tag_patch::${TAG_PATCH}"
         echo "::set-output name=tag_special::${TAG_SPECIAL}"
 
+    - name: Validate commits and tag signatures
+      run: |
+        
+        # Import Matt Holt's key
+        curl 'https://github.com/mholt.gpg' | gpg --import
+
+        echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
+        # tags are only accepted if signed by Matt's key
+        git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
+
     - name: Cache the build cache
       uses: actions/cache@v2
       with:
author	Mohammed Al Sahaf <msaa1990@gmail.com>	2020-12-29 22:52:13 +0300
committer	GitHub <noreply@github.com>	2020-12-29 12:52:13 -0700
commit	2b90cdba52e2a4f160cdef829425bc01fbaa0d04 (patch)
tree	814269dc14b2d710cf82509f613a61e75831d225 /.github/workflows
parent	635f075f187ac73c65e6939b8402494469a4d627 (diff)