authorMohammed Al Sahaf <msaa1990@gmail.com>2020-12-29 22:52:13 +0300
committerGitHub <noreply@github.com>2020-12-29 12:52:13 -0700
commit2b90cdba52e2a4f160cdef829425bc01fbaa0d04 (patch)
tree814269dc14b2d710cf82509f613a61e75831d225 /.github
parent635f075f187ac73c65e6939b8402494469a4d627 (diff)
ci: reject tags if not signed by Matthew Holt's key (#3932)
* ci: reject tags if not signed by Matthew Holt's key * ci: don't reject tags if intermediate commits are not signed
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/release.yml10
1 files changed, 10 insertions, 0 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 763c9e2..a51a35d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,6 +53,16 @@ jobs:
echo "::set-output name=tag_patch::${TAG_PATCH}"
echo "::set-output name=tag_special::${TAG_SPECIAL}"
+ - name: Validate commits and tag signatures
+ run: |
+
+ # Import Matt Holt's key
+ curl 'https://github.com/mholt.gpg' | gpg --import
+
+ echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
+ # tags are only accepted if signed by Matt's key
+ git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
+
- name: Cache the build cache
uses: actions/cache@v2
with:
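Review bot: The trust anchor in the new `Validate commits and tag signatures` step is whatever `https://github.com/mholt.gpg` serves at run time, and `git verify-tag` succeeds for a valid signature from any key that import placed in the keyring, so the check is tied to the current state of that GitHub account rather than to one known key. Pinning the expected fingerprint in the workflow and comparing it with the `VALIDSIG` status line from `git verify-tag --raw` closes that gap, and adding `--fail` to the curl call makes a failed download show up as such. The step also expands `${{ steps.vars.outputs.version_tag }}` directly into the script text, which is substituted before the shell parses it; the `vars` step is defined outside this hunk, but if that value is derived from the pushed ref name it should reach the script through `env:` and be used as a quoted shell variable. The fingerprint in the sketch below is a placeholder, not the real key.

```yaml
      - name: Validate commits and tag signatures
        env:
          VERSION_TAG: ${{ steps.vars.outputs.version_tag }}
          # placeholder: full fingerprint of the expected primary signing key
          SIGNER_FPR: '<EXPECTED_PRIMARY_KEY_FINGERPRINT>'
        run: |
          # Import Matt Holt's key
          curl --fail --silent --show-error 'https://github.com/mholt.gpg' | gpg --import

          echo "Verifying the tag: ${VERSION_TAG}"
          # tags are only accepted if signed by Matt's key
          git verify-tag "${VERSION_TAG}" || exit 1
          # the signature must come from the pinned key, not from any key that was imported
          git verify-tag --raw "${VERSION_TAG}" 2>&1 | grep -Eq "VALIDSIG .* ${SIGNER_FPR}\$" || exit 1
```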