From 2b90cdba52e2a4f160cdef829425bc01fbaa0d04 Mon Sep 17 00:00:00 2001 From: Mohammed Al Sahaf Date: Tue, 29 Dec 2020 22:52:13 +0300 Subject: ci: reject tags if not signed by Matthew Holt's key (#3932) * ci: reject tags if not signed by Matthew Holt's key * ci: don't reject tags if an intermediate commits are not signed --- .github/workflows/release.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 763c9e2..a51a35d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,6 +53,16 @@ jobs: echo "::set-output name=tag_patch::${TAG_PATCH}" echo "::set-output name=tag_special::${TAG_SPECIAL}" + - name: Validate commits and tag signatures + run: | + + # Import Matt Holt's key + curl 'https://github.com/mholt.gpg' | gpg --import + + echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}" + # tags are only accepted if signed by Matt's key + git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1 + - name: Cache the build cache uses: actions/cache@v2 with: -- cgit v1.2.3