From 942e926a581046223ffc3db56b65180770ad0604 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Stankovi=C4=87?=
Date: Tue, 21 Jan 2025 17:35:43 +0100
Subject: [PATCH] ci: enforce signed tags
---
 .github/workflows/publish-android.yml | 2 ++
 .github/workflows/publish-jvm.yml | 2 ++
 .github/workflows/publish-swift.yml | 2 ++
 .github/workflows/publish-wasm.yml | 2 ++
 4 files changed, 8 insertions(+)
diff --git a/.github/workflows/publish-android.yml b/.github/workflows/publish-android.yml
index de7f321211..d59d2a80a0 100644
--- a/.github/workflows/publish-android.yml
+++ b/.github/workflows/publish-android.yml
@@ -26,6 +26,8 @@ jobs:
 needs: build-android
 steps:
 - uses: actions/checkout@v4
+ - name: ensure the tag is signed
+ run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - name: set up jdk 17
 uses: actions/setup-java@v4
 with:
diff --git a/.github/workflows/publish-jvm.yml b/.github/workflows/publish-jvm.yml
index b61047345a..9c325408f7 100644
--- a/.github/workflows/publish-jvm.yml
+++ b/.github/workflows/publish-jvm.yml
@@ -26,6 +26,8 @@ jobs:
 runs-on: macos-latest
 steps:
 - uses: actions/checkout@v4
+ - name: ensure the tag is signed
+ run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - name: setup rust
 uses: actions-rust-lang/setup-rust-toolchain@v1 # this implicitly caches Rust tools and build artifacts
 with:
diff --git a/.github/workflows/publish-swift.yml b/.github/workflows/publish-swift.yml
index 22e2c7eac2..8982d3d15d 100644
--- a/.github/workflows/publish-swift.yml
+++ b/.github/workflows/publish-swift.yml
@@ -25,6 +25,8 @@ jobs:
 with:
 xcode-version: '14.3.1'
 - uses: actions/checkout@v4
+ - name: ensure the tag is signed
+ run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - name: "setup rust"
 uses: actions-rust-lang/setup-rust-toolchain@v1 # this implicitly caches Rust tools and build artifacts
 with:
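Review bot: The step added in publish-android.yml only greps the object for the literal `-----BEGIN PGP SIGNATURE-----`, so it shows that signature-shaped text is present, not that the signature verifies or was made by a release key. A signature from any key satisfies it, and so does the marker appearing anywhere in the printed object, so the publish is not bound to a trusted signer. Consider importing the maintainers' public keys into the runner's keyring from a pinned location and replacing the grep with `run: git verify-tag "refs/tags/$GITHUB_REF_NAME"`, ideally also comparing the signer's fingerprint against an allow-list. The same step is added in publish-jvm.yml, publish-swift.yml and publish-wasm.yml.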
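Review bot: In publish-jvm.yml the new `run:` line expands `${{ github.ref_name }}` into the script text before the shell parses it, so the ref name is handled as shell source rather than as data, and git ref names may contain shell metacharacters. These are publish jobs, which presumably have registry credentials in scope, so the ref should reach the command as a quoted variable: `run: git cat-file -p "refs/tags/$GITHUB_REF_NAME" | grep -q -- '-----BEGIN PGP SIGNATURE-----'`. The identical line appears in the android, swift and wasm hunks.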
diff --git a/.github/workflows/publish-wasm.yml b/.github/workflows/publish-wasm.yml
index c84bd29c15..2d2813a737 100644
--- a/.github/workflows/publish-wasm.yml
+++ b/.github/workflows/publish-wasm.yml
@@ -22,6 +22,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ - name: ensure the tag is signed
+ run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - uses: actions-rust-lang/setup-rust-toolchain@v1
 with:
 target: wasm32-unknown-unknown
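Review bot: The step in publish-wasm.yml never checks that the ref resolves to an annotated tag object. `git cat-file -p` on a name that resolves to a commit prints the commit, and a signed commit carries the same `-----BEGIN PGP SIGNATURE-----` marker in its `gpgsig` header, so a lightweight tag on a signed commit would pass. It is worth confirming that `actions/checkout@v4` leaves the local tag ref pointing at the tag object rather than the peeled commit, and adding a guard such as `test "$(git cat-file -t "refs/tags/$GITHUB_REF_NAME")" = tag` before the signature check. The workflow trigger is outside the hunk, so whether branch refs can reach this step cannot be seen here; the same applies to the android, jvm and swift hunks.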