From aee108dd902c90dab2ed477a063d8ba80759dffc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Stankovi=C4=87?=
Date: Wed, 22 Jan 2025 13:36:03 +0100
Subject: [PATCH] ci: make sure the tag being pushed is both annotated and signed

Just using '-p' would simply pretty-print the referenced commit for unannotated tags, which would then pass the check since we require signed commits. So make sure the tag really is annotated and signed.
---
 .github/workflows/publish-android.yml | 2 +-
 .github/workflows/publish-jvm.yml | 2 +-
 .github/workflows/publish-swift.yml | 2 +-
 .github/workflows/publish-wasm.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-android.yml b/.github/workflows/publish-android.yml
index d59d2a80a0..641e8026d9 100644
--- a/.github/workflows/publish-android.yml
+++ b/.github/workflows/publish-android.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: ensure the tag is signed
- run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+ run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - name: set up jdk 17
 uses: actions/setup-java@v4
 with:
diff --git a/.github/workflows/publish-jvm.yml b/.github/workflows/publish-jvm.yml
index 9c325408f7..796675db29 100644
--- a/.github/workflows/publish-jvm.yml
+++ b/.github/workflows/publish-jvm.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: ensure the tag is signed
- run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+ run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - name: setup rust
 uses: actions-rust-lang/setup-rust-toolchain@v1 # this implicitly caches Rust tools and build artifacts
 with:
diff --git a/.github/workflows/publish-swift.yml b/.github/workflows/publish-swift.yml
index 8982d3d15d..60e23c9f25 100644
--- a/.github/workflows/publish-swift.yml
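Review bot: The new `run:` line in the "ensure the tag is signed" step of publish-android.yml still only greps the tag object for the text `-----BEGIN PGP SIGNATURE-----`, so it shows that the tag is annotated and contains something shaped like a signature block, not that the signature is valid or was made by a release key. If the intent is to gate publishing on a trusted signer, import the maintainers' public keys in an earlier step and replace the grep with `git verify-tag "refs/tags/$TAG_NAME"`, which also fails for unannotated tags. Separately, `${{ github.ref_name }}` is expanded into the script text before the shell runs, and the tag name is chosen by whoever pushes the tag, so pass it through the environment instead: `env:` with `TAG_NAME: ${{ github.ref_name }}`. The same line appears in the publish-jvm.yml, publish-swift.yml and publish-wasm.yml hunks; the step list continues outside each hunk, so I cannot see whether a later step already verifies the signature.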
+++ b/.github/workflows/publish-swift.yml
@@ -26,7 +26,7 @@ jobs:
 xcode-version: '14.3.1'
 - uses: actions/checkout@v4
 - name: ensure the tag is signed
- run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+ run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - name: "setup rust"
 uses: actions-rust-lang/setup-rust-toolchain@v1 # this implicitly caches Rust tools and build artifacts
 with:
diff --git a/.github/workflows/publish-wasm.yml b/.github/workflows/publish-wasm.yml
index 2d2813a737..d072b26155 100644
--- a/.github/workflows/publish-wasm.yml
+++ b/.github/workflows/publish-wasm.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: ensure the tag is signed
- run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+ run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
 - uses: actions-rust-lang/setup-rust-toolchain@v1
 with:
 target: wasm32-unknown-unknown