ci: make sure the tag being pushed is both annotated and signed

Just using '-p' would simply pretty-print the referenced commit for unannotated tags, which would then pass the check since we require signed commits. So make sure the tag really is annotated and signed.
wireapp · Jan 22, 2025 · d4e0e75 · d4e0e75
1 parent ed6a8ab
commit d4e0e75
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/.github/workflows/publish-android.yml b/.github/workflows/publish-android.yml
@@ -27,7 +27,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: ensure the tag is signed
-        run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+        run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
       - name: set up jdk 17
         uses: actions/setup-java@v4
         with:

diff --git a/.github/workflows/publish-jvm.yml b/.github/workflows/publish-jvm.yml
@@ -27,7 +27,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: ensure the tag is signed
-        run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+        run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
       - name: setup rust
         uses: actions-rust-lang/setup-rust-toolchain@v1  # this implicitly caches Rust tools and build artifacts
         with:

diff --git a/.github/workflows/publish-swift.yml b/.github/workflows/publish-swift.yml
@@ -26,7 +26,7 @@ jobs:
           xcode-version: '14.3.1'
       - uses: actions/checkout@v4
       - name: ensure the tag is signed
-        run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+        run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
       - name: "setup rust"
         uses: actions-rust-lang/setup-rust-toolchain@v1  # this implicitly caches Rust tools and build artifacts
         with:

diff --git a/.github/workflows/publish-wasm.yml b/.github/workflows/publish-wasm.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: ensure the tag is signed
-        run: git cat-file -p ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
+        run: git cat-file tag ${{ github.ref_name }} | grep -q -- '-----BEGIN PGP SIGNATURE-----'
       - uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
           target: wasm32-unknown-unknown