Merge pull request #76 from fluxcd/verify-signed-tag

Add check for PGP signed tags to release workflow
fluxcd · Jun 30, 2023 · 7c3a1cd · 7c3a1cd
2 parents 92736d7 + b5c9798
commit 7c3a1cd
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -33,6 +33,11 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
+      - name: Verify signed release
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          git -P show ${{ github.event.inputs.tag }} | grep -q 'PGP SIGNATURE' || \
+          { echo "No PGP signature found for tag ${{ github.event.inputs.tag }}. Aborting release process..."; exit 1; }
       - name: Prepare
         id: prep
         run: |