From becf25d9869e91b213c5e6b09ded216523db35c7 Mon Sep 17 00:00:00 2001
From: Ruben Nijveld
Date: Fri, 29 Mar 2024 14:26:50 +0100
Subject: [PATCH] Make sure the to release commit is signed
---
 .github/workflows/packaging.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/packaging.yaml b/.github/workflows/packaging.yaml
index 7f39ae9bf..315b3bbce 100644
--- a/.github/workflows/packaging.yaml
+++ b/.github/workflows/packaging.yaml
@@ -98,6 +98,13 @@ jobs:
 toolchain: "stable"
 components: "llvm-tools"
+ - name: Check that the release commit is verified
+ run: |
+ commit_url="${{ github.api_url }}/repos/${{ github.repository }}/commits/${{ github.sha }}"
+ json_accept_header="Accept: application/vnd.github+json"
+ auth_bearer_header="Authorization: Bearer ${{ github.token }}"
+ test "$(curl -sf -H "$json_accept_header" -H "$auth_bearer_header" "$commit_url" | jq .verification.verified)" == "true"
+
 - name: Read the version from the manifest file
 run: echo "release_version=$(cargo read-manifest --manifest-path ntpd/Cargo.toml | jq -r .version)" >> "$GITHUB_ENV"
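Review bot: The `jq .verification.verified` filter in the added step looks wrong for the endpoint it queries: `/repos/{owner}/{repo}/commits/{sha}` nests the verification object under `commit` (a top-level `verification` belongs to the `git/commits` endpoint), so the filter yields `null` and the `test` fails for every commit, signed or not; it should read `jq -r .commit.verification.verified`. The step does fail closed, also when `curl -sf` errors out, but it does so silently, so echoing `.commit.verification.reason` before failing would help whoever has to debug a blocked release. Once the path is fixed, `verified: true` only says that GitHub matched the signature to a key it associates with some account, not that a maintainer signed; if the latter is the intent, the step should also compare the signer against an allowlist. Passing the token through `env:` (for example `GH_TOKEN: ${{ github.token }}`) instead of interpolating it into the script text is the more defensive pattern for `run:` blocks. The enclosing job starts and ends outside the hunk, so the trigger and the ref that `github.sha` resolves to could not be checked here.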