From f8a9e6052680c8a096aa223e7e9461c6b6f6be60 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 6 Mar 2024 22:31:18 +0000
Subject: [PATCH 1/2] Check tag exists on main on release

This mitigates the risk of a tag being generated and pushed off of a branch.

Signed-off-by: Hayden Blauzvern
---
 .github/workflows/java-build-for-release.yml | 26 +++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/java-build-for-release.yml b/.github/workflows/java-build-for-release.yml
index 98ca1fec..abe49417 100644
--- a/.github/workflows/java-build-for-release.yml
+++ b/.github/workflows/java-build-for-release.yml
@@ -5,10 +5,34 @@ on:
 # if you change this pattern, make sure jobs.strip-tag still works
 - 'release/java/v[0-9]+.[0-9]+.[0-9]+'
 jobs: 
+ check-tag-main: 
+ runs-on: ubuntu-latest 
+ steps: 
+ - name: Checkout all branches 
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
+ with: 
+ fetch-depth: 0 
+ - name: Verify tag on branch 
+ # Check main is one of the branches where the tagged commit exists 
+ run: | 
+ branches=$(git branch --contains ${{ github.ref }}) --format "%(refname:short)" 
+ found=false 
+ for b in $raw; do 
+ if [ "$x" = "main" ]; then 
+ found=true 
+ fi 
+ done 
+ if [ "$found" = false ]; then 
+ exit 1 
+ fi 
+
 ci: 
+ needs: [check-tag-main] 
+ uses: ./.github/workflows/java-build.yml
 strip-tag: 
+ needs: [check-tag-main] 
+ runs-on: ubuntu-latest
 outputs:
 version: ${{ steps.version.outputs.version }}
@@ -21,7 +45,7 @@ jobs:
 build:
 runs-on: ubuntu-latest 
- needs: [ci, strip-tag] 
+ needs: [ci, strip-tag, check-tag-main]
 outputs:
 hashes: ${{ steps.hash.outputs.hashes }}
 steps:

From 867ea60ff9cb2f27384fed91bfaa28af6eff5cd9 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Wed, 6 Mar 2024 22:57:12 +0000
Subject: [PATCH 2/2] feedback

Signed-off-by: Hayden Blauzvern
---
 .github/workflows/java-build-for-release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-) 
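Review bot: In the `Verify tag on branch` step, `${{ github.ref }}` is expanded into the `run:` script text before bash ever sees it; the `release/java/v[0-9]+.[0-9]+.[0-9]+` tag filter on this workflow appears to keep that value to a safe character set, but the check is then only as strong as the trigger pattern, and the conventional hardening is to pass the ref through the environment instead. Give the step an `env:` block with `REF: ${{ github.ref }}` and use `git branch --contains "$REF"` in the script. A bare `exit 1` also leaves no diagnostic in the job log; emitting `echo "::error::tag $REF is not on main"` before it tells the release engineer why the run was stopped. The loop variables in this step are reworked by the second patch on this page, so they are not raised here.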
diff --git a/.github/workflows/java-build-for-release.yml b/.github/workflows/java-build-for-release.yml
index abe49417..b2f6f4fc 100644
--- a/.github/workflows/java-build-for-release.yml
+++ b/.github/workflows/java-build-for-release.yml
@@ -16,10 +16,10 @@ jobs:
 - name: Verify tag on branch
 # Check main is one of the branches where the tagged commit exists
 run: | 
- branches=$(git branch --contains ${{ github.ref }}) --format "%(refname:short)" 
+ branches=($(git branch --contains ${{ github.ref }} --format "%(refname:short)"))
 found=false 
- for b in $raw; do 
- if [ "$x" = "main" ]; then 
+ for b in "${branches[@]}"; do 
+ if [ "$b" = "main" ]; then
 found=true
 fi
 done
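Review bot: `git branch --contains` without `-r`/`-a` lists only local branches, and after `actions/checkout` of a tag ref with `fetch-depth: 0` the other branches are normally present only as remote-tracking refs, so `main` is unlikely to ever appear in `branches` and a legitimate release tag would fail this gate — worth confirming against a real tag run before relying on it. If that holds, the safer form is `branches=($(git branch -r --contains ${{ github.ref }} --format "%(refname:short)"))` with the comparison changed to `[ "$b" = "origin/main" ]`. Splitting the command output into an array is fine here because ref names cannot contain whitespace. The `run:` block continues past the hunk (the `found` test and `exit 1` are outside it).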