summaryrefslogtreecommitdiffhomepage
path: root/.github
diff options
context:
space:
mode:
authorMohammed Al Sahaf <[email protected]>2020-12-29 22:52:13 +0300
committerGitHub <[email protected]>2020-12-29 12:52:13 -0700
commit2b90cdba52e2a4f160cdef829425bc01fbaa0d04 (patch)
tree814269dc14b2d710cf82509f613a61e75831d225 /.github
parent635f075f187ac73c65e6939b8402494469a4d627 (diff)
downloadcaddy-2b90cdba52e2a4f160cdef829425bc01fbaa0d04.tar.gz
caddy-2b90cdba52e2a4f160cdef829425bc01fbaa0d04.zip
ci: reject tags if not signed by Matthew Holt's key (#3932)
* ci: reject tags if not signed by Matthew Holt's key * ci: don't reject tags if an intermediate commits are not signed
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/release.yml10
1 files changed, 10 insertions, 0 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 763c9e202..a51a35dde 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,6 +53,16 @@ jobs:
echo "::set-output name=tag_patch::${TAG_PATCH}"
echo "::set-output name=tag_special::${TAG_SPECIAL}"
+ - name: Validate commits and tag signatures
+ run: |
+
+ # Import Matt Holt's key
+ curl 'https://github.com/mholt.gpg' | gpg --import
+
+ echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
+ # tags are only accepted if signed by Matt's key
+ git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
+
- name: Cache the build cache
uses: actions/cache@v2
with: