verify tagging in release, tighten up global perms

bckohan · bckohan · commit f9ebe4f67c5f · 2025-02-24T14:54:10.000-08:00
diff --git a/.github/workflows/debug.yml b/.github/workflows/debug.yml
@@ -1,5 +1,8 @@
 name: Debug
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,5 +1,8 @@
 name: Lint
 
+permissions:
+  contents: read
+  
 on:
   push:
   pull_request:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -65,6 +65,14 @@ jobs:
         # verify version
         just verify_version $TAG_NAME
 
+        # check that github has marked the tag as verified
+        export TAG_URL=`curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/${{ github.repository_owner }}/${{ github.repository }}/git/refs/tags/$TAG_NAME | jq -r ".object.url"`
+        result=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "$TAG_URL" | jq -r ".verification.verified")
+        if [ "$result" != "true" ]; then
+          echo "Error: Tag verification failed." >&2
+          exit 1
+        fi
+
         # export the release version
         echo "RELEASE_VERSION=${TAG_NAME}" >> $GITHUB_ENV 
     - name: Build the binary wheel and a source tarball
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: Test
 
+permissions:
+  contents: read
+  
 on:
   push:
   pull_request:
diff --git a/justfile b/justfile
@@ -206,7 +206,6 @@ coverage:
 run +ARGS:
     uv run {{ ARGS }}
 
-
 # validate the given version string against the lib version
 [script]
 validate_version VERSION:
@@ -219,6 +218,6 @@ validate_version VERSION:
 
 # issue a relase for the given semver string (e.g. 2.1.0)
 release VERSION:
-    @just _validate_version {{ VERSION }}
+    @just validate_version {{ VERSION }}
     git tag -s v{{ VERSION }} -m "{{ VERSION }} Release"
     git push origin {{ VERSION }}
