Merge pull request #76 from fluxcd/verify-signed-tag

Add check for PGP signed tags to release workflow

Author: stefanprodan

.github/workflows/release.yaml

@@ -33,6 +33,11 @@ jobs:
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
+      - name: Verify signed release
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          git -P show ${{ github.event.inputs.tag }} | grep -q 'PGP SIGNATURE' || \
+          { echo "No PGP signature found for tag ${{ github.event.inputs.tag }}. Aborting release process..."; exit 1; }
       - name: Prepare
         id: prep
         run: |