fix(ci): sign auto-tags via GitHub API and handle missing seed tag

persimmon16 · web-flow · commit 6f57f18b658e · 2026-04-01T11:35:16.000-04:00
Two fixes for the Release Auto-Tag workflow:

1. Bootstrap support: when no v*.*.* tags exist, seed from v0.0.0
   so the first auto-tag creates v0.0.1 instead of failing.

2. Signed tags: replace lightweight `git tag` + `git push` with
   GitHub's Git database API (gh api git/tags + git/refs), which
   creates annotated tag objects signed by the token identity.
   Tags now show as "Verified" in the GitHub UI.
diff --git a/.github/workflows/release-auto-tag.yml b/.github/workflows/release-auto-tag.yml
@@ -29,13 +29,17 @@ jobs:
         run: |
           latest=$(git tag -l 'v*.*.*' --sort=-v:refname | head -1)
           if [ -z "$latest" ]; then
-            echo "::error::No existing v*.*.* tags found"
-            exit 1
+            echo "No existing tags — seeding from v0.0.0"
+            latest="v0.0.0"
           fi
           echo "Latest tag: $latest"
 
-          # Skip if no new commits since the latest tag
-          commit_count=$(git rev-list "${latest}..HEAD" --count)
+          # Skip if no new commits since the latest tag (unless seeding)
+          if git rev-parse "$latest" >/dev/null 2>&1; then
+            commit_count=$(git rev-list "${latest}..HEAD" --count)
+          else
+            commit_count=$(git rev-list HEAD --count)
+          fi
           echo "Commits since $latest: $commit_count"
           if [ "$commit_count" -eq 0 ]; then
             echo "No new commits since $latest — skipping tag creation"
@@ -56,17 +60,34 @@ jobs:
           echo "next=$next" >> "$GITHUB_OUTPUT"
           echo "Next tag: $next"
 
-      - name: Create and push tag
+      - name: Create signed tag via GitHub API
         if: steps.version.outputs.skip != 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.version.outputs.next }}
         run: |
-          git tag ${{ steps.version.outputs.next }}
-          git push origin ${{ steps.version.outputs.next }}
+          SHA=$(git rev-parse HEAD)
+
+          # Create annotated tag object (GitHub signs it with the token identity)
+          gh api "repos/${{ github.repository }}/git/tags" \
+            -f tag="$TAG" \
+            -f message="Release $TAG" \
+            -f object="$SHA" \
+            -f type=commit
+
+          # Create the ref pointing to the tag object
+          gh api "repos/${{ github.repository }}/git/refs" \
+            -f ref="refs/tags/$TAG" \
+            -f sha="$SHA"
+
+          echo "Created verified tag $TAG at $SHA"
 
       - name: Trigger Release Tag workflow
         if: steps.version.outputs.skip != 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.version.outputs.next }}
         run: |
           gh workflow run release-tag.yml \
             --ref main \
-            -f tag=${{ steps.version.outputs.next }}
+            -f tag="$TAG"
