Sign github tags created by release command

[LNSD]

Motivations

The creation (and push) of Git tags is automated by the release-plz release command. The newly created tags are not signed, so they appear in the GitHub UI as "unverified":

• Would you like to implement this feature? Yes

Proposed Solution

Currently, there's no GitHub API that supports signing git tags (see this GitHub discussion), despite a REST API exists to create signed/verified commits using the GitHub token.

To sign tags in the CI using git's --sign option, we could use an environment variable (e.g., GPG_SIGNING_KEY) to pass a GPG sub-key ID to the release command. This environment variable can be optional and keep the current behavior if not provided.

Of course, this would require the GPG key to be imported in the action container's GPG keyring using, for instance, the Import GPG action.

[MarcoIeni]

a REST API exists to create signed/verified commits using the GitHub token.

We are already using this, right?
Is this useful to create signed tags, too?

[LNSD]

We are already using this, right?
Is this useful to create signed tags, too?

I meant that there is no API to create signed tags. The only way to do this is to use the regular signing mechanism, i.e., GPG, to sign the commits.

[MarcoIeni]

I see.

I wonder how release-please sings tags. https://github.com/googleapis/release-please/tags 🤔

[LNSD]

I see.

I wonder how release-please sings tags. googleapis/release-please/tags 🤔

I think they are using an external in-house-built service. At least, that is what the .kokoro/ directory files suggests to me.

[MarcoIeni]

I see.

Of course, this would require the GPG key to be imported in the action container's GPG keyring using, for instance, the Import GPG action.

Can't this be done by the user before running the release-plz action?
Release-plz can add the -s to the git tag if it detects that a gpg key is configured (I guess if the following is present in the .gitconfig:

[tag]
    gpgSign = true

what do you think?