ci: abort workflow if latest repo tag does not match with running tag ref

protects against a maintainer creating a downgrading version tag, and
uploading artifacts with that version

this check is only run via workflow dispatch on the tag

Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-05-05 02:10:47 -04:00 committed by June
parent 56f1d8be1f
commit 91ff6a36a4


@ -46,6 +46,18 @@ jobs:
- name: Sync repository
uses: actions/checkout@v4
- name: Tag comparison check
if: startsWith('refs/tags/v', github.ref)
run: |
# Tag mismatch with latest repo tag check to prevent potential downgrades
LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
if [ $LATEST_TAG != ${{ github.ref_name }} ]; then
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.'
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY
exit 1
fi
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
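Review bot: The step condition on the `if:` line never fires, because GitHub's `startsWith(searchString, searchValue)` takes the string being inspected first, so `startsWith('refs/tags/v', github.ref)` asks whether the literal `refs/tags/v` begins with the full ref; it should read `if: startsWith(github.ref, 'refs/tags/v')`, otherwise the downgrade guard is silently skipped on every tag run. In the shell, `$LATEST_TAG` and the interpolated ref name are unquoted, so an empty `git describe` result turns the test into a syntax error rather than a failed check; prefer passing the name through `env:` and writing `if [ "$LATEST_TAG" != "$TAG_NAME" ]; then`. The checkout step above carries no `with:` options in this view, and actions/checkout's default shallow fetch does not bring in other tags, so `git rev-list --tags` may see only the tag being built and the comparison would trivially pass — confirm, and if so add `fetch-depth: 0` (or `fetch-tags: true`) on that step. The description says the check runs only via workflow dispatch, but the condition does not test `github.event_name`, so it also applies to plain tag pushes; if that is intended, a comment on the step saying so would help.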