ci: abort workflow if latest repo tag does not match with running tag ref
protects against a maintainer creating a downgrading version tag, and uploading artifacts with that version this check is only ran via workflow dispatch on the tag Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
parent
56f1d8be1f
commit
91ff6a36a4
1 changed files with 12 additions and 0 deletions
12
.github/workflows/ci.yml
vendored
12
.github/workflows/ci.yml
vendored
|
@ -46,6 +46,18 @@ jobs:
|
|||
- name: Sync repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Tag comparison check
|
||||
if: startsWith('refs/tags/v', github.ref)
|
||||
run: |
|
||||
# Tag mismatch with latest repo tag check to prevent potential downgrades
|
||||
LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
|
||||
|
||||
if [ $LATEST_TAG != ${{ github.ref_name }} ]; then
|
||||
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.'
|
||||
echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
|
||||
|
|
Loading…
Add table
Reference in a new issue