From 91ff6a36a4e4fa8543af8caad29b4ca385a1ded7 Mon Sep 17 00:00:00 2001
From: strawberry
Date: Sun, 5 May 2024 02:10:47 -0400
Subject: [PATCH] ci: abort workflow if latest repo tag does not match with running tag ref

protects against a maintainer creating a downgrading version tag, and uploading artifacts with that version

this check is only ran via workflow dispatch on the tag

Signed-off-by: strawberry
---
 .github/workflows/ci.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a976461e..13a97664 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,6 +46,18 @@ jobs:
 - name: Sync repository
 uses: actions/checkout@v4
+ - name: Tag comparison check
+ if: startsWith('refs/tags/v', github.ref)
+ run: |
+ # Tag mismatch with latest repo tag check to prevent potential downgrades
+ LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
+ if [ $LATEST_TAG != ${{ github.ref_name }} ]; then
+ echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.'
+ echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY
+ exit 1
+ fi
+
 - name: Install Nix
 uses: DeterminateSystems/nix-installer-action@main
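Review bot: The `if:` condition on the new "Tag comparison check" step has its arguments reversed, so the step never runs on a tag ref and the guard is dead code: GitHub's `startsWith(searchString, searchValue)` here tests whether the literal `'refs/tags/v'` starts with `github.ref`, which is false for any real tag such as `refs/tags/v1.2.3`; it should read `if: startsWith(github.ref, 'refs/tags/v')`. Even with that fixed, the preceding `actions/checkout@v4` step is shown with default inputs (shallow clone, no tags fetched), so `git rev-list --tags` would see at most the dispatched tag itself and `LATEST_TAG` would trivially equal `github.ref_name` or be empty — the checkout needs `fetch-depth: 0` (or `fetch-tags: true`) for the comparison to mean anything. `git rev-list --tags --max-count=1` also orders by commit date rather than version, so a lower version number tagged on a newer commit would still pass; `git tag --sort=-v:refname` matches the stated anti-downgrade intent better. Finally, `${{ github.ref_name }}` is interpolated directly into the shell script and both operands of `[ != ]` are unquoted, so an empty `LATEST_TAG` is a shell syntax error rather than a deliberate abort — pass the ref through `env:` and quote both sides. The hunk's trailing context may continue past the end of this excerpt.
```yaml
      - name: Sync repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history and tags are required by the tag check below

      - name: Tag comparison check
        if: startsWith(github.ref, 'refs/tags/v')
        env:
          RUNNING_TAG: ${{ github.ref_name }}
        run: |
          # Abort if the dispatched tag is not the highest version tag in the repo (anti-downgrade)
          LATEST_TAG=$(git tag --list 'v*' --sort=-v:refname | head -n1)
          if [ -z "$LATEST_TAG" ] || [ "$LATEST_TAG" != "$RUNNING_TAG" ]; then
            # … unchanged: the two WARNING echo lines …
            exit 1
          fi
```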