Avoid inherited tag signing in release script#63
Merged
Conversation
|
anmarchenko
approved these changes
Jul 1, 2026
There was a problem hiding this comment.
More details
The PR correctly adds --no-sign to both tag creation commands (lines 297–298), ensuring lightweight tags are created regardless of global tag.gpgsign configuration. Validated that: (1) the flag syntax is correct and overrides gpgsign config, (2) force-update behavior is preserved with -f, and (3) script syntax passes bash -n validation. No behavioral regressions detected.
📊 Validated against 4 scenarios · Open Bits AI session
🤖 Datadog Autotest · Commit 3ce56a9 · What is Autotest? · Any feedback? Reach out in #autotest
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--no-signto the release script's immutable and moving-majorgit tagcommands.Why
The release script creates lightweight action tags and then pushes them to GitHub. If a developer has
tag.gpgsign=truein their Git config, plaingit tag <tag> <sha>is interpreted as a signed annotated tag creation instead of the lightweight tag the script expects.That changes the command contract and can fail with
fatal: no tag message?because the script does not provide an annotated tag message. Passing--no-signmakes the script's existing lightweight-tag behavior explicit and keeps global Git config from changing release behavior.This also applies to the moving major tag, since
v3is intentionally force-updated and should follow the same explicit tag creation semantics as before.Validation
bash -n scripts/release-action.shgit verify-commit HEAD