From c392ea087f922a6ad5197fbaa659168fe0610d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Antonio=20Fern=C3=A1ndez=20de=20Alba?= Date: Thu, 16 Jul 2026 11:54:40 +0200 Subject: [PATCH] release: verify commits through GitHub --- scripts/release-orb.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/release-orb.sh b/scripts/release-orb.sh index 504bb94..8c59069 100755 --- a/scripts/release-orb.sh +++ b/scripts/release-orb.sh @@ -144,8 +144,9 @@ if ! git merge-base --is-ancestor "$latest_tag" "$target_sha"; then exit 1 fi -if ! git verify-commit "$target_sha"; then - echo "Release commit '$target_sha' does not have a valid signature." >&2 +commit_verified=$(gh api "repos/$repo/commits/$target_sha" --jq '.commit.verification.verified') +if [[ "$commit_verified" != "true" ]]; then + echo "Release commit '$target_sha' does not have a signature verified by GitHub." >&2 exit 1 fi