@@ -25,35 +25,41 @@ jobs:
2525 uses : actions/checkout@v4
2626 with :
2727 ref : ${{ github.ref }}
28- path : src/github.com/containerd/containerd
28+ # check out to the repository root (workspace) so forks don't depend on upstream paths
29+ path : .
30+ fetch-depth : 0
31+ fetch-tags : true
2932
3033 - name : Check signature
3134 run : |
3235 releasever=${{ github.ref }}
3336 releasever="${releasever#refs/tags/}"
34- TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
35- echo "${TAGCHECK}" | grep -q "error" && {
37+ # Only enforce strict signature verification when running in the canonical upstream repository.
38+ # For forks, skip strict GPG verification because CI may not have the public keys.
39+ if [ "${{ github.repository }}" = "containerd/containerd" ]; then
40+ if ! git tag -v "${releasever}"; then
3641 echo "::error::tag ${releasever} is not a signed tag. Failing release process."
3742 exit 1
38- } || {
39- echo "Tag ${releasever} is signed."
40- exit 0
41- }
42- working-directory : src/github.com/containerd/containerd
43+ fi
44+ echo "Tag ${releasever} is signed."
45+ else
46+ echo "Running in fork (${GITHUB_REPOSITORY}); skipping strict tag signature verification."
47+ fi
48+ working-directory : .
4349
4450 - name : Release content
4551 id : contentrel
4652 run : |
4753 RELEASEVER=${{ github.ref }}
4854 echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT
4955 git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
50- working-directory : src/github.com/containerd/containerd
56+ working-directory : .
5157
5258 - name : Save release notes
5359 uses : actions/upload-artifact@v4
5460 with :
5561 name : containerd-release-notes
56- path : src/github.com/containerd/containerd/ release-notes.md
62+ path : release-notes.md
5763
5864 release :
5965 name : Create containerd Release
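Review bot: The new `if [ "${{ github.repository }}" = "containerd/containerd" ]` branch fails open: any repository whose name does not match (a fork, but equally the upstream repository after a rename or owner case change) silently skips `git tag -v`, so the job no longer proves the tag is signed there. If the lenient path is meant only for forks, gate it on an explicit opt-in such as a repository variable or compare `github.repository_id`, and report the skip with `echo "::warning::Running in fork (${GITHUB_REPOSITORY}); skipping strict tag signature verification."` so it shows in the run summary instead of only in the log. Note that the stricter `if ! git tag -v "${releasever}"` now fails when the signer's public key is absent from the runner's keyring (the removed grep-for-"error" form appears to have let that case through as "signed"), so upstream presumably relies on a key-import step that is not visible in this hunk. Deriving the tag with `releasever="${GITHUB_REF#refs/tags/}"` instead of interpolating `${{ github.ref }}` into the script (the context line kept above) would also close off shell injection through a crafted tag name, since ref names may contain `;`, `$` and backticks.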
6874 uses : actions/download-artifact@v4
6975 with :
7076 path : builds
71- - name : Create Release
77+ - name : Prepare release token check
78+ id : tokencheck
79+ run : |
80+ # Determine whether a RELEASE_TOKEN secret is provided; expose result as an output
81+ if [ -n "${{ secrets.RELEASE_TOKEN }}" ]; then
82+ echo "use_release_token=true" >> $GITHUB_OUTPUT
83+ else
84+ echo "use_release_token=false" >> $GITHUB_OUTPUT
85+ fi
86+ - name : Create Release (with RELEASE_TOKEN)
87+ if : ${{ steps.tokencheck.outputs.use_release_token == 'true' }}
88+ uses : softprops/action-gh-release@v2
89+ with :
90+ token : ${{ secrets.RELEASE_TOKEN }}
91+ fail_on_unmatched_files : true
92+ name : containerd API ${{ needs.check.outputs.stringver }}
93+ draft : false
94+ make_latest : false
95+ prerelease : ${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
96+ body_path : ./builds/containerd-release-notes/release-notes.md
97+
98+ - name : Create Release (with GITHUB_TOKEN)
99+ if : ${{ steps.tokencheck.outputs.use_release_token == 'false' }}
72100 uses : softprops/action-gh-release@v2
73101 with :
74102 token : ${{ secrets.GITHUB_TOKEN }}