Revert "Refactor GitHub Actions workflows to improve tag handling and signature verification for forks"

dinoallo · dinoallo · commit fc32cecf61b1 · 2025-11-18T15:54:40.000+08:00
This reverts commit 0280c9b.
diff --git a/.github/workflows/api-release.yml b/.github/workflows/api-release.yml
@@ -25,41 +25,35 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
-          # check out to the repository root (workspace) so forks don't depend on upstream paths
-          path: .
-          fetch-depth: 0
-          fetch-tags: true
+          path: src/github.com/containerd/containerd
 
       - name: Check signature
         run: |
           releasever=${{ github.ref }}
           releasever="${releasever#refs/tags/}"
-          # Only enforce strict signature verification when running in the canonical upstream repository.
-          # For forks, skip strict GPG verification because CI may not have the public keys.
-          if [ "${{ github.repository }}" = "containerd/containerd" ]; then
-            if ! git tag -v "${releasever}"; then
+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
+          echo "${TAGCHECK}" | grep -q "error" && {
               echo "::error::tag ${releasever} is not a signed tag. Failing release process."
               exit 1
-            fi
-            echo "Tag ${releasever} is signed."
-          else
-            echo "Running in fork (${GITHUB_REPOSITORY}); skipping strict tag signature verification."
-          fi
-        working-directory: .
+          } || {
+              echo "Tag ${releasever} is signed."
+              exit 0
+          }
+        working-directory: src/github.com/containerd/containerd
 
       - name: Release content
         id: contentrel
         run: |
           RELEASEVER=${{ github.ref }}
           echo "stringver=${RELEASEVER#refs/tags/api/v}" >> $GITHUB_OUTPUT
           git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
-        working-directory: .
+        working-directory: src/github.com/containerd/containerd
 
       - name: Save release notes
         uses: actions/upload-artifact@v4
         with:
           name: containerd-release-notes
-          path: release-notes.md
+          path: src/github.com/containerd/containerd/release-notes.md
 
   release:
     name: Create containerd Release
@@ -74,29 +68,7 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           path: builds
-      - name: Prepare release token check
-        id: tokencheck
-        run: |
-          # Determine whether a RELEASE_TOKEN secret is provided; expose result as an output
-          if [ -n "${{ secrets.RELEASE_TOKEN }}" ]; then
-            echo "use_release_token=true" >> $GITHUB_OUTPUT
-          else
-            echo "use_release_token=false" >> $GITHUB_OUTPUT
-          fi
-      - name: Create Release (with RELEASE_TOKEN)
-        if: ${{ steps.tokencheck.outputs.use_release_token == 'true' }}
-        uses: softprops/action-gh-release@v2
-        with:
-          token: ${{ secrets.RELEASE_TOKEN }}
-          fail_on_unmatched_files: true
-          name: containerd API ${{ needs.check.outputs.stringver }}
-          draft: false
-          make_latest: false
-          prerelease: ${{ contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
-          body_path: ./builds/containerd-release-notes/release-notes.md
-
-      - name: Create Release (with GITHUB_TOKEN)
-        if: ${{ steps.tokencheck.outputs.use_release_token == 'false' }}
+      - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,38 +32,35 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
-          path: .
+          path: src/github.com/containerd/containerd
 
       - name: Check signature
         run: |
           releasever=${{ github.ref }}
           releasever="${releasever#refs/tags/}"
-          # Only enforce strict signature verification when running in the canonical upstream repository.
-          # For forks, skip strict GPG verification because CI may not have the public keys.
-          if [ "${{ github.repository }}" = "containerd/containerd" ]; then
-            if ! git tag -v "${releasever}"; then
+          TAGCHECK=$(git tag -v ${releasever} 2>&1 >/dev/null) ||
+          echo "${TAGCHECK}" | grep -q "error" && {
               echo "::error::tag ${releasever} is not a signed tag. Failing release process."
               exit 1
-            fi
-            echo "Tag ${releasever} is signed."
-          else
-            echo "Running in fork (${GITHUB_REPOSITORY}); skipping strict tag signature verification."
-          fi
-        working-directory: .
+          } || {
+              echo "Tag ${releasever} is signed."
+              exit 0
+          }
+        working-directory: src/github.com/containerd/containerd
 
       - name: Release content
         id: contentrel
         run: |
           RELEASEVER=${{ github.ref }}
           echo "stringver=${RELEASEVER#refs/tags/v}" >> $GITHUB_OUTPUT
           git tag -l ${RELEASEVER#refs/tags/} -n20000 | tail -n +3 | cut -c 5- >release-notes.md
-        working-directory: .
+        working-directory: src/github.com/containerd/containerd
 
       - name: Save release notes
         uses: actions/upload-artifact@v4
         with:
           name: containerd-release-notes
-          path: release-notes.md
+          path: src/github.com/containerd/containerd/release-notes.md
 
   build:
     name: Build Release Binaries
@@ -103,7 +100,7 @@ jobs:
           # See https://github.com/containerd/containerd/issues/5098 for the context.
           repository: ${{ github.repository }}
           ref: ${{ github.ref }}
-          path: .
+          path: src/github.com/containerd/containerd
 
       - name: Setup buildx instance
         uses: docker/setup-buildx-action@v3
@@ -126,14 +123,14 @@ jobs:
 
           # Remove symlinks since we don't want these in the release Artifacts
           find ./releases/ -maxdepth 1 -type l | xargs rm
-        working-directory: .
+        working-directory: src/github.com/containerd/containerd
         env:
           PLATFORM: ${{ matrix.dockerfile-platform }}
       - name: Save Artifacts
         uses: actions/upload-artifact@v4
         with:
           name: release-tars-${{env.PLATFORM_CLEAN}}
-          path: releases/*.tar.gz*
+          path: src/github.com/containerd/containerd/releases/*.tar.gz*
 
   release:
     name: Create containerd Release
