Check tag exists on main on release

This mitigates the risk of a tag being generated and pushed off of a branch. Signed-off-by: Hayden Blauzvern <[email protected]>
haydentherapper · Mar 6, 2024 · 7e85003 · 7e85003
1 parent f40ffbf
commit 7e85003
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/.github/workflows/java-build-for-release.yml b/.github/workflows/java-build-for-release.yml
@@ -5,10 +5,34 @@ on:
       # if you change this pattern, make sure jobs.strip-tag still works
       - 'release/java/v[0-9]+.[0-9]+.[0-9]+'
 jobs:
+  check-tag-main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout all branches
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Verify tag on branch
+        # Check main is one of the branches where the tagged commit exists
+        run: |
+          branches=$(git branch --contains ${{ github.ref }}) --format "%(refname:short)"
+          found=false
+          for b in $raw; do
+            if [ "$x" = "main" ]; then
+              found=true
+            fi
+          done
+          if [ "$found" = false ]; then
+            exit 1
+          fi
+
   ci:
+    needs: [check-tag-main]
     uses: ./.github/workflows/java-build.yml
 
   strip-tag:
+    needs: [check-tag-main]
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.version.outputs.version }}
@@ -21,7 +45,7 @@ jobs:
 
   build:
     runs-on: ubuntu-latest
-    needs: [ci, strip-tag]
+    needs: [ci, strip-tag, check-tag-main]
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
     steps: