From fcf9c8f1ac4e753ca6b2a4e5c2350c8fcc760805 Mon Sep 17 00:00:00 2001
From: Adrian Dvergsdal
Date: Wed, 15 Jul 2020 22:24:28 +0200
Subject: [PATCH] Verify either commit or tag

---
 .github/workflows/docker-image.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 1e86202..269fd28 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -21,7 +21,12 @@ jobs:
 # Only allow commits signed by owner
 - name: Verify commit signature
 run: |
- if git verify-commit --raw HEAD 2>&1 | grep -e VALIDSIG | grep -q "$GPG_KEY_FINGERPRINT"; then
+ verify_head() {
+ ( git verify-commit --raw HEAD || git verify-tag --raw $(git tag --points-at HEAD) ) 2>&1 \
+ | grep -e VALIDSIG | grep -q "$1"
+ }
+
+ if verify_head "$GPG_KEY_FINGERPRINT"; then
 echo "Verified signature from $GPG_KEY_FINGERPRINT"
 else
 echo "Missing signature by $GPG_KEY_FINGERPRINT"
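Review bot: `verify_head` fails open when `$GPG_KEY_FINGERPRINT` is empty or unset, because `grep -q "$1"` with an empty pattern matches every line, so a VALIDSIG line from any key gpg can verify would pass the gate. Guard the function with `[ -n "$1" ] || return 1` as its first line and match the fingerprint literally with `grep -qF -- "$1"`. The verdict also comes only from grepping the merged output, so the exit status of `git verify-commit` / `git verify-tag` is never consulted; as far as I know gpg also emits VALIDSIG for signatures made by expired or revoked keys, so it is worth additionally requiring a `GOODSIG` line or a zero exit from git. When no tag points at HEAD, the unquoted `$(git tag --points-at HEAD)` expands to nothing and `git verify-tag --raw` runs without an argument; that currently rejects only because the error output contains no VALIDSIG, and an explicit check for an empty tag list would make the case deliberate. The `else` branch continues past the end of the hunk, so whether it exits non-zero is not visible here.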