Description
Rationale
While binary releases and SHA-256SUMS files are already signed, Git tags for versioned releases remain unsigned. Signed tags provide an immutable, verifiable anchor in the commit history, allowing downstream consumers to confirm the exact source used to build a release and strengthening our software-supply-chain story.
Proposed change
1. Tag-signing workflow
• All future tags that represent official releases (major, minor, patch, and security) are created as annotated, signed tags with git tag -s <tag> -m "<message>". Lightweight tags are bare refs to a commit and cannot carry a signature, so they are never acceptable for a release.
• The same GPG key used in the GoReleaser signs section (referenced by GPG_FINGERPRINT) signs the tag.
• GoReleaser does not create tags; it builds from the tag already checked out and fails when HEAD is not at a tag (unless run in snapshot mode). A small wrapper script therefore creates, signs and pushes the tag first, and GoReleaser is run against it afterwards.
2. GitHub branch protection / rules
• Enable “Require signed commits” on the main branch so that the commit a release tag points at is itself signed: the tag signature attests to the tag object, and signed commits attest to the history beneath it.
• Branch rules (“Restrict who can push to matching branches”) apply to branches only, not to tags. To control who may create or update v* tags, use a tag ruleset whose bypass list is limited to the release automation user or the maintainers who hold the release key.
• Optional: create a Repository Rule (“Tag name pattern”) matching v* that requires signatures (GitHub’s ruleset UI → Create → Tag protection rule). Whatever the ruleset enforces, CI (item 3) still verifies that the tag object itself carries a signature from the release key, since that is the property downstream consumers check.
3. CI enforcement
• Extend the terraform-provider-checks workflow with a job that imports the release public key into the runner’s keyring, makes sure tag objects are present (a shallow checkout may not have them), and runs git tag --verify $(git describe --exact-match --tags), failing if the tag is unsigned or the signature does not verify.
• For PRs and branch pushes, ensure the workflow skips gracefully when HEAD is not at a tag (git describe --exact-match exits non-zero in that case).
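The wrapper script from step 1 and the CI check from step 3, as one POSIX shell helper. This is an added example and not the project’s own tooling or part of the original proposal; it assumes GPG_FINGERPRINT is set as in the GoReleaser signs config, a hypothetical CI variable RELEASE_GPG_PUBLIC_KEY holding the ASCII-armored release public key, a remote named origin, and the v* tag pattern. It goes slightly beyond the bare git tag --verify call: it also rejects lightweight tags and refuses to sign anything that is not a v* tag.

```shell
#!/bin/sh
# Added example, not the project's script. Assumed names: GPG_FINGERPRINT
# (release key, as in the GoReleaser signs config), RELEASE_GPG_PUBLIC_KEY
# (hypothetical CI variable with the armored public key), remote "origin".
set -eu

# Pure string check: is this a release tag? Stricter than the page's v* pattern
# so that refs such as "vendor-tools" are not mistaken for releases.
is_release_tag() {
  case "$1" in
    v[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: create an annotated, signed tag with the release key and push only
# that tag. GoReleaser is run afterwards against the tag that now exists.
sign_release_tag() {
  tag="$1"
  if ! is_release_tag "$tag"; then
    echo "refusing to sign non-release tag '$tag'" >&2
    return 1
  fi
  git tag -s -u "$GPG_FINGERPRINT" -m "Release $tag" "$tag"
  git push origin "refs/tags/$tag"
}

# Pure check: does a tag object, as printed by `git cat-file -p <tag>`, carry a
# PGP signature block? Reads the object text on stdin so it needs no repository.
tag_object_is_signed() {
  grep -q '^-----BEGIN PGP SIGNATURE-----$'
}

# Step 3: the check run in CI. Returns 0 only for an annotated tag whose
# signature verifies against a key in the runner's keyring.
verify_release_tag() {
  tag="$1"
  # Lightweight tags are bare refs to a commit and carry no signature.
  if [ "$(git cat-file -t "refs/tags/$tag")" != "tag" ]; then
    echo "$tag is a lightweight tag; release tags must be annotated and signed" >&2
    return 1
  fi
  if ! git cat-file -p "refs/tags/$tag" | tag_object_is_signed; then
    echo "$tag carries no signature" >&2
    return 1
  fi
  # Cryptographic check: fails on a bad signature or an unknown signing key.
  if ! git tag --verify "$tag" >/dev/null 2>&1; then
    echo "signature on $tag does not verify (is the release public key imported?)" >&2
    return 1
  fi
}

# CI entry point: skip on builds that are not at a v* tag (PRs, branch
# pushes); otherwise fail the job unless the tag is signed and verifies.
ci_check() {
  # Shallow checkouts may lack tag objects; fetch them before describing HEAD.
  git fetch --force --tags >/dev/null 2>&1 || true
  tag="$(git describe --exact-match --tags --match 'v*' 2>/dev/null || true)"
  if [ -z "$tag" ] || ! is_release_tag "$tag"; then
    echo "HEAD is not at a v* release tag; skipping signed-tag check"
    return 0
  fi
  if [ -n "${RELEASE_GPG_PUBLIC_KEY:-}" ]; then
    printf '%s\n' "$RELEASE_GPG_PUBLIC_KEY" | gpg --batch --import
  fi
  verify_release_tag "$tag"
}

# Usage: release-tag.sh sign v1.2.3   (maintainer, before running goreleaser)
#        release-tag.sh check         (CI job)
case "${1:-}" in
  sign) sign_release_tag "$2" ;;
  check) ci_check ;;
esac
```

In the workflow the check job runs release-tag.sh check after checkout; the tag_object_is_signed and is_release_tag functions are pure so they can be exercised without a repository, while verify_release_tag needs git and the imported key. The explicit git fetch --force --tags is there because a shallow checkout can leave annotated tags missing, which would make git describe --exact-match fail and silently skip the check.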
Acceptance criteria
• New release tags display the green “Verified” badge on GitHub (this requires the release key’s public half, with a matching verified e-mail address, to be attached to the tagger’s GitHub account).
• CI fails if an unsigned v* tag, or one whose signature does not verify against the release key, is pushed.
• Release documentation (RELEASE.md) is updated with the signed-tag procedure.
Reference
GitHub instructions for signed tags: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-tags