Enable signed tags for releases #858
Description
We should enable signed Git tags for all releases.
Motivation
Our current process is:
- Navigate to the GitHub Releases UI
- Create a new release
- GitHub auto-generates a tag as part of that flow
This produces unsigned tags, which breaks provenance guarantees and prevents downstream consumers from validating our release lineage.
Constraints
- We do not want to manage long-term key infrastructure ourselves.
- We still rely on GitHub’s auto-generated release notes, so the workflow change must preserve or replicate that functionality.
- The GitHub UI release flow cannot produce signed tags, so our workflow must change.
Proposed Direction
We need a release workflow where:
- A signed tag is created first (likely automated), without requiring us to store or manage private keys.
- A release is created from the signed tag (via automation or the UI).
- Auto-generated release notes continue to work (via GitHub’s API or manual release creation after the tag exists).
Open Questions
- Should we use GitHub Actions signing (ephemeral OIDC-backed keys via
gitsign/Sigstore) to produce signed tags? - Should tags be created by a dedicated, manually-triggered workflow?
- How do we integrate GitHub’s release-notes generator while avoiding regressions?
Acceptance Criteria
- All new release tags are cryptographically signed.
- No long-term key management burden.
- Release notes remain auto-generated or equivalent.
- The release process remains simple and predictable.