From ea0fd6dde9fc058c84ef2260bdc6f40c34f7baaa Mon Sep 17 00:00:00 2001
From: Casey Buto
Date: Wed, 20 Sep 2023 12:38:21 -0400
Subject: [PATCH] ci: use ci token instead of repo token for pushing tags

---
 .github/workflows/create-dev-tag.yml | 30 ++++++++++++++++------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/create-dev-tag.yml b/.github/workflows/create-dev-tag.yml
index a3d91204f4..01a7a74b93 100644
--- a/.github/workflows/create-dev-tag.yml
+++ b/.github/workflows/create-dev-tag.yml
@@ -9,9 +9,7 @@ on:
 env:
 GOWORK: off
 GOPRIVATE: github.com/mesosphere
-
-permissions:
- contents: write
+ GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }}
 
 jobs:
 create-dev-tag:
@@ -23,9 +21,9 @@ jobs:
 matrix:
 branch:
 - main
- - release-2.4
- - release-2.5
- - release-2.6
+# - release-2.4
+# - release-2.5
+# - release-2.6
 
 steps:
 - name: Checkout
@@ -35,11 +33,22 @@ jobs:
 depth: 0
 
 - name: Configure git for private repo access
- run: git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf https://github.com/
+ run: git config --global url.https://$GITHUB_TOKEN@github.com/.insteadOf https://github.com/
 
 - name: Setup asdf
 uses: asdf-vm/actions/setup@v2
 
+ - name: Import GPG key
+ uses: crazy-max/ghaction-import-gpg@v4
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
+ git_user_signingkey: true
+ git_commit_gpgsign: true
+ git_push_gpgsign: false
+ git_committer_email: "ci-mergebot@d2iq.com"
+ git_committer_name: "ci-mergebot"
+
 - name: Generate tag
 run: |
 # Overriding a variable that causes a conflict in legacy
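Review bot: Moving `GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }}` to the workflow-level `env:` hands the CI user's PAT to every step of the job, including the third-party `asdf-vm/actions/setup` and `crazy-max/ghaction-import-gpg` actions in the later hunks, whereas the step-level `env:` removed in the `@@ -47,14` hunk had limited it to `Generate tag`. Keep it as a step-level `env:` on the two steps that used it before, `Configure git for private repo access` and `Generate tag`; the push step does not need it because the `insteadOf` rewrite already carries the credential. Deleting the `permissions:` block also falls back to the repository's default token permissions, which may be read/write, so state the narrower scope now that pushes go through the PAT: `permissions:` / `  contents: read`. Reusing the name `GITHUB_TOKEN` for a PAT makes it read like the automatic token; a distinct name such as the `GH_ACCESS_TOKEN` the old line used avoids that confusion.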
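Review bot: The three `release-2.x` matrix entries are commented out rather than removed, and the commit subject (`use ci token instead of repo token`) does not explain why dev tags should stop being cut on the release branches. If this is a temporary change it should not land together with the token switch; if it is intentional, a comment above the list such as `# release-2.x tagging disabled: <reason / tracking issue>` records why. As a style point, the `#` lines sit at column 0 inside the indented `branch:` sequence; indent them with the remaining item so the list stays readable.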
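Review bot: `uses: crazy-max/ghaction-import-gpg@v4` pins a mutable major tag, and this step receives the private signing key, its passphrase and, via the workflow-level env, the CI user's PAT, so a moved tag changes what runs with all three; pin it to a full commit SHA with the version as a trailing comment, `uses: crazy-max/ghaction-import-gpg@<commit-sha> # v4`, and do the same for `asdf-vm/actions/setup@v2` in the context above. `git_commit_gpgsign: true` is set although the visible steps create no commits, while `git_push_gpgsign: false` leaves pushes unsigned; the effective signing comes from `git tag -s` in the next hunk, so a one-line comment on the step stating that the key is imported for tag signing would make the intent explicit. The `Generate tag` step's `run:` block continues past the end of this hunk.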
@@ -47,14 +56,9 @@ jobs:
 export GITHUB_REPOSITORY="kommander-applications"
 OUT=$(make repo.dev.tag)
 echo "TAG=$(echo ${OUT##* })" >> $GITHUB_ENV
- env:
- GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }}
 
 - name: Create tag
- run: |
- git config --global user.email "ci-mergebot@d2iq.com"
- git config --global user.name "ci-mergebot"
- git tag -m "${{ env.TAG }}" ${{ env.TAG }}
+ run: git tag -s -f -m "${{ env.TAG }}" ${{ env.TAG }}
 
 - name: Push tag
 run: git push --force --tags origin ${{ env.TAG }}
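Review bot: `${{ env.TAG }}` in the new `run: git tag -s -f -m "${{ env.TAG }}" ${{ env.TAG }}` is substituted into the script text by the runner before the shell parses it, so any shell-significant characters in the `make repo.dev.tag` output would be executed rather than treated as the tag name; since the line is being rewritten anyway, read the variable the earlier step exported through `$GITHUB_ENV` instead: `run: git tag -s -f -m "$TAG" "$TAG"`. The added `-f` silently replaces an existing local tag and, combined with the unchanged `git push --force --tags`, can move a tag that has already been published; if re-tagging is expected, note that in a comment on the step, otherwise drop `-f` so a name collision fails loudly.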