fix(ci): fetch-tags on tag-introspection checkouts so signed annotated tags pass

Branimir Rakic · cursoragent · Branimir Rakic · commit 2b9322633ea2 · 2026-05-16T00:09:07.000+02:00
The `Validate release candidate` job in `release.yml` and the `Require
signed annotated tag` job in `npm-publish.yml` both use `actions/checkout`
to materialise the pushed tag, then run `git cat-file -t &lt;tag&gt;` to verify
the tag is annotated (and `git cat-file -p &lt;tag&gt;` to grep for a PGP/SSH
signature block).

`actions/checkout@v4` does not fetch annotated tag OBJECTS by default —
it materialises the tag as a synthetic lightweight ref pointing at the
commit. So `git cat-file -t &lt;tag&gt;` returns `commit` instead of `tag`,
and the structural signed-tag gate rejects legitimately signed tags
with "Tag is a lightweight ref ... lightweight tags cannot carry a
signature".

This was the failure mode on `v10.0.0-rc.8`: the tag was correctly
created with `git tag -s` (annotated, SSH-signed) and `git ls-remote`
on the remote shows it as a tag object whose `^{}` peels to the merge
commit. But the workflow's runner saw it as lightweight because
`fetch-tags: true` was missing from the checkout.

Setting `fetch-tags: true` makes actions/checkout actually download the
annotated tag object alongside the commit, so `git cat-file -t` returns
the expected `tag` and the signature-block grep can read the body.

Author intent (from the existing comments in release.yml around line 100)
is unambiguous: the structural check is meant to PASS for annotated
signed tags and only REJECT lightweight or unsigned tags. This fix
restores that intended behaviour.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -227,6 +227,13 @@ jobs:
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 1
+          # `fetch-tags: true` so the annotated tag OBJECT (not just the
+          # ref) is materialised on the runner. Without this,
+          # actions/checkout creates a synthetic lightweight ref pointing
+          # at the commit, and `git cat-file -t <tag>` returns `commit`
+          # instead of `tag` — defeating the signed-annotated-tag check
+          # below for legitimately signed tags.
+          fetch-tags: true
           persist-credentials: false
 
       - name: Validate tag is annotated and signed
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -56,6 +56,13 @@ jobs:
           # `fetch-depth: 0` so we can verify the tag's commit ancestry
           # against `main` below (origin/main must be locally walkable).
           fetch-depth: 0
+          # `fetch-tags: true` so the annotated tag OBJECT (not just the
+          # ref) is materialised on the runner. Without this,
+          # actions/checkout creates a synthetic lightweight ref pointing
+          # at the commit, and `git cat-file -t <tag>` returns `commit`
+          # instead of `tag` — defeating the structural signed-tag check
+          # below for legitimately signed annotated tags.
+          fetch-tags: true
           persist-credentials: false
       - name: Validate tag format
         run: |
