Enhance release tagging and CI/CD robustness

- Add explicit target commit support to create-release-tag.sh
- Show commit details before tagging for verification
- Add user confirmation before proceeding with tag creation
- Improve GitHub Actions tag verification with explicit tag fetching
- Add debugging information for tag verification process

These changes ensure signed tags point to the exact intended commit
and provide better visibility into the release process.

Author: CorruptedAesthetic

.github/workflows/publish.yml

@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Fetch all history for tag verification
+          fetch-tags: true  # Explicitly fetch all tags
 
       # Verify tag signature for release builds
       - name: Verify tag signature
@@ -44,6 +45,17 @@ jobs:
             exit 1
           fi
           
+          # Ensure the tag exists and is available locally
+          echo "🔍 Checking if tag exists locally..."
+          if ! git tag -l | grep -q "^$TAG$"; then
+            echo "⚠️  Tag not found locally, fetching..."
+            git fetch origin "refs/tags/$TAG:refs/tags/$TAG"
+          fi
+          
+          # Show tag information for debugging
+          echo "📋 Tag information:"
+          git show --no-patch --format="  Type: %s%n  Author: %an <%ae>%n  Date: %ai" "$TAG" || echo "Could not show tag info"
+          
           # Verify the tag signature (will fail if tag is unsigned or signature is bad)
           if git verify-tag "$TAG"; then
             echo "✅ Tag signature verified successfully"

create-release-tag.sh

@@ -31,13 +31,15 @@ print_error() {
 
 # Check arguments
 if [ $# -lt 1 ]; then
-    print_error "Usage: $0 <version> [message]"
+    print_error "Usage: $0 <version> [message] [commit]"
     echo "Example: $0 0.4.3 'Enhanced CI/CD with security features'"
+    echo "         $0 0.4.3 'Release 0.4.3' abc123def  # tag specific commit"
     exit 1
 fi
 
 VERSION="$1"
 MESSAGE="${2:-Fennel node v$VERSION}"
+TARGET_COMMIT="${3:-HEAD}"  # Default to HEAD if no commit specified
 
 # Validate version format
 if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -65,6 +67,25 @@ if ! git diff --quiet || ! git diff --staged --quiet; then
     fi
 fi
 
+# Show current commit information
+CURRENT_COMMIT=$(git rev-parse $TARGET_COMMIT)
+if [ "$TARGET_COMMIT" = "HEAD" ]; then
+    print_status "Target commit (HEAD): $CURRENT_COMMIT"
+else
+    print_status "Target commit: $CURRENT_COMMIT"
+fi
+print_status "Commit details:"
+git show --no-patch --format="  %H - %s (%an, %ar)" $TARGET_COMMIT
+
+echo ""
+print_status "This tag will point to the above commit."
+read -p "Proceed with tagging this commit? (Y/n): " -n 1 -r
+echo
+if [[ $REPLY =~ ^[Nn]$ ]]; then
+    print_status "Tagging cancelled."
+    exit 0
+fi
+
 # Check GPG setup
 print_status "Checking GPG configuration..."
 if ! git config user.signingkey &>/dev/null; then
@@ -77,7 +98,7 @@ print_success "Using GPG key: $SIGNING_KEY"
 
 # Create the signed tag
 print_status "Creating signed tag..."
-if git tag -s "$TAG_NAME" -m "$MESSAGE"; then
+if git tag -s "$TAG_NAME" -m "$MESSAGE" "$TARGET_COMMIT"; then
     print_success "Signed tag created: $TAG_NAME"
 else
     print_error "Failed to create signed tag"