Git tag created by TagBot was not signed with GPG

[junyuan-chen]

I set up the TagBot in a way that should result in a release with the green "verified" badge from GitHub. However, I just released a newer version of my package and was surprised that the Git tag was not signed.
(git verify-tag returns error: no signature found)

The GPG signing worked as expected in the past months for two earlier releases I made via TagBot. I didn't change any setting for TagBot or anything with the GitHub secrets. So, I wonder whether it could be an issue with TagBot itself.

(In case it is helpful, the link to the package is here: https://github.com/JuliaDiffinDiffs/DiffinDiffsBase.jl)

---

Update:
I have force pushed a tag that is signed locally to GitHub to replace the unsigned one.
Yet, I am still curious why the GPG sign was not done automatically.

[christopher-dG]

Hm, if you're interested in helping debug this, you could set the ACTIONS_STEP_DEBUG repo secret to true, delete your tag/release, and run TagBot again to see some extra output. Otherwise I don't have much to go on here.

edit: #192 is the only PR that has landed in the last few months, and it doesn't touch any GPG-relevant code. However it did bump the patch version onpython-gnupg, so that could have caused a new bug. In particular, this commit looks very relevant.

edit 2: upon a bit of investigation, this may have been caused by the Docker image moving from Alpine to Debian, Git/GPG seem to be behaving a bit strangely on Debian, not respecting tag.gpgsign and user.signingkey configs...

[christopher-dG]

Ahhhhhhhhhhh Debian is on an old Git v2.20.1, which does not yet support tag.gpgsign. 😞 Will find a workaround!
More reason to one day do something about #51.