Release `v2.333.1` is based on an unsigned commit


Hi,

I noticed that the commit 6792966801e8925346735b68c03bf9f347af4646, associated with the `v2.333.1` release tag does not have a GPG signature.

In contrast, most commits in the repository, especially those associated with releases; appear to be signed (e.g., using GitHub's default signing key:  `RSA key B5690EEEBB952194`).

### To reproduce

```
  git clone git@github.com:actions/runner.git
  cd runner
  git fetch --tags origin v2.333.1
  git show --show-signature v2.333.1
# no GPG signature present
```

This does not report a valid GPG signature for the commit.

For comparison, previous releases such as `v2.333.0` appear to be based on signed commits.

### Question

Is this expected/intentional?

### Context

Relying on signed commits for releases helps provide an additional level of assurance around the authenticity of the code being distributed.

Thanks!



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release `v2.333.1` is based on an unsigned commit #4323

To reproduce

Question

Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Release v2.333.1 is based on an unsigned commit #4323

Description

To reproduce

Question

Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Release `v2.333.1` is based on an unsigned commit #4323