by mrolla 2548 days ago
Bug aside, it baffles me that it's a real person publishing rather than CI after tagging.

I don't know about their process, but I always make my release tags myself. I wouldn't want to give the signing key to any CI system.
That seems fundamentally backwards. The CI system should do the tagging. Allowing manual tagging introduces intentional or unintentional malfeasance in shared projects.
Manual tagging is the best way for most projects to do stuff like sign the package using an offline hardware key.

Putting your keys on CI makes you vulnerable to your CI being hacked, which anecdotally seems to have happened to several projects.

I am very reluctant myself, but I think at some point you have to compromise. You can self-host and go the hard way, trust some third-party CI (reputation is key) or go, if available, with the one from your cloud provider. This is exactly why we went with CodeBuild at some point. It's not great, but hey, we are not giving it anything more than they already have (we host everything on AWS).
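As an added example (not code from any commenter in this thread), here is the CI-side half of the arrangement the thread argues over: the maintainer signs the tag with a key that never leaves their hardware token, and CI only verifies, parsing the gpg status lines that `git verify-tag --raw` writes to stderr and accepting a tag only when it carries a good signature from an allowlisted fingerprint. The fingerprints, names and status streams below are constructed sample values.

```python
import subprocess

# Constructed allowlist: fingerprints of humans allowed to sign release tags.
RELEASE_SIGNERS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
# gpg status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def tag_signature_ok(status_text, allowed=RELEASE_SIGNERS):
    """Decide from raw gpg status lines (what `git verify-tag --raw` prints to
    stderr) whether a tag has a good signature by an allowlisted key."""
    good, fprs = False, set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT:
            return False, keyword            # fail closed on any gpg failure
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fprs.add(fields[2])              # fingerprint of the signing key
            if len(fields) > 11:
                fprs.add(fields[11])         # primary-key fingerprint if a subkey signed
    if not good:
        return False, "NO_GOODSIG"
    if not fprs & set(allowed):
        return False, "UNKNOWN_SIGNER"       # valid signature, but not a release signer
    return True, "OK"

def verify_release_tag(tag, repo=".", allowed=RELEASE_SIGNERS):
    """CI-side gate: the runner needs only the signers' public keys in its
    keyring, never the private key; publish only when this returns True."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return tag_signature_ok(proc.stderr, allowed)

# Constructed status streams standing in for real `git verify-tag --raw` output.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SIGNED_BY_RELEASE_MANAGER = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <release@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2024-01-02 1704153600 0 4 0 1 10 00 {FPR}\n")
SIGNED_BY_EXPIRED_KEY = (
    "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Release Manager <release@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2024-01-02 1704153600 0 4 0 1 10 00 {FPR}\n")
SIGNED_BY_STRANGER = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Somebody Else <other@example.org>\n"
    f"[GNUPG:] VALIDSIG {OTHER} 2024-01-02 1704153600 0 4 0 1 10 00 {OTHER}\n")
```

A pipeline would call `verify_release_tag("v1.2.3")` before the publish step; the public keys of the release signers are the only key material the runner ever holds.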