Hacker News
by WoahNoun 2553 days ago
That seems fundamentally backwards. The CI system should do the tagging. Allowing manual tagging introduces intentional or unintentional malfeasance in shared projects.
1 comments

Manual tagging is the best way for most projects to do stuff like sign the package using an offline hardware key.

Putting your keys on CI makes you vulnerable to your CI being hacked, which anecdotally seems to have happened to several projects.