From 807ce83fde56b08e68e30a4e8e8bd625713cab52 Mon Sep 17 00:00:00 2001
From: timothyF95
Date: Wed, 1 Apr 2026 16:03:19 +0100
Subject: [PATCH 1/2] Sign release tag

---
 scripts/tag-and-push.sh | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/scripts/tag-and-push.sh b/scripts/tag-and-push.sh
index eaba43fe..8d352cb9 100755
--- a/scripts/tag-and-push.sh
+++ b/scripts/tag-and-push.sh
@@ -1,5 +1,5 @@
-#!/bin/bash
-set -euo pipefail
+#!/bin/sh
+set -eu
 
 version=$(node -p "require('./package.json').version")
 tag="v${version}"
@@ -9,6 +9,25 @@ if git rev-parse "$tag" >/dev/null 2>&1; then
 exit 0
 fi
 
-echo "Creating and pushing tag: $tag"
-git tag -a "$tag" -m "CRE CLI $tag"
-git push origin "$tag"
+sha=$(git rev-parse HEAD)
+repo="${GITHUB_REPOSITORY}"
+
+echo "Creating signed tag: $tag (pointing to $sha)"
+
+# Create an annotated tag object via the GitHub API.
+# Tags created server-side are signed by GitHub and display as "Verified".
+tag_sha=$(gh api "repos/${repo}/git/tags" \
+ --method POST \
+ -f tag="$tag" \
+ -f message="CRE CLI $tag" \
+ -f object="$sha" \
+ -f type="commit" \
+ --jq '.sha')
+
+# Create the ref pointing to the tag object
+gh api "repos/${repo}/git/refs" \
+ --method POST \
+ -f ref="refs/tags/$tag" \
+ -f sha="$tag_sha"
+
+echo "Tag $tag created and verified."

From 2d4a06059093b775d208724ed04235cb63d7b6fc Mon Sep 17 00:00:00 2001
From: timothyF95
Date: Wed, 1 Apr 2026 16:05:26 +0100
Subject: [PATCH 2/2] sh -> bash

---
 scripts/tag-and-push.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/tag-and-push.sh b/scripts/tag-and-push.sh
index 8d352cb9..94c4ffc1 100755
--- a/scripts/tag-and-push.sh
+++ b/scripts/tag-and-push.sh
@@ -1,5 +1,5 @@
-#!/bin/sh
-set -eu
+#!/bin/bash
+set -euo pipefail
 
 version=$(node -p "require('./package.json').version")
 tag="v${version}"
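Review bot: The closing `echo "Tag $tag created and verified."` in the second hunk of PATCH 1/2 reports a verification state that nothing in the new code checks, so a release tag whose tag object came back unsigned would still be published and logged as verified. The tag object exposes a `verification` field; I would read it before the `git/refs` call and stop if it is not true, e.g. `verified=$(gh api "repos/${repo}/git/tags/${tag_sha}" --jq '.verification.verified')` followed by `[ "$verified" = "true" ] || { echo "Tag $tag is not verified" >&2; exit 1; }`. Separately, `repo="${GITHUB_REPOSITORY}"` relies on `set -u` for its error message; `repo="${GITHUB_REPOSITORY:?must be set}"` fails more clearly when the script is run outside Actions. The existing-tag guard (`git rev-parse "$tag"`, which starts above this hunk) inspects only the local clone, so if the checkout did not fetch tags the ref POST may fail on a tag that already exists remotely; worth confirming against the workflow's checkout settings.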