fix(release): strip PGP signature block from release notes

Summary

v2.0.0 through v2.1.1 GitLab release descriptions leaked the -----BEGIN PGP SIGNATURE----- block from the signed tag annotation. Cause: `git tag -l --format='%(contents)'` returns the entire tag annotation, signature and all. The signature is verifiable via `git verify-tag` and is not load-bearing in human-readable release notes — strip it from the description.

What changed

  • `.gitlab-ci.yml` `create-release` job: pipe the tag contents through sed (delete BEGIN/END PGP block inclusive) and two awk passes to trim leading + trailing blank lines.
  • `CONTRIBUTING.md`: new "Tag signing" subsection codifying the discipline. Annotated + signed tags are the contract; `tag.gpgSign=true` recommended for project-scoped gitconfig. The CI job handles the signature-strip so contributors don't need knowledge of it.
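
As an added illustration (not the MR's own `.gitlab-ci.yml` change), a shell filter of the shape the first bullet describes, run over a constructed tag annotation; the function names and the sample body are assumptions:

```shell
#!/bin/sh
# Added example: strip the PGP signature block from a signed tag annotation and
# trim leading/trailing blank lines. Same structure as the MR describes: one sed
# range delete for the block, then two awk passes for the blank lines.

strip_pgp_block() {
  # 1. sed: delete from the BEGIN line to the END line, both inclusive.
  # 2. awk: skip blank lines until the first non-blank one (leading trim).
  # 3. awk: buffer all lines, emit only up to the last non-blank one (trailing trim).
  sed '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/d' \
  | awk 'NF { p = 1 } p' \
  | awk '{ l[NR] = $0 } NF { last = NR } END { for (i = 1; i <= last; i++) print l[i] }'
}

# Constructed sample of what `git tag -l --format='%(contents)' <tag>` returns for
# a signed, annotated tag. The body is made up and the signature lines are
# placeholders, not a real signature.
sample_annotation() {
  cat <<'EOF'

Release v2.0.0

- Fix foo
- Add bar

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEPLACEHOLDER
=AbCd
-----END PGP SIGNATURE-----

EOF
}

# Defensive check a CI job can use before publishing: fail if any signature
# armor survived the filter (e.g. a malformed block the sed range did not match).
assert_no_pgp_armor() {
  ! grep -q 'PGP SIGNATURE' "$1"
}
```

In the CI job the input would come from `git tag -l --format='%(contents)' "$CI_COMMIT_TAG"` rather than `sample_annotation`; `assert_no_pgp_armor` takes a file, so redirect the filtered output to one first.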

Follow-up (not in this MR)

Existing `v2.0.0`/`v2.0.1`/`v2.0.2`/`v2.1.0`/`v2.1.1` release descriptions still contain the PGP block; backfill via REST API `PUT /projects/:id/releases/:tag_name` with the stripped content. Single pass, scriptable.

Test plan

  • MR pipeline green (lint + syntax)
  • Verified locally: `git tag -l --format='%(contents)' v2.0.0` piped through the new strip filter produces 1871 bytes of clean message body (was 2181 with the PGP block).