Sanitize CI_COMMIT_TAG_MESSAGE to exclude SSH signatures
Summary
The CI_COMMIT_TAG_MESSAGE CI/CD variable currently includes the SSH signature block when a tag is SSH-signed, so the signature ends up in release descriptions whenever the variable is used in CI/CD pipelines.
Problem
When creating a release from a signed tag using CI/CD (e.g., using $CI_COMMIT_TAG_MESSAGE in the release description), the SSH signature is included in the release notes, making them cluttered and difficult to read.
Example CI/CD configuration:
release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/cli:latest
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo "running release_job"
  release:
    tag_name: '$CI_COMMIT_TAG'
    description: '$CI_COMMIT_TAG_MESSAGE'
    ref: '$CI_COMMIT_TAG'
Root Cause
The issue is located in lib/gitlab/ci/variables/builder/pipeline.rb at line 86:
variables.append(key: 'CI_COMMIT_TAG_MESSAGE', value: git_tag.message)
The tag message is used without filtering out SSH signatures, similar to the issue that was fixed in !189422 (merged) for the UI display.
Proposed Solution
Apply the same signature filtering logic used in !189422 (merged) to sanitize the CI_COMMIT_TAG_MESSAGE variable before exposing it to CI/CD pipelines. This should strip out SSH signatures (and potentially other signature types) to provide clean tag messages.
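As an added illustration of the sanitizing step proposed above (example code written for this issue, not GitLab's implementation and not the logic from !189422): strip the ASCII-armored signature block that git stores at the end of a signed tag's message before the text is handed to CI/CD. It also covers the PGP armor label in the same way; the sample tag message and its base64 body are constructed placeholders.

```ruby
# Added example, not GitLab's implementation: remove the ASCII-armored
# signature that git appends to the message of a signed tag, so the value
# exposed as CI_COMMIT_TAG_MESSAGE contains only the human-written text.
# ssh-keygen labels its armor "SSH SIGNATURE"; gpg uses "PGP SIGNATURE".
SIGNATURE_BLOCK = /
  ^-----BEGIN\ (?<label>SSH|PGP)\ SIGNATURE-----\r?\n   # opening armor line
  .*?                                                  # base64 payload (non-greedy)
  ^-----END\ \k<label>\ SIGNATURE-----\r?\n?           # closing line, same label
/mx

def strip_tag_signature(message)
  return message if message.nil?
  # Only a complete BEGIN/END pair with matching labels is removed; a
  # truncated or mismatched block is left untouched rather than guessed at.
  message.gsub(SIGNATURE_BLOCK, '').rstrip
end

# Constructed sample of what a signed tag object carries in its message.
# The base64 body is placeholder text, not a real signature.
SIGNED_TAG_MESSAGE = <<~MSG
  Release v1.2.0

  Fixes the release note rendering.
  -----BEGIN SSH SIGNATURE-----
  U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgPLACEHOLDERPLACEHOLDER
  AAAAA0dpdAAAAAAAAABzAAAAE3NzaC1lZDI1NTE5AAAAQPLACEHOLDER==
  -----END SSH SIGNATURE-----
MSG

UNSIGNED_TAG_MESSAGE = "Release v1.1.0\n\nNo signature on this one.\n"

# What a release description should receive instead of the raw git_tag.message.
def tag_message_for_ci(message)
  strip_tag_signature(message)
end

if __FILE__ == $PROGRAM_NAME
  puts tag_message_for_ci(SIGNED_TAG_MESSAGE)
end
```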
Related
- MR !189422 (merged) - Hide SSH signature from tag message in UI
- Comment: !189422 (comment 2938036213)