SAP / jenkins-library

Jenkins shared library for Continuous Delivery pipelines.
https://www.project-piper.io
Apache License 2.0

githubPublishRelease step should create annotated tags instead of lightweight #4978

Open tiloKo opened 4 days ago

tiloKo commented 4 days ago

It would be great if the githubPublishRelease step could create annotated tags instead of lightweight ones, as lightweight tags directly show the commit they point to, giving the impression the guy who created the commit is also responsible for the tag. Also, it is, as far as I know, impossible to review who created the tag, which is to me some audit issue. This can be fixed by using annotated tags (using option `-m` upon tag creation).

If I get the current coding right, the tag is implicitly created by the GitHub REST API if the supplied tag does not yet exist: https://github.com/SAP/jenkins-library/blob/fe2e4e77573d85fb17ce06ad1d16a63c79dda4d1/cmd/githubPublishRelease.go#L93

If instead the tag were created explicitly prior to the createRelease call, that tag would be used: https://github.com/google/go-github/blob/42ae4fe2918071bae627539203680b2187a413a3/github/git_tags.go#L62C2-L62C116
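The audit difference described in this issue can be checked with plain git. The script below is an added example, not part of the issue or of the jenkins-library code; the helper names `audit_tags`, `require_annotated` and `make_demo_repo`, and the sample repository with its identities, are constructed for illustration.

```shell
#!/bin/sh
set -eu

# audit_tags REPO_DIR (hypothetical helper)
# Prints "<kind> <tag> <tagger>" per tag. An annotated tag is its own object
# of type "tag" with a tagger field; a lightweight tag is a bare ref to a
# commit, so git has no record of who created it and "-" is printed.
audit_tags() {
  git -C "$1" for-each-ref refs/tags \
    --format='%(objecttype) %(refname) %(taggername) %(taggeremail)' |
  while read -r type ref tagger; do
    name=${ref#refs/tags/}
    if [ "$type" = "tag" ]; then
      printf 'annotated %s %s\n' "$name" "$tagger"
    else
      printf 'lightweight %s -\n' "$name"
    fi
  done
}

# require_annotated REPO_DIR (hypothetical CI gate)
# Succeeds only when no tag in the repository is lightweight.
require_annotated() {
  ! audit_tags "$1" | grep -q '^lightweight '
}

# make_demo_repo DIR: constructed sample data. "Dev" authors the commit; the
# commit then gets one lightweight tag and one annotated tag (-a -m) whose
# tagger is "Releaser".
make_demo_repo() {
  git init -q "$1"
  git -C "$1" -c user.name=Dev -c user.email=dev@example.com \
    commit -q --allow-empty -m "initial commit"
  git -C "$1" tag v1.0.0-light
  GIT_COMMITTER_NAME=Releaser GIT_COMMITTER_EMAIL=rel@example.com \
    git -C "$1" tag -a -m "Release v1.0.0" v1.0.0
}

demo_dir=$(mktemp -d)
make_demo_repo "$demo_dir"
audit_tags "$demo_dir"
require_annotated "$demo_dir" || echo "gate: lightweight tags present"
rm -rf "$demo_dir"
```

Only the annotated tag carries a tagger distinct from the commit author, which is the attribution the issue asks for.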