prevent accidental releases of unsigend tags

.github/workflows/release.yml

@@ -26,6 +26,10 @@ jobs:
     if: github.ref_type == 'tag' && needs.get-version.outputs.versionType != 'unknown'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Check the git tag is signed
+        run: git cat-file -p "${GITHUB_REF_NAME}" | grep "BEGIN SSH SIGNATURE"
       - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: ${{ env.JAVA_DIST }}