Tags

This tags API only deals with tag objects - so only annotated tags, not lightweight tags.

Get a Tag

GET /repos/:owner/:repo/git/tags/:sha

Response

Status: 200 OK
{
  "tag": "v0.0.1",
  "sha": "940bd336248efae0f9ee5bc7b2d5c985887b16ac",
  "url": "https://api.github.com/repos/octocat/Hello-World/git/tags/940bd336248efae0f9ee5bc7b2d5c985887b16ac",
  "message": "initial version",
  "tagger": {
    "name": "Scott Chacon",
    "email": "schacon@gmail.com",
    "date": "2014-11-07T22:01:45Z"
  },
  "object": {
    "type": "commit",
    "sha": "c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c",
    "url": "https://api.github.com/repos/octocat/Hello-World/git/commits/c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c"
  }
}

Create a Tag Object

Note that creating a tag object does not create the reference that makes a tag in Git. If you want to create an annotated tag in Git, you have to do this call to create the tag object, and then create the refs/tags/[tag] reference. If you want to create a lightweight tag, you only have to create the tag reference - this call would be unnecessary.

POST /repos/:owner/:repo/git/tags

Parameters

Name Type Description
tag string The tag
message string The tag message
object string The SHA of the git object this is tagging
type string The type of the object we're tagging. Normally this is a commit but it can also be a tree or a blob.
tagger object An object with information about the individual creating the tag.

The tagger object contains the following keys:

Name Type Description
name string The name of the author of the tag
email string The email of the author of the tag
date string When this object was tagged. This is a timestamp in ISO 8601 format: YYYY-MM-DDTHH:MM:SSZ.

Example Input

{
  "tag": "v0.0.1",
  "message": "initial version\n",
  "object": "c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c",
  "type": "commit",
  "tagger": {
    "name": "Scott Chacon",
    "email": "schacon@gmail.com",
    "date": "2011-06-17T14:53:35-07:00"
  }
}

Response

Status: 201 Created
Location: https://api.github.com/repos/octocat/Hello-World/git/tags/940bd336248efae0f9ee5bc7b2d5c985887b16ac
{
  "tag": "v0.0.1",
  "sha": "940bd336248efae0f9ee5bc7b2d5c985887b16ac",
  "url": "https://api.github.com/repos/octocat/Hello-World/git/tags/940bd336248efae0f9ee5bc7b2d5c985887b16ac",
  "message": "initial version",
  "tagger": {
    "name": "Scott Chacon",
    "email": "schacon@gmail.com",
    "date": "2014-11-07T22:01:45Z"
  },
  "object": {
    "type": "commit",
    "sha": "c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c",
    "url": "https://api.github.com/repos/octocat/Hello-World/git/commits/c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c"
  }
}

Tag signature verification

Tag response objects including signature verification data are currently available for developers to preview. During the preview period, the object formats may change without advance notice. Please see the blog post for full details.

To receive signature verification data in tag objects you must provide a custom media type in the Accept header:

application/vnd.github.cryptographer-preview
GET /repos/:owner/:repo/git/tags/:sha

Response

Status: 200 OK
{
  "tag": "v0.0.1",
  "sha": "940bd336248efae0f9ee5bc7b2d5c985887b16ac",
  "url": "https://api.github.com/repos/octocat/Hello-World/git/tags/940bd336248efae0f9ee5bc7b2d5c985887b16ac",
  "message": "initial version",
  "tagger": {
    "name": "Scott Chacon",
    "email": "schacon@gmail.com",
    "date": "2014-11-07T22:01:45Z"
  },
  "object": {
    "type": "commit",
    "sha": "c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c",
    "url": "https://api.github.com/repos/octocat/Hello-World/git/commits/c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c"
  },
  "verification": {
    "verified": true,
    "reason": "valid",
    "signature": "-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----",
    "payload": "object c3d0be41ecbe669545ee3e94d31ed9a4bc91ee3c\n..."
  }
}

The verification object

The response will include a verification field whose value is an object describing the result of verifying the tag's signature. The following fields are included in the verification object:

Name Type Description
verified boolean Does GitHub consider the signature in this tag to be verified?
reason string The reason for verified value. Possible values and their meanings are enumerated in the table below.
signature string The signature that was extracted from the tag.
payload string The value that was signed.

The reason field

The following are possible reasons that may be included in the verification object:

Value Description
expired_key The key that made the signature is expired.
not_signing_key The "signing" flag is not among the usage flags in the GPG key that made the signature.
gpgverify_error There was an error communicating with the signature-verification service.
gpgverify_unavailable The signature-verification service is currently unavailable.
unsigned The object does not include a signature.
unkown_signature_type A non-PGP signature was found in the tag.
no_user No user was associated with the tagger email address in the tag.
unverified_email The tagger email address in the tag was associated with a user, but the email address is not verified on her/his account.
bad_email The tagger email address in the tag is not included in the identities of the PGP key that made the signature.
unknown_key The key that made the signature has not been registered with any user's account.
malformed_signature There was an error parsing the signature.
invalid The signature could not be cryptographically verified using the key whose key-id was found in the signature.
valid None of the above errors applied, so the signature is considered to be verified.