ci: use ci token instead of repo token for pushing tags

.github/workflows/create-dev-tag.yml

@@ -9,9 +9,7 @@ on:
 env:
   GOWORK: off
   GOPRIVATE: github.com/mesosphere
-
-permissions:
-  contents: write
+  GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }}
 
 jobs:
   create-dev-tag:
@@ -35,26 +33,32 @@ jobs:
           depth: 0
 
       - name: Configure git for private repo access
-        run: git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf https://github.com/
+        run: git config --global url.https://$GITHUB_TOKEN@github.com/.insteadOf https://github.com/
 
       - name: Setup asdf
         uses: asdf-vm/actions/setup@v2
 
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v4
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          git_user_signingkey: true
+          git_commit_gpgsign: true
+          git_push_gpgsign: false
+          git_committer_email: "ci-mergebot@d2iq.com"
+          git_committer_name: "ci-mergebot"
+
       - name: Generate tag
         run: |
           # Overriding a variable that causes a conflict in legacy
           # versions of gh-dkp
           export GITHUB_REPOSITORY="kommander-applications"
           OUT=$(make repo.dev.tag)
           echo "TAG=$(echo ${OUT##* })" >> $GITHUB_ENV
-        env:
-          GITHUB_TOKEN: ${{ secrets.MESOSPHERECI_USER_TOKEN }}
 
       - name: Create tag
-        run: |
-          git config --global user.email "ci-mergebot@d2iq.com"
-          git config --global user.name "ci-mergebot"
-          git tag -m "${{ env.TAG }}" ${{ env.TAG }}
+        run: git tag -s -f -m "${{ env.TAG }}" ${{ env.TAG }}
 
       - name: Push tag
         run: git push --force --tags origin ${{ env.TAG }}