From 5e53f8eea2783e9a9b5963dafae20a7e5320618c Mon Sep 17 00:00:00 2001
From: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Date: Sat, 18 Apr 2026 15:23:21 -0300
Subject: [PATCH] ci: add release-major-tag workflow (#552)

* build: drop docker-bake in favor of plain npm

Every TypeScript action maintained by actions/* (checkout, setup-node,
setup-go, cache, upload-artifact) uses plain npm scripts. The bake
setup is a docker/* org convention and adds friction for TS work:
contributors need Docker, the dev loop is ~10x slower than npm, and
Alpine-vs-host byte drift in dist/index.js makes PRs bounce.

Replace with the standard pattern:
- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake
  targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node)
  and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake

CONTRIBUTING.md and README development section updated to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: align scripts and workflows with actions/* convention

Match the standard layout used by actions/checkout, actions/setup-node,
etc.:

- package.json scripts: split format/format-check (Prettier) from
  lint/lint:fix (ESLint), and have pre-checkin run all four (format,
  lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on
  dependabot PRs; the check-dist style validate / build job catches
  drift and a maintainer rebuilds locally if needed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add release-major-tag workflow

Adopts the actions/checkout pattern (workflow_dispatch with target +
major_version inputs that force-pushes the major tag). Doubles as a
rollback tool. Documented in CONTRIBUTING under a 'Releasing' section.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: drop irrelevant pin comment from release-major-tag

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/release-major-tag.yml | 46 +++++++++++++++++++++++++
 CONTRIBUTING.md                         | 15 ++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 .github/workflows/release-major-tag.yml

diff --git a/.github/workflows/release-major-tag.yml b/.github/workflows/release-major-tag.yml
new file mode 100644
index 0000000..6de2bf9
--- /dev/null
+++ b/.github/workflows/release-major-tag.yml
@@ -0,0 +1,46 @@
+name: release major tag
+
+run-name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: The tag, branch, or SHA the major version should point to (e.g. v7.1.0)
+        required: true
+      major_version:
+        type: choice
+        description: The major version tag to move
+        options:
+          - v7
+          - v6
+          - v5
+          - v4
+          - v3
+          - v2
+          - v1
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: write
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      -
+        name: Git config
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      -
+        name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+        run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
+      -
+        name: Push
+        run: git push origin ${{ github.event.inputs.major_version }} --force
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index eaa00d6..bb87824 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -72,3 +72,18 @@ Use [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`,
 - The `signing` CI job and `goreleaser-pro` matrix entries are skipped on PRs
   from forks because they need repository secrets — that's expected and not
   something you need to fix.
+
+## Releasing (maintainers)
+
+1. Create a new GitHub Release with a semver tag (e.g. `v7.1.0`) — either
+   through the UI or `gh release create v7.1.0 --generate-notes`.
+2. Once the release exists, run the [**release major tag**](./.github/workflows/release-major-tag.yml)
+   workflow from the Actions tab:
+   - `target`: the new tag (e.g. `v7.1.0`)
+   - `major_version`: the major version to repoint (e.g. `v7`)
+
+   This force-pushes the major tag to the new release so consumers using
+   `goreleaser/goreleaser-action@v7` pick up the change.
+
+   The same workflow doubles as a rollback tool — pass an older tag as
+   `target` to revert the major.