Add install tests pinned to versions that exercise every release era so
we don't regress the graceful-skip path for releases that pre-date the
cosign v3 sigstore bundle:
- v0.182.0 pre-checksums-signing
- v1.26.2 cosign v2 detached .sig only
- v2.12.4 last release before sigstore bundles
- v2.13.0 first release with sigstore bundle (minimum verifiable)
- v2.15.3 recent release with sigstore bundle
Plus an explicit verifyChecksum integration test that installs v2.12.4
with cosign in PATH to confirm the cosign step is skipped (not failed)
when the sigstore bundle is absent.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
GoReleaser v2.13.0 was the first release to ship the cosign v3
sigstore-bundle 'checksums.txt.sigstore.json' alongside the archive.
Earlier releases only publish a cosign v2 detached '.sig', which the
action's verifier does not understand and silently skips.
Drop '~> 1.26' / '~> 2.6' / 'v0.182.0' / '~> v1' from the matrix and
the install tests; pin '~> 2.13' as the minimum-supported version we
actively exercise in CI. Document v2.13.0 as the minimum cosign-
verifiable version in the README.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: verify release checksum and cosign signature
Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: use install() for checksum e2e tests
Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat!: use "~> v2" as default
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: more changes
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* gen
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* docs: update
* docs: update
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: warn about using 'latest'
* feat: use "~> v1" as latest
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: default to "~> v1" instead of "latest"
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: support oss nightlies
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: test
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: support nightly
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* chore: nightly test
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* chore: typo
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: don't depend on the GitHub API to check release
* chore: update generated content
---------
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
* feat!: remove auto-snapshot on dirty tag
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* feat!: remove the entire git thing
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: tests
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* test: fix
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: snapshto tests
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: Use GITHUB_REF to retrieve tag before checking the most recent tag (#238)
* Update tests
* Check also tags sorted by creatordate for the current GITHUB_SHA
* fix: Check tags length
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
* Use native GitHub Action tools to download assets and use GitHub API
* Fix unexpected output when tag not found
* Use GitHub Action exec
* Add screenshot
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
