* fix(nightly): pick latest nightly by published_at
GitHub's /releases endpoint is not reliably ordered by published_at,
so resolveNightly could pick an older nightly than the most recent
one. Filter, sort by published_at desc, and take the first.
* test(nightly): add regression coverage for release ordering
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Both goreleaser and goreleaser-pro now publish nightly releases as
vX.Y.Z-<sha>-nightly, so the action no longer needs to special-case
or fall back to the moving 'nightly' tag.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release
Query GitHub releases API to resolve the 'nightly' version input to the
latest immutable nightly tag, replacing the moving 'nightly' tag that is
being removed for supply-chain hardening.
Refs goreleaser/goreleaser#6550
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: keep legacy 'nightly' tag working during transition
Fall back to the moving 'nightly' tag when no immutable
vX.Y.Z-<sha>-nightly release is found, so the action keeps working
between this release and the goreleaser nightly switchover.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: assert isNightlyTag accepts legacy fallback
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: accept nightly tags without 'v' prefix
goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly
(no 'v' prefix). Make the nightly tag regex tolerate either form, and
split the integration tests so OSS asserts the legacy fallback while
Pro asserts the new <version>-<sha>-nightly format.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Revert "fix: accept nightly tags without 'v' prefix"
The missing 'v' prefix on the goreleaser-pro nightly was a release
mistake; new nightlies will keep the 'v' prefix.
This reverts commit 7673f7f.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: pass GITHUB_TOKEN to tests
The new nightly resolution hits api.github.com/repos/.../releases,
which is rate-limited for unauthenticated requests.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: note GITHUB_TOKEN need for nightly resolution
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Resolves the GoReleaser version from a file. Currently supports the
asdf/mise `.tool-versions` format; resolved value takes precedence
over the `version` input.
# .tool-versions
goreleaser 2.13.0
- uses: goreleaser/goreleaser-action@v7
with:
version-file: .tool-versions
args: release --clean
Path is resolved relative to `workdir` unless absolute. Bare semvers
are auto-prefixed with `v`; constraint expressions and `latest` are
returned as-is. Multiple fallback versions per asdf convention are
accepted but only the first is used.
Refs #541Closes#542
Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: verify release checksum and cosign signature
Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: use install() for checksum e2e tests
Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: support .config directory for goreleaser config files
Add support for .config/goreleaser.yaml and .config/goreleaser.yml
configuration files to match GoReleaser's official search order.
* run $ docker buildx bake build
* feat!: use "~> v2" as default
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: more changes
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* gen
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* docs: update
* docs: update
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: warn about using 'latest'
* feat: use "~> v1" as latest
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: default to "~> v1" instead of "latest"
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: support oss nightlies
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: test
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: support nightly
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* chore: nightly test
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* chore: typo
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: don't depend on the GitHub API to check release
* chore: update generated content
---------
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
* feat!: remove auto-snapshot on dirty tag
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* feat!: remove the entire git thing
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: tests
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* test: fix
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: snapshto tests
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: do not override GORELEASER_CURRENT_TAG
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: build
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: should not force snapshot when nightly is set
Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
* fix: build
Signed-off-by: Carlos A Becker <caarlos0@gmail.com>
* fix: Use GITHUB_REF to retrieve tag before checking the most recent tag (#238)
* Update tests
* Check also tags sorted by creatordate for the current GITHUB_SHA
* fix: Check tags length
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
* Use native GitHub Action tools to download assets and use GitHub API
* Fix unexpected output when tag not found
* Use GitHub Action exec
* Add screenshot
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
