Adds a workflow that, on Dependabot PRs, rebuilds the ncc-bundled dist/
and pushes it back onto the PR branch, so a dependency bump and its
matching dist/ land in a single PR and the validate workflow stays green.
Pushing the dist commit uses GH_PAT (the default GITHUB_TOKEN is read-only
on Dependabot runs and its pushes do not re-trigger checks). The job is a
no-op until GH_PAT is available as a Dependabot secret.
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release
Query GitHub releases API to resolve the 'nightly' version input to the
latest immutable nightly tag, replacing the moving 'nightly' tag that is
being removed for supply-chain hardening.
Refs goreleaser/goreleaser#6550
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: keep legacy 'nightly' tag working during transition
Fall back to the moving 'nightly' tag when no immutable
vX.Y.Z-<sha>-nightly release is found, so the action keeps working
between this release and the goreleaser nightly switchover.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: assert isNightlyTag accepts legacy fallback
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: accept nightly tags without 'v' prefix
goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly
(no 'v' prefix). Make the nightly tag regex tolerate either form, and
split the integration tests so OSS asserts the legacy fallback while
Pro asserts the new <version>-<sha>-nightly format.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Revert "fix: accept nightly tags without 'v' prefix"
The missing 'v' prefix on the goreleaser-pro nightly was a release
mistake; new nightlies will keep the 'v' prefix.
This reverts commit 7673f7f.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: pass GITHUB_TOKEN to tests
The new nightly resolution hits api.github.com/repos/.../releases,
which is rate-limited for unauthenticated requests.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: note GITHUB_TOKEN need for nightly resolution
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
GoReleaser v2.13.0 was the first release to ship the cosign v3
sigstore-bundle 'checksums.txt.sigstore.json' alongside the archive.
Earlier releases only publish a cosign v2 detached '.sig', which the
action's verifier does not understand and silently skips.
Drop '~> 1.26' / '~> 2.6' / 'v0.182.0' / '~> v1' from the matrix and
the install tests; pin '~> 2.13' as the minimum-supported version we
actively exercise in CI. Document v2.13.0 as the minimum cosign-
verifiable version in the README.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* build: drop docker-bake in favor of plain npm
Every TypeScript action maintained by actions/* (checkout, setup-node,
setup-go, cache, upload-artifact) uses plain npm scripts. The bake
setup is a docker/* org convention and adds friction for TS work:
contributors need Docker, the dev loop is ~10x slower than npm, and
Alpine-vs-host byte drift in dist/index.js makes PRs bounce.
Replace with the standard pattern:
- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake
targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node)
and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake
CONTRIBUTING.md and README development section updated to match.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* build: align scripts and workflows with actions/* convention
Match the standard layout used by actions/checkout, actions/setup-node,
etc.:
- package.json scripts: split format/format-check (Prettier) from
lint/lint:fix (ESLint), and have pre-checkin run all four (format,
lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on
dependabot PRs; the check-dist style validate / build job catches
drift and a maintainer rebuilds locally if needed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: add release-major-tag workflow
Adopts the actions/checkout pattern (workflow_dispatch with target +
major_version inputs that force-pushes the major tag). Doubles as a
rollback tool. Documented in CONTRIBUTING under a 'Releasing' section.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* ci: drop irrelevant pin comment from release-major-tag
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* build: drop docker-bake in favor of plain npm
Every TypeScript action maintained by actions/* (checkout, setup-node,
setup-go, cache, upload-artifact) uses plain npm scripts. The bake
setup is a docker/* org convention and adds friction for TS work:
contributors need Docker, the dev loop is ~10x slower than npm, and
Alpine-vs-host byte drift in dist/index.js makes PRs bounce.
Replace with the standard pattern:
- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake
targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node)
and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake
CONTRIBUTING.md and README development section updated to match.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* build: align scripts and workflows with actions/* convention
Match the standard layout used by actions/checkout, actions/setup-node,
etc.:
- package.json scripts: split format/format-check (Prettier) from
lint/lint:fix (ESLint), and have pre-checkin run all four (format,
lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on
dependabot PRs; the check-dist style validate / build job catches
drift and a maintainer rebuilds locally if needed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: verify release checksum and cosign signature
Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* test: use install() for checksum e2e tests
Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: support oss nightlies
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: test
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* feat: support nightly
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* chore: nightly test
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* chore: typo
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
* fix: don't depend on the GitHub API to check release
* chore: update generated content
---------
Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
* feat!: remove auto-snapshot on dirty tag
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* feat!: remove the entire git thing
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: tests
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* test: fix
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
* fix: snapshot tests
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>