actions/goreleaser-action
12
0
Fork 0
mirror of https://github.com/goreleaser/goreleaser-action.git synced 2026-05-15 15:10:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: actions:master
Branches Tags
actions:master
actions:yargs
actions:gorelv2
actions:semver
actions:releases/v4
actions:releases/v3
actions:releases/v2
actions:releases/v1
actions:v7
actions:v7.2.1
actions:v7.2.0
actions:v7.1.0
actions:v7.0.0
actions:v6
actions:v6.4.0
actions:v6.3.0
actions:v6.2.1
actions:v6.2.0
actions:v6.1.0
actions:v6.0.0
actions:v5
actions:v5.1.0
actions:v5.0.0
actions:v4.6.0
actions:v4
actions:v4.5.0
actions:v4.4.0
actions:v4.3.0
actions:v4.2.0
actions:v4.1.1
actions:v4.1.0
actions:v4.0.0
actions:v3
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2
actions:v2.9.1
actions:v2.9.0
actions:v2.8.1
actions:v2.8.0
actions:v2.7.0
actions:v2.6.1
actions:v2.6.0
actions:v2.5.0
actions:v2.4.1
actions:v2.4.0
actions:v2.3.0
actions:v2.2.1
actions:v2.2.0
actions:v2.1.1
actions:v2.1.0
actions:v2.0.2
actions:v2.0.1
actions:v1
actions:v1.5.1
actions:v2.0.0
actions:v1.5.0
actions:v1.4.0
actions:v1.3.1
actions:v1.3.0
actions:v1.2.1
actions:v1.2.0
actions:v1.1.0
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.4.0
actions:v0.3.0
actions:v0.2.2
actions:v0.2.1
actions:v0.2.0
actions:v0.1.0
..
compare: actions:v7.0.0
Branches Tags
actions:master
actions:yargs
actions:gorelv2
actions:semver
actions:releases/v4
actions:releases/v3
actions:releases/v2
actions:releases/v1
actions:v7
actions:v7.2.1
actions:v7.2.0
actions:v7.1.0
actions:v7.0.0
actions:v6
actions:v6.4.0
actions:v6.3.0
actions:v6.2.1
actions:v6.2.0
actions:v6.1.0
actions:v6.0.0
actions:v5
actions:v5.1.0
actions:v5.0.0
actions:v4.6.0
actions:v4
actions:v4.5.0
actions:v4.4.0
actions:v4.3.0
actions:v4.2.0
actions:v4.1.1
actions:v4.1.0
actions:v4.0.0
actions:v3
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2
actions:v2.9.1
actions:v2.9.0
actions:v2.8.1
actions:v2.8.0
actions:v2.7.0
actions:v2.6.1
actions:v2.6.0
actions:v2.5.0
actions:v2.4.1
actions:v2.4.0
actions:v2.3.0
actions:v2.2.1
actions:v2.2.0
actions:v2.1.1
actions:v2.1.0
actions:v2.0.2
actions:v2.0.1
actions:v1
actions:v1.5.1
actions:v2.0.0
actions:v1.5.0
actions:v1.4.0
actions:v1.3.1
actions:v1.3.0
actions:v1.2.1
actions:v1.2.0
actions:v1.1.0
actions:v1.0.2
actions:v1.0.1
actions:v1.0.0
actions:v0.4.0
actions:v0.3.0
actions:v0.2.2
actions:v0.2.1
actions:v0.2.0
actions:v0.1.0

No commits in common. "master" and "v7.0.0" have entirely different histories.
master ... v7.0.0

24 changed files with 360 additions and 801 deletions
Download patch file Download diff file Expand all files Collapse all files

109
.github/workflows/ci.yml vendored
View file

@ -32,26 +32,31 @@ jobs:
- windows-latest
version:
- latest
- '~> 2.13'
- '~> 2.6'
- '~> 1.26'
distribution:
- goreleaser
- goreleaser-pro
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-
name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: stable
- name: Check
-
name: Check
uses: ./
with:
version: ${{ matrix.version }}
args: check --verbose
workdir: ./test
- name: GoReleaser
-
name: GoReleaser
if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
uses: ./
env:
@ -69,33 +74,32 @@ jobs:
matrix:
version:
- latest
- '~> 2.13'
- '~> 2.6'
- '~> 1.26'
distribution:
- goreleaser
- goreleaser-pro
cosign:
- true
- false
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-
name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: 1.18
- name: Install cosign
if: matrix.cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: GoReleaser
-
name: GoReleaser
if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
uses: ./
with:
distribution: ${{ matrix.distribution }}
version: ${{ matrix.version }}
install-only: true
- name: Check
-
name: Check
if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
run: |
goreleaser check --verbose
@ -111,21 +115,25 @@ jobs:
- macos-latest
- windows-latest
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-
name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: 1.18
- name: Import GPG key
-
name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
passphrase: ${{ secrets.PASSPHRASE_TEST }}
- name: Check
-
name: Check
uses: ./
with:
version: latest
@ -133,7 +141,8 @@ jobs:
workdir: ./test
env:
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
- name: GoReleaser
-
name: GoReleaser
uses: ./
with:
version: latest
@ -145,26 +154,31 @@ jobs:
upload-artifact:
runs-on: ubuntu-latest
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-
name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: 1.18
- name: Check
-
name: Check
uses: ./
with:
args: check --verbose
workdir: ./test
- name: GoReleaser
-
name: GoReleaser
uses: ./
with:
args: release --skip=publish --clean --snapshot
workdir: ./test
- name: Upload assets
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-
name: Upload assets
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: myapp
path: ./test/dist/*
@ -172,20 +186,24 @@ jobs:
dist:
runs-on: ubuntu-latest
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-
name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: 1.18
- name: GoReleaser
-
name: GoReleaser
uses: ./
with:
args: release --config .goreleaser-dist.yml --skip=publish --clean --snapshot
workdir: ./test
- name: Check dist
-
name: Check dist
run: |
tree -nh ./test/_output
@ -202,24 +220,27 @@ jobs:
- goreleaser-pro
- goreleaser
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-
name: Set up Go
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: 1.18
- name: GoReleaser
-
name: GoReleaser
uses: ./
with:
install-only: true
distribution: ${{ matrix.distribution }}
version: nightly
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check
-
name: Check
run: |
goreleaser check -f ./test/.goreleaser.yml
goreleaser --version
goreleaser --version | grep nightly

46
.github/workflows/dependabot-build.yml vendored Normal file
View file

@ -0,0 +1,46 @@
name: dependabot-build
on:
pull_request:
paths:
- 'package.json'
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.head_ref }}
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
name: Vendor
uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
with:
targets: vendor
-
name: Pre-checkin
uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
with:
targets: pre-checkin
-
name: Commit and push changes
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -A
if git diff --cached --quiet; then
echo "No changes to commit"
else
git commit -m "chore: update dist and vendor"
git push
fi

42
.github/workflows/release-major-tag.yml vendored
View file

@ -1,42 +0,0 @@
name: release major tag
run-name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
on:
workflow_dispatch:
inputs:
target:
description: The tag, branch, or SHA the major version should point to (e.g. v7.1.0)
required: true
major_version:
type: choice
description: The major version tag to move
options:
- v7
- v6
- v5
- v4
- v3
- v2
- v1
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: write
jobs:
tag:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Git config
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
- name: Push
run: git push origin ${{ github.event.inputs.major_version }} --force

25
.github/workflows/test.yml vendored
View file

@ -19,24 +19,19 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-
name: Test
uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
with:
node-version-file: '.node-version'
cache: npm
- name: Install cosign
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Install dependencies
run: npm ci
- name: Test
run: npm test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload coverage
uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
source: .
targets: test
-
name: Upload coverage
uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
with:
files: ./coverage/clover.xml

78
.github/workflows/validate.yml vendored
View file

@ -16,68 +16,32 @@ on:
pull_request:
jobs:
lint:
prepare:
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.generate.outputs.targets }}
steps:
- name: Checkout
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
-
name: List targets
id: generate
uses: docker/bake-action/subaction/list-targets@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
with:
node-version-file: '.node-version'
cache: npm
- name: Install dependencies
run: npm ci
- name: Format check
run: npm run format-check
- name: Lint
run: npm run lint
target: validate
build:
validate:
runs-on: ubuntu-latest
needs:
- prepare
strategy:
fail-fast: false
matrix:
target: ${{ fromJson(needs.prepare.outputs.targets) }}
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
-
name: Validate
uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
with:
node-version-file: '.node-version'
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Rebuild dist
run: npm run build
- name: Compare dist
id: diff
run: |
if [ "$(git diff --ignore-space-at-eol dist | wc -l)" -gt "0" ]; then
echo "Detected uncommitted changes after build. Run 'npm run build' and commit dist/." >&2
git diff dist
exit 1
fi
- name: Upload built dist on failure
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: dist
path: dist
vendor:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
with:
node-version-file: '.node-version'
cache: npm
- name: Refresh package-lock.json
run: npm install --package-lock-only
- name: Compare package-lock.json
run: |
if [ -n "$(git status --porcelain -- package-lock.json)" ]; then
echo "package-lock.json is out of sync with package.json. Run 'npm install' and commit." >&2
git diff package-lock.json
exit 1
fi
targets: ${{ matrix.target }}

1
.node-version
View file

@ -1 +0,0 @@
24

89
CONTRIBUTING.md
View file

@ -1,89 +0,0 @@
# Contributing
Thanks for your interest in contributing!
## Prerequisites
- [Node.js](https://nodejs.org/) — version pinned in [`.node-version`](./.node-version).
Tools like [`nvm`](https://github.com/nvm-sh/nvm), [`fnm`](https://github.com/Schniz/fnm),
[`asdf`](https://asdf-vm.com/), or [`mise`](https://mise.jdx.dev/) read this file
automatically.
- [`cosign`](https://docs.sigstore.dev/cosign/installation/) — only required if you
want to run the signature-verification integration tests locally.
## Setup
```sh
npm ci
```
## Pre-commit checklist
Before committing changes to `src/`, `__tests__/`, `package.json`,
`package-lock.json`, or `action.yml`:
```sh
npm run pre-checkin
```
That runs `format` + `build` + `test` — the same checks CI runs.
Then commit `dist/` along with your source changes; the action runtime loads
`dist/index.js` directly, so it must stay in sync.
If CI's `validate / build` job fails because `dist/` differs from a fresh
build, just download the `dist` artifact from the failed run and commit it —
or rerun `npm run build` locally with the Node version in `.node-version`.
## npm scripts
| Script | Purpose |
| ------------------- | ------------------------------------------------ |
| `npm run build` | Bundle `src/` to `dist/index.js` via `ncc` |
| `npm run format` | Run Prettier (write) |
| `npm run format-check` | Run Prettier (check only, used in CI) |
| `npm run lint` | Run ESLint (check only, used in CI) |
| `npm run lint:fix` | Run ESLint with `--fix` |
| `npm test` | Run Jest with coverage |
| `npm run pre-checkin` | `format` + `lint:fix` + `build` + `test` |
## Tests
`npm test` runs the full Jest suite, including integration tests that:
- Download real GoReleaser releases from GitHub
- Verify `checksums.txt` against the downloaded archive
- Verify the cosign sigstore bundle (skipped if `cosign` isn't on `PATH`,
but the CI image always has it installed)
These need outbound network access. Offline / restrictive-proxy runs will
have those tests fail — that's expected.
## Commit messages
Use [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`,
`fix:`, `test:`, `docs:`, `chore:`, `ci:`, …). Keep the subject ≤72 chars.
## Pull requests
- Target `master`.
- Make sure `npm run pre-checkin` passes.
- One logical change per PR is easier to review.
- The `signing` CI job and `goreleaser-pro` matrix entries are skipped on PRs
from forks because they need repository secrets — that's expected and not
something you need to fix.
## Releasing (maintainers)
1. Create a new GitHub Release with a semver tag (e.g. `v7.1.0`) — either
through the UI or `gh release create v7.1.0 --generate-notes`.
2. Once the release exists, run the [**release major tag**](./.github/workflows/release-major-tag.yml)
workflow from the Actions tab:
- `target`: the new tag (e.g. `v7.1.0`)
- `major_version`: the major version to repoint (e.g. `v7`)
This force-pushes the major tag to the new release so consumers using
`goreleaser/goreleaser-action@v7` pick up the change.
The same workflow doubles as a rollback tool — pass an older tag as
`target` to revert the major.

96
README.md
View file

@ -16,7 +16,6 @@ ___
* [Usage](#usage)
* [Workflow](#workflow)
* [Verification](#verification)
* [Run on new tag](#run-on-new-tag)
* [Signing](#signing)
* [Upload artifacts](#upload-artifacts)
@ -55,15 +54,15 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v5
with:
fetch-depth: 0
-
name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@v5
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@v6
with:
# either 'goreleaser' (default) or 'goreleaser-pro'
distribution: goreleaser
@ -78,49 +77,6 @@ jobs:
> **IMPORTANT**: note the `fetch-depth: 0` input in `Checkout` step. It is required for the changelog to work correctly.
### Verification
The action verifies the integrity of the downloaded GoReleaser archive
against the published `checksums.txt` automatically — no configuration
required.
If [`cosign`](https://docs.sigstore.dev/cosign/) is available on `PATH`, the
action will additionally verify the cosign sigstore signature of the
checksums file against the GoReleaser release workflow's OIDC identity. If
`cosign` isn't installed, this step is silently skipped.
> **Note**: cosign signature verification requires GoReleaser **v2.13.0 or
> newer** (and the matching `nightly`). Earlier releases ship a `.sig`
> detached signature signed with cosign v2, which is not compatible with
> the cosign v3 sigstore-bundle format the action verifies. For older
> versions the cosign step is silently skipped — only the `checksums.txt`
> SHA-256 verification runs.
> **Note**: when `version: nightly` is used, the action resolves the
> latest immutable `vX.Y.Z-<sha>-nightly` release from the GitHub
> Releases API. Pass `GITHUB_TOKEN` to the action step (as in the example
> above) to avoid unauthenticated API rate limits.
To enable signature verification, install cosign before running the action:
```yaml
-
name: Install cosign
uses: sigstore/cosign-installer@v3
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
distribution: goreleaser
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Both checksum and signature verification work for tagged releases (≥ v2.13.0)
and the `nightly` channel.
### Run on new tag
If you want to run GoReleaser only on new tag, you can use this event:
@ -137,7 +93,7 @@ Or with a condition on GoReleaser step:
```yaml
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@v6
if: startsWith(github.ref, 'refs/tags/')
with:
version: '~> v2'
@ -157,13 +113,13 @@ the [Import GPG](https://github.com/crazy-max/ghaction-import-gpg) GitHub Action
-
name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v7
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@v6
with:
version: '~> v2'
args: release --clean
@ -188,7 +144,7 @@ purposes. You can do that with the [actions/upload-artifact](https://github.com/
```yaml
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@v6
with:
version: '~> v2'
args: release --clean
@ -197,7 +153,7 @@ purposes. You can do that with the [actions/upload-artifact](https://github.com/
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
name: Upload assets
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v4
with:
name: myapp
path: myfolder/dist/*
@ -209,7 +165,7 @@ purposes. You can do that with the [actions/upload-artifact](https://github.com/
steps:
-
name: Install GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@v6
with:
install-only: true
-
@ -227,28 +183,11 @@ Following inputs can be used as `step.with` keys
|------------------|---------|--------------|------------------------------------------------------------------|
| `distribution` | String | `goreleaser` | GoReleaser distribution, either `goreleaser` or `goreleaser-pro` |
| `version`**Âą** | String | `~> v2` | GoReleaser version |
| `version-file`**²** | String | | Read the GoReleaser version from a file (see below) |
| `args` | String | | Arguments to pass to GoReleaser |
| `workdir` | String | `.` | Working directory (below repository root) |
| `install-only` | Bool | `false` | Just install GoReleaser |
> **Âą** Can be a fixed version like `v0.117.0` or a max satisfying semver one like `~> 0.132`. In this case this will return `v0.132.1`.
>
> **²** Path to a file containing the GoReleaser version. Resolved relative
> to `workdir`. Currently only [`.tool-versions`](https://asdf-vm.com/manage/configuration.html#tool-versions)
> (asdf/mise) format is supported. When set, this takes precedence over `version`.
>
> ```yaml
> # .tool-versions
> goreleaser 2.13.0
> ```
>
> ```yaml
> - uses: goreleaser/goreleaser-action@v7
> with:
> version-file: .tool-versions
> args: release --clean
> ```
### outputs
@ -280,7 +219,7 @@ secret named `GH_PAT`, the step will look like this:
```yaml
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
uses: goreleaser/goreleaser-action@v6
with:
version: '~> v2'
args: release --clean
@ -294,16 +233,15 @@ If you need the auto-snapshot feature, take a look at [this example repository](
## Development
See [CONTRIBUTING.md](./CONTRIBUTING.md) for the full development workflow.
Quick reference:
```
# install dependencies
npm ci
# format code and build javascript artifacts
docker buildx bake pre-checkin
# format, build dist/, and run tests
npm run pre-checkin
# validate all code has correctly formatted and built
docker buildx bake validate
# run tests
docker buildx bake test
```
## License

12
__tests__/github.test.ts
View file

@ -22,7 +22,7 @@ describe('getRelease', () => {
it('unknown GoReleaser release', async () => {
await expect(github.getRelease('goreleaser', 'foo')).rejects.toThrow(
new Error('Cannot find GoReleaser release foo in https://goreleaser.com/releases.json')
new Error('Cannot find GoReleaser release foo in https://goreleaser.com/static/releases.json')
);
});
@ -56,16 +56,16 @@ describe('getRelease', () => {
expect(release?.tag_name).not.toEqual('');
});
it('resolves nightly to a <version>-<sha>-nightly release for OSS GoReleaser', async () => {
it('returns nightly GoReleaser GitHub release', async () => {
const release = await github.getRelease('goreleaser', 'nightly');
expect(release).not.toBeNull();
expect(release.tag_name).toMatch(github.nightlyTagRegex);
expect(release?.tag_name).not.toEqual('');
});
it('resolves nightly to a <version>-<sha>-nightly release for GoReleaser Pro', async () => {
it('returns nightly GoReleaser Pro GitHub release', async () => {
const release = await github.getRelease('goreleaser-pro', 'nightly');
expect(release).not.toBeNull();
expect(release.tag_name).toMatch(github.nightlyTagRegex);
expect(release?.tag_name).not.toEqual('');
});
it('returns v0.182.0 GoReleaser Pro GitHub release', async () => {
@ -100,7 +100,7 @@ describe('getRelease', () => {
it('unknown GoReleaser Pro release', async () => {
await expect(github.getRelease('goreleaser-pro', 'foo')).rejects.toThrow(
new Error('Cannot find GoReleaser release foo in https://goreleaser.com/releases-pro.json')
new Error('Cannot find GoReleaser release foo in https://goreleaser.com/static/releases-pro.json')
);
});
});

152
__tests__/goreleaser.test.ts
View file

@ -1,53 +1,38 @@
import {describe, expect, it} from '@jest/globals';
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';
import * as io from '@actions/io';
import * as goreleaser from '../src/goreleaser';
describe('install', () => {
it('acquires v0.182.0 version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'v0.182.0');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires latest version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'latest');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires v0.182.0-pro version of GoReleaser Pro', async () => {
const bin = await goreleaser.install('goreleaser-pro', 'v0.182.0-pro');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires latest v1 version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', '~> v1');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires latest v1 version of GoReleaser Pro', async () => {
const bin = await goreleaser.install('goreleaser-pro', '~> v1');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires latest v2 version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', '~> v2');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
// The following pinned versions exercise install across release eras to
// guard against regressions in checksum handling and the cosign skip path:
// - v0.182.0 : pre-checksums-signing era
// - v1.26.2 : cosign v2 detached `.sig` only
// - v2.12.4 : last release before sigstore bundles (cosign skipped)
// - v2.13.0 : first release with cosign v3 sigstore bundle
// - v2.15.3 : recent release with sigstore bundle
it('acquires v0.182.0 (pre-signing) version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'v0.182.0');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires v1.26.2 (cosign v2 .sig) version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'v1.26.2');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires v2.12.4 (last pre-sigstore-bundle) version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'v2.12.4');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires v2.13.0 (minimum cosign-verifiable) version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'v2.13.0');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires v2.15.3 (recent sigstore-bundle) version of GoReleaser', async () => {
const bin = await goreleaser.install('goreleaser', 'v2.15.3');
expect(fs.existsSync(bin)).toBe(true);
}, 100000);
it('acquires latest v2 version of GoReleaser Pro', async () => {
const bin = await goreleaser.install('goreleaser-pro', '~> v2');
expect(fs.existsSync(bin)).toBe(true);
@ -68,100 +53,3 @@ describe('distribSuffix', () => {
expect(goreleaser.distribSuffix('goreleaser')).toEqual('');
});
});
describe('findChecksum', () => {
const sample = [
'*malformed-line',
'',
'abc123 goreleaser_Linux_x86_64.tar.gz',
'def456 *goreleaser_Darwin_all.tar.gz',
'789xyz checksums.txt'
].join('\n');
it('finds a checksum by filename', () => {
expect(goreleaser.findChecksum(sample, 'goreleaser_Linux_x86_64.tar.gz')).toEqual('abc123');
});
it('strips a leading asterisk on the filename (binary mode)', () => {
expect(goreleaser.findChecksum(sample, 'goreleaser_Darwin_all.tar.gz')).toEqual('def456');
});
it('returns undefined when not present', () => {
expect(goreleaser.findChecksum(sample, 'missing.tar.gz')).toBeUndefined();
});
});
describe('getCertificateIdentity', () => {
it('returns the OSS workflow identity for tagged releases', () => {
expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.15.3')).toEqual(
'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/v2.15.3'
);
});
it('returns the Pro internal workflow identity for tagged releases', () => {
expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'v2.15.3')).toEqual(
'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/v2.15.3'
);
});
it('uses nightly-oss.yml@refs/heads/main for OSS nightly tag', () => {
expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.16.0-abc1234-nightly')).toEqual(
'https://github.com/goreleaser/goreleaser/.github/workflows/nightly-oss.yml@refs/heads/main'
);
});
it('uses nightly-pro.yml@refs/heads/main for Pro nightly tag', () => {
expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'v2.16.0-eaeb08c50-nightly')).toEqual(
'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/nightly-pro.yml@refs/heads/main'
);
});
});
describe('verifyChecksum', () => {
const requireCosign = async (): Promise<void> => {
const cosign = await io.which('cosign', false);
if (!cosign) {
throw new Error(
'cosign must be installed in PATH to run this integration test (apk add cosign / sigstore/cosign-installer)'
);
}
};
it('verifies a tagged OSS release end-to-end with cosign', async () => {
await requireCosign();
const bin = await goreleaser.install('goreleaser', 'v2.15.3');
expect(fs.existsSync(bin)).toBe(true);
}, 120000);
it('verifies the OSS nightly release end-to-end with cosign', async () => {
await requireCosign();
const bin = await goreleaser.install('goreleaser', 'nightly');
expect(fs.existsSync(bin)).toBe(true);
}, 120000);
it('installs a pre-v2.13 release (no sigstore bundle) without failing when cosign is present', async () => {
// v2.12.x is the last release that did NOT publish checksums.txt.sigstore.json.
// The action must still install it cleanly: checksum verified, cosign step skipped.
await requireCosign();
const bin = await goreleaser.install('goreleaser', 'v2.12.4');
expect(fs.existsSync(bin)).toBe(true);
}, 120000);
it('throws on checksum mismatch', async () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
const archive = path.join(dir, 'fake.tar.gz');
fs.writeFileSync(archive, 'tampered content');
await expect(
goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'goreleaser_Linux_x86_64.tar.gz')
).rejects.toThrow(/Checksum mismatch/);
}, 60000);
it('throws when the filename is not in checksums.txt', async () => {
const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
const archive = path.join(dir, 'whatever.tar.gz');
fs.writeFileSync(archive, '');
await expect(
goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'not-a-real-asset.tar.gz')
).rejects.toThrow(/Could not find not-a-real-asset.tar.gz in checksums.txt/);
}, 60000);
});

117
__tests__/version.test.ts
View file

@ -1,117 +0,0 @@
import {describe, expect, it, beforeEach, afterEach} from '@jest/globals';
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';
import {getRequestedVersion} from '../src/version';
import {Inputs} from '../src/context';
const baseInputs = (overrides: Partial<Inputs>): Inputs => ({
distribution: 'goreleaser',
version: '~> v2',
versionFile: '',
args: '',
workdir: '.',
installOnly: false,
...overrides
});
describe('getRequestedVersion', () => {
let tmpDir: string;
beforeEach(() => {
tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'goreleaser-version-'));
});
afterEach(() => {
fs.rmSync(tmpDir, {recursive: true, force: true});
});
const writeToolVersions = (content: string, name = '.tool-versions'): void => {
fs.writeFileSync(path.join(tmpDir, name), content);
};
describe('without version-file', () => {
it('returns the version input as-is', () => {
expect(getRequestedVersion(baseInputs({version: 'v1.2.3'}))).toBe('v1.2.3');
});
it('returns the default version when none is provided', () => {
expect(getRequestedVersion(baseInputs({version: '~> v2'}))).toBe('~> v2');
});
});
describe('with .tool-versions', () => {
it('parses an unprefixed version and adds the v prefix', () => {
writeToolVersions('goreleaser 1.2.3\n');
expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v1.2.3');
});
it('keeps an existing v prefix without doubling it', () => {
writeToolVersions('goreleaser v1.2.3\n');
expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v1.2.3');
});
it('takes precedence over the version input', () => {
writeToolVersions('goreleaser 1.2.3\n');
expect(getRequestedVersion(baseInputs({version: 'v9.9.9', versionFile: '.tool-versions', workdir: tmpDir}))).toBe(
'v1.2.3'
);
});
it('ignores other tools and picks goreleaser', () => {
writeToolVersions(['nodejs 20.10.0', 'goreleaser 2.13.0', 'python 3.12.1', ''].join('\n'));
expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v2.13.0');
});
it('skips full-line and inline comments', () => {
writeToolVersions(['# pinned for CI', 'goreleaser 2.13.0 # minimum cosign-verifiable', ''].join('\n'));
expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v2.13.0');
});
it('preserves "latest"', () => {
writeToolVersions('goreleaser latest\n');
expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('latest');
});
it('uses only the first version when multiple fallbacks are listed', () => {
// asdf supports listing fallback versions; we install the first match.
writeToolVersions('goreleaser 2.13.0 2.12.4\n');
expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v2.13.0');
});
it('accepts an absolute path and ignores workdir', () => {
const abs = path.join(tmpDir, '.tool-versions');
fs.writeFileSync(abs, 'goreleaser 2.13.0\n');
expect(getRequestedVersion(baseInputs({versionFile: abs, workdir: '/nonexistent'}))).toBe('v2.13.0');
});
it('throws when the file does not exist', () => {
expect(() => getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toThrow(
/version-file not found/
);
});
it('throws when the file has no goreleaser entry', () => {
writeToolVersions(['nodejs 20.10.0', 'python 3.12.1', ''].join('\n'));
expect(() => getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toThrow(
/No goreleaser entry/
);
});
it('throws when the goreleaser entry has no version', () => {
writeToolVersions('goreleaser\n');
expect(() => getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toThrow(
/No version specified for goreleaser/
);
});
});
describe('with an unsupported file', () => {
it('throws a clear error', () => {
fs.writeFileSync(path.join(tmpDir, '.go-version'), '1.2.3\n');
expect(() => getRequestedVersion(baseInputs({versionFile: '.go-version', workdir: tmpDir}))).toThrow(
/Unsupported version-file/
);
});
});
});

6
action.yml
View file

@ -15,12 +15,6 @@ inputs:
description: 'GoReleaser version'
default: '~> v2'
required: false
version-file:
description: |
Read the GoReleaser version from a file. Path is resolved relative to
`workdir`. Currently only `.tool-versions` (asdf/mise) is supported.
When set, takes precedence over `version`.
required: false
args:
description: 'Arguments to pass to GoReleaser'
required: false

71
dev.Dockerfile Normal file
View file

@ -0,0 +1,71 @@
# syntax=docker/dockerfile:1
ARG NODE_VERSION=24
FROM node:${NODE_VERSION}-alpine AS base
RUN apk add --no-cache cpio findutils git
WORKDIR /src
FROM base AS deps
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
npm install && mkdir /vendor && cp package-lock.json /vendor
FROM scratch AS vendor-update
COPY --from=deps /vendor /
FROM deps AS vendor-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
git add -A
cp -rf /vendor/* .
if [ -n "$(git status --porcelain -- package-lock.json)" ]; then
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
git status --porcelain -- package-lock.json
exit 1
fi
EOT
FROM deps AS build
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
npm run build && mkdir /out && cp -Rf dist /out/
FROM scratch AS build-update
COPY --from=build /out /
FROM build AS build-validate
RUN --mount=type=bind,target=.,rw <<EOT
set -e
git add -A
cp -rf /out/* .
if [ -n "$(git status --porcelain -- dist)" ]; then
echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
git status --porcelain -- dist
exit 1
fi
EOT
FROM deps AS format
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
npm run format \
&& mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
FROM scratch AS format-update
COPY --from=format /out /
FROM deps AS lint
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
npm run lint
FROM deps AS test
ENV RUNNER_TEMP=/tmp/github_runner
ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
RUN --mount=type=bind,target=.,rw \
--mount=type=cache,target=/src/node_modules \
npm run test -- --coverage --coverageDirectory=/tmp/coverage
FROM scratch AS test-coverage
COPY --from=test /tmp/coverage /

10
dist/index.js generated vendored
View file

File diff suppressed because one or more lines are too long

1
dist/index.js.map generated vendored Normal file
View file

File diff suppressed because one or more lines are too long

1
dist/sourcemap-register.js generated vendored Normal file
View file

File diff suppressed because one or more lines are too long

61
docker-bake.hcl Normal file
View file

@ -0,0 +1,61 @@
target "_common" {
args = {
BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
}
}
group "default" {
targets = ["build"]
}
group "pre-checkin" {
targets = ["vendor", "format", "build"]
}
group "validate" {
targets = ["lint", "build-validate", "vendor-validate"]
}
target "build" {
dockerfile = "dev.Dockerfile"
target = "build-update"
output = ["."]
}
target "build-validate" {
inherits = ["_common"]
dockerfile = "dev.Dockerfile"
target = "build-validate"
output = ["type=cacheonly"]
}
target "format" {
dockerfile = "dev.Dockerfile"
target = "format-update"
output = ["."]
}
target "lint" {
dockerfile = "dev.Dockerfile"
target = "lint"
output = ["type=cacheonly"]
}
target "vendor" {
dockerfile = "dev.Dockerfile"
target = "vendor-update"
output = ["."]
}
target "vendor-validate" {
inherits = ["_common"]
dockerfile = "dev.Dockerfile"
target = "vendor-validate"
output = ["type=cacheonly"]
}
target "test" {
dockerfile = "dev.Dockerfile"
target = "test-coverage"
output = ["./coverage"]
}

18
package-lock.json generated
View file

@ -112,6 +112,7 @@
"integrity": "sha512-H3mcG6ZDLTlYfaSNi0iOKkigqMFvkTKlGUYlD8GW7nNOYRrevuA46iTypPyv+06V3fEmvvazfntkBU34L0azAw==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"@babel/code-frame": "^7.28.6",
"@babel/generator": "^7.28.6",
@ -1430,6 +1431,7 @@
"integrity": "sha512-ne4A0IpG3+2ETuREInjPNhUGis1SFjv1d5asp8MzEAGtOZeTeHVDOYqOgqfhvseqg/iXty2hjBf1zAOb7RNiNw==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"undici-types": "~7.16.0"
}
@ -1471,6 +1473,7 @@
"integrity": "sha512-oy9+hTPCUFpngkEZUSzbf9MxI65wbKFoQYsgPdILTfbUldp5ovUuphZVe4i30emU9M/kP+T64Di0mxl7dSw3MA==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"@eslint-community/regexpp": "^4.5.1",
"@typescript-eslint/scope-manager": "6.21.0",
@ -1507,6 +1510,7 @@
"integrity": "sha512-tbsV1jPne5CkFQCgPBcDOt30ItF7aJoZL997JSF7MhGQqOeT3svWRYxiqlfA5RUdlHN6Fi+EI9bxqbdyAUZjYQ==",
"dev": true,
"license": "BSD-2-Clause",
"peer": true,
"dependencies": {
"@typescript-eslint/scope-manager": "6.21.0",
"@typescript-eslint/types": "6.21.0",
@ -1686,6 +1690,7 @@
"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
"dev": true,
"license": "MIT",
"peer": true,
"bin": {
"acorn": "bin/acorn"
},
@ -2011,6 +2016,7 @@
}
],
"license": "MIT",
"peer": true,
"dependencies": {
"baseline-browser-mapping": "^2.9.0",
"caniuse-lite": "^1.0.30001759",
@ -2467,6 +2473,7 @@
"deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.6.1",
@ -2523,6 +2530,7 @@
"integrity": "sha512-iI1f+D2ViGn+uvv5HuHVUamg8ll4tN+JRHGc6IJi4TP9Kl976C57fzPXgseXNs8v0iA8aSJpHsTWjDb9QJamGQ==",
"dev": true,
"license": "MIT",
"peer": true,
"bin": {
"eslint-config-prettier": "bin/cli.js"
},
@ -3558,6 +3566,7 @@
"integrity": "sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"@jest/core": "^29.7.0",
"@jest/types": "^29.6.3",
@ -4811,6 +4820,7 @@
"integrity": "sha512-yEPsovQfpxYfgWNhCfECjG5AQaO+K3dp6XERmOepyPDVqcJm+bjyCVO3pmU+nAPe0N5dDvekfGezt/EIiRe1TA==",
"dev": true,
"license": "MIT",
"peer": true,
"bin": {
"prettier": "bin/prettier.cjs"
},
@ -5474,6 +5484,7 @@
"integrity": "sha512-f0FFpIdcHgn8zcPSbf1dRevwt047YMnaiJM3u2w2RewrB+fob/zePZcrOyQoLMMO7aBIddLcQIEK5dYjkLnGrQ==",
"dev": true,
"license": "MIT",
"peer": true,
"dependencies": {
"@cspotcode/source-map-support": "^0.8.0",
"@tsconfig/node10": "^1.0.7",
@ -5586,6 +5597,7 @@
"integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
"dev": true,
"license": "Apache-2.0",
"peer": true,
"bin": {
"tsc": "bin/tsc",
"tsserver": "bin/tsserver"
@ -5609,9 +5621,9 @@
}
},
"node_modules/undici": {
"version": "6.24.1",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.24.1.tgz",
"integrity": "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA==",
"version": "6.23.0",
"resolved": "https://registry.npmjs.org/undici/-/undici-6.23.0.tgz",
"integrity": "sha512-VfQPToRA5FZs/qJxLIinmU59u0r7LXqoJkCzinq3ckNJp3vKEh7jTWN589YQ5+aoAC/TGRLyJLCPKcLQbM8r9g==",
"license": "MIT",
"engines": {
"node": ">=18.17"

14
package.json
View file

@ -5,12 +5,14 @@
"type": "module",
"scripts": {
"build": "ncc build src/main.ts --minify --license licenses.txt",
"format": "prettier --write \"**/*.ts\"",
"format-check": "prettier --check \"**/*.ts\"",
"lint": "eslint --max-warnings=0 \"**/*.ts\"",
"lint:fix": "eslint --fix \"**/*.ts\"",
"test": "NODE_OPTIONS='--experimental-vm-modules' jest --coverage",
"pre-checkin": "npm run format && npm run lint:fix && npm run build && npm test"
"lint": "npm run prettier && npm run eslint",
"format": "npm run prettier:fix && npm run eslint:fix",
"eslint": "eslint --max-warnings=0 .",
"eslint:fix": "eslint --fix .",
"prettier": "prettier --check \"./**/*.ts\"",
"prettier:fix": "prettier --write \"./**/*.ts\"",
"test": "NODE_OPTIONS='--experimental-vm-modules' jest",
"all": "npm run build && npm run format && npm test"
},
"repository": {
"type": "git",

2
src/context.ts
View file

@ -7,7 +7,6 @@ export const osArch: string = os.arch();
export interface Inputs {
distribution: string;
version: string;
versionFile: string;
args: string;
workdir: string;
installOnly: boolean;
@ -17,7 +16,6 @@ export async function getInputs(): Promise<Inputs> {
return {
distribution: core.getInput('distribution') || 'goreleaser',
version: core.getInput('version') || '~> v2',
versionFile: core.getInput('version-file'),
args: core.getInput('args'),
workdir: core.getInput('workdir') || '.',
installOnly: core.getBooleanInput('install-only')

46
src/github.ts
View file

@ -30,13 +30,6 @@ export interface GitHubRelease {
tag_name: string;
}
// Matches the new-style nightly release tag pattern: vX.Y.Z-<sha>-nightly
export const nightlyTagRegex = /^v\d+\.\d+\.\d+-[0-9a-f]+-nightly$/i;
export const isNightlyTag = (tag: string): boolean => {
return nightlyTagRegex.test(tag);
};
export const getRelease = async (distribution: string, version: string): Promise<GitHubRelease> => {
if (version === 'latest') {
core.warning("You are using 'latest' as default version. Will lock to '~> v2'.");
@ -47,7 +40,7 @@ export const getRelease = async (distribution: string, version: string): Promise
export const getReleaseTag = async (distribution: string, version: string): Promise<GitHubRelease> => {
if (version === 'nightly') {
return resolveNightly(distribution);
return {tag_name: version};
}
// If version is a specific version (not a range), skip the JSON check
@ -66,7 +59,7 @@ export const getReleaseTag = async (distribution: string, version: string): Prom
const tag: string = (await resolveVersion(distribution, version)) || version;
const suffix: string = goreleaser.distribSuffix(distribution);
const url = `https://goreleaser.com/releases${suffix}.json`;
const url = `https://goreleaser.com/static/releases${suffix}.json`;
const releases = await withRetry(async () => {
const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
@ -88,39 +81,6 @@ export const getReleaseTag = async (distribution: string, version: string): Prom
throw new Error(`Cannot find GoReleaser release ${version} in ${url}`);
};
// resolveNightly looks up the latest immutable nightly release of the form
// `vX.Y.Z-<sha>-nightly` on the GitHub releases of the given distribution.
const resolveNightly = async (distribution: string): Promise<GitHubRelease> => {
const url = `https://api.github.com/repos/goreleaser/${distribution}/releases?per_page=100`;
core.debug(`Resolving latest nightly release from ${url}`);
const releases = await withRetry(async () => {
const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
const headers: {[name: string]: string} = {
Accept: 'application/vnd.github+json',
'X-GitHub-Api-Version': '2022-11-28'
};
const token = process.env.GITHUB_TOKEN;
if (token) {
headers['Authorization'] = `Bearer ${token}`;
}
const resp: httpm.HttpClientResponse = await http.get(url, headers);
const body = await resp.readBody();
const statusCode = resp.message.statusCode || 500;
if (statusCode >= 400) {
throw new Error(`Failed to list releases from ${url} with status code ${statusCode}: ${body}`);
}
return <Array<GitHubRelease>>JSON.parse(body);
});
const match = releases.find(r => nightlyTagRegex.test(r.tag_name));
if (!match) {
throw new Error(`No '<version>-<sha>-nightly' release found in ${url}`);
}
core.info(`Resolved nightly to ${match.tag_name}`);
return match;
};
const resolveVersion = async (distribution: string, version: string): Promise<string | null> => {
const allTags: Array<string> | null = await getAllTags(distribution);
if (!allTags) {
@ -148,7 +108,7 @@ interface GitHubTag {
const getAllTags = async (distribution: string): Promise<Array<string>> => {
const suffix: string = goreleaser.distribSuffix(distribution);
const url = `https://goreleaser.com/releases${suffix}.json`;
const url = `https://goreleaser.com/static/releases${suffix}.json`;
core.debug(`Downloading ${url}`);
return withRetry(async () => {

102
src/goreleaser.ts
View file

@ -1,26 +1,26 @@
import * as crypto from 'crypto';
import * as fs from 'fs';
import * as path from 'path';
import * as util from 'util';
import yaml from 'js-yaml';
import * as context from './context';
import * as github from './github';
import * as core from '@actions/core';
import * as exec from '@actions/exec';
import * as io from '@actions/io';
import * as tc from '@actions/tool-cache';
export async function install(distribution: string, version: string): Promise<string> {
const release: github.GitHubRelease = await github.getRelease(distribution, version);
const filename = getFilename(distribution);
const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${release.tag_name}`;
const downloadUrl = `${baseUrl}/${filename}`;
const downloadUrl = util.format(
'https://github.com/goreleaser/%s/releases/download/%s/%s',
distribution,
release.tag_name,
filename
);
core.info(`Downloading ${downloadUrl}`);
const downloadPath: string = await tc.downloadTool(downloadUrl);
core.debug(`Downloaded to ${downloadPath}`);
await verifyChecksum(distribution, release.tag_name, downloadPath, filename);
core.info('Extracting GoReleaser');
let extPath: string;
if (context.osPlat == 'win32') {
@ -45,92 +45,6 @@ export async function install(distribution: string, version: string): Promise<st
return exePath;
}
export async function verifyChecksum(
distribution: string,
tag: string,
archivePath: string,
filename: string
): Promise<void> {
const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${tag}`;
let checksumsPath: string;
try {
core.info(`Downloading ${baseUrl}/checksums.txt`);
checksumsPath = await tc.downloadTool(`${baseUrl}/checksums.txt`);
} catch (e) {
core.warning(`Skipping checksum verification: unable to download checksums.txt: ${e.message}`);
return;
}
const sha256 = crypto.createHash('sha256').update(fs.readFileSync(archivePath)).digest('hex');
const expected = findChecksum(fs.readFileSync(checksumsPath, 'utf8'), filename);
if (!expected) {
throw new Error(`Could not find ${filename} in checksums.txt`);
}
if (expected.toLowerCase() !== sha256.toLowerCase()) {
throw new Error(`Checksum mismatch for ${filename}: expected ${expected}, got ${sha256}`);
}
core.info(`Checksum verified for ${filename}`);
await verifyCosignSignature(distribution, tag, baseUrl, checksumsPath);
}
export const findChecksum = (checksumsContent: string, filename: string): string | undefined => {
const match = checksumsContent
.split('\n')
.map(line => line.trim().split(/\s+/))
.find(parts => parts.length >= 2 && parts[1].replace(/^[*]/, '') === filename);
return match ? match[0] : undefined;
};
async function verifyCosignSignature(
distribution: string,
tag: string,
baseUrl: string,
checksumsPath: string
): Promise<void> {
const cosign = await io.which('cosign', false);
if (!cosign) {
core.info('cosign not found in PATH, skipping signature verification');
return;
}
let bundlePath: string;
try {
core.info(`Downloading ${baseUrl}/checksums.txt.sigstore.json`);
bundlePath = await tc.downloadTool(`${baseUrl}/checksums.txt.sigstore.json`);
} catch (e) {
core.warning(`Skipping cosign signature verification: unable to download sigstore bundle: ${e.message}`);
return;
}
const certificateIdentity = getCertificateIdentity(distribution, tag);
core.info(`Verifying checksums.txt signature with cosign (identity: ${certificateIdentity})`);
await exec.exec(cosign, [
'verify-blob',
'--certificate-identity',
certificateIdentity,
'--certificate-oidc-issuer',
'https://token.actions.githubusercontent.com',
'--bundle',
bundlePath,
checksumsPath
]);
core.info('cosign signature verified');
}
export const getCertificateIdentity = (distribution: string, tag: string): string => {
const pro = isPro(distribution);
if (github.isNightlyTag(tag)) {
const workflow = pro ? 'nightly-pro.yml' : 'nightly-oss.yml';
const repo = pro ? 'goreleaser-pro-internal' : 'goreleaser';
return `https://github.com/goreleaser/${repo}/.github/workflows/${workflow}@refs/heads/main`;
}
if (pro) {
return `https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/${tag}`;
}
return `https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/${tag}`;
};
export const distribSuffix = (distribution: string): string => {
return isPro(distribution) ? '-pro' : '';
};
@ -167,7 +81,7 @@ const getFilename = (distribution: string): string => {
const platform: string = context.osPlat == 'win32' ? 'Windows' : context.osPlat == 'darwin' ? 'Darwin' : 'Linux';
const ext: string = context.osPlat == 'win32' ? 'zip' : 'tar.gz';
const suffix: string = distribSuffix(distribution);
return `goreleaser${suffix}_${platform}_${arch}.${ext}`;
return util.format('goreleaser%s_%s_%s.%s', suffix, platform, arch, ext);
};
export async function getDistPath(yamlfile: string): Promise<string> {

6
src/main.ts
View file

@ -4,16 +4,14 @@ import yargs from 'yargs';
import type {Arguments} from 'yargs';
import * as context from './context';
import * as goreleaser from './goreleaser';
import {getRequestedVersion} from './version';
import * as core from '@actions/core';
import * as exec from '@actions/exec';
async function run(): Promise<void> {
try {
const inputs: context.Inputs = await context.getInputs();
const version = getRequestedVersion(inputs);
const bin = await goreleaser.install(inputs.distribution, version);
core.info(`GoReleaser ${version} installed successfully`);
const bin = await goreleaser.install(inputs.distribution, inputs.version);
core.info(`GoReleaser ${inputs.version} installed successfully`);
if (inputs.installOnly) {
const goreleaserDir = path.dirname(bin);

56
src/version.ts
View file

@ -1,56 +0,0 @@
import * as fs from 'fs';
import * as path from 'path';
import {Inputs} from './context';
// Resolves the GoReleaser version to install.
//
// When `version-file` is set, it is read from disk and parsed; the resolved
// value takes precedence over the `version` input. Otherwise, `version` is
// returned as-is (it always has a default — see context.getInputs).
export function getRequestedVersion(inputs: Inputs): string {
if (!inputs.versionFile) {
return inputs.version;
}
const filePath = path.isAbsolute(inputs.versionFile)
? inputs.versionFile
: path.join(inputs.workdir || '.', inputs.versionFile);
if (!fs.existsSync(filePath)) {
throw new Error(`version-file not found: ${filePath}`);
}
const basename = path.basename(filePath);
const content = fs.readFileSync(filePath, 'utf-8');
switch (basename) {
case '.tool-versions':
return parseToolVersions(content, filePath);
default:
throw new Error(`Unsupported version-file: ${filePath} (only .tool-versions is supported)`);
}
}
// Parses a single `goreleaser <version>` entry out of a `.tool-versions` file
// (asdf/mise format). Full-line `#` comments and inline `# ...` suffixes are
// stripped. When a tool lists multiple fallback versions only the first is
// used. Bare semvers are returned with a leading `v`; constraint expressions
// (`~> v2`, `latest`, ...) are returned as-is.
function parseToolVersions(content: string, filePath: string): string {
for (const rawLine of content.split('\n')) {
const line = rawLine.replace(/#.*$/, '').trim();
if (!line) {
continue;
}
const tokens = line.split(/\s+/);
if (tokens[0] !== 'goreleaser') {
continue;
}
const version = tokens[1];
if (!version) {
throw new Error(`No version specified for goreleaser in ${filePath}`);
}
return /^\d/.test(version) ? `v${version}` : version;
}
throw new Error(`No goreleaser entry found in ${filePath}`);
}