.github/workflows/ci.yml

@@ -37,21 +37,25 @@ jobs:
           - goreleaser
           - goreleaser-pro
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Set up Go
+      -
+        name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: stable
-      - name: Check
+      -
+        name: Check
         uses: ./
         with:
           version: ${{ matrix.version }}
           args: check --verbose
           workdir: ./test
-      - name: GoReleaser
+      -
+        name: GoReleaser
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
         uses: ./
         env:
@@ -77,25 +81,30 @@ jobs:
           - true
           - false
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Set up Go
+      -
+        name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      - name: Install cosign
+      -
+        name: Install cosign
         if: matrix.cosign
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
-      - name: GoReleaser
+      -
+        name: GoReleaser
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
         uses: ./
         with:
           distribution: ${{ matrix.distribution }}
           version: ${{ matrix.version }}
           install-only: true
-      - name: Check
+      -
+        name: Check
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
         run: |
           goreleaser check --verbose
@@ -111,21 +120,25 @@ jobs:
           - macos-latest
           - windows-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Set up Go
+      -
+        name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      - name: Import GPG key
+      -
+        name: Import GPG key
         id: import_gpg
         uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
           passphrase: ${{ secrets.PASSPHRASE_TEST }}
-      - name: Check
+      -
+        name: Check
         uses: ./
         with:
           version: latest
@@ -133,7 +146,8 @@ jobs:
           workdir: ./test
         env:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
-      - name: GoReleaser
+      -
+        name: GoReleaser
         uses: ./
         with:
           version: latest
@@ -145,26 +159,31 @@ jobs:
   upload-artifact:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Set up Go
+      -
+        name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      - name: Check
+      -
+        name: Check
         uses: ./
         with:
           args: check --verbose
           workdir: ./test
-      - name: GoReleaser
+      -
+        name: GoReleaser
         uses: ./
         with:
           args: release --skip=publish --clean --snapshot
           workdir: ./test
-      - name: Upload assets
+      -
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        name: Upload assets
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: myapp
           path: ./test/dist/*
@@ -172,20 +191,24 @@ jobs:
   dist:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Set up Go
+      -
+        name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      - name: GoReleaser
+      -
+        name: GoReleaser
         uses: ./
         with:
           args: release --config .goreleaser-dist.yml --skip=publish --clean --snapshot
           workdir: ./test
-      - name: Check dist
+      -
+        name: Check dist
         run: |
           tree -nh ./test/_output
 
@@ -202,24 +225,27 @@ jobs:
           - goreleaser-pro
           - goreleaser
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Set up Go
+      -
+        name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      - name: GoReleaser
+      -
+        name: GoReleaser
         uses: ./
         with:
           install-only: true
           distribution: ${{ matrix.distribution }}
           version: nightly
-        env:
+      -
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        name: Check
-      - name: Check
         run: |
           goreleaser check -f ./test/.goreleaser.yml
           goreleaser --version
           goreleaser --version | grep nightly
+

.github/workflows/release-major-tag.yml

@@ -28,15 +28,19 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Git config
+      -
+        name: Git config
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-      - name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+      -
+        name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
         run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
-      - name: Push
+      -
+        name: Push
         run: git push origin ${{ github.event.inputs.major_version }} --force

.github/workflows/test.yml

@@ -19,24 +19,30 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      - name: Setup Node.js
+      -
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        name: Setup Node.js
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v6.0.0
         with:
           node-version-file: '.node-version'
           cache: npm
-      - name: Install cosign
+      -
-        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        name: Install cosign
-      - name: Install dependencies
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+      -
+        name: Install dependencies
         run: npm ci
-      - name: Test
+      -
+        name: Test
         run: npm test
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload coverage
+      -
+        name: Upload coverage
         uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
           files: ./coverage/clover.xml

.github/workflows/validate.yml

@@ -19,35 +19,45 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup Node.js
+      -
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        name: Setup Node.js
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v6.0.0
         with:
           node-version-file: '.node-version'
           cache: npm
-      - name: Install dependencies
+      -
+        name: Install dependencies
         run: npm ci
-      - name: Format check
+      -
+        name: Format check
         run: npm run format-check
-      - name: Lint
+      -
+        name: Lint
         run: npm run lint
 
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup Node.js
+      -
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
+        name: Setup Node.js
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v6.0.0
         with:
           node-version-file: '.node-version'
           cache: npm
-      - name: Install dependencies
+      -
+        name: Install dependencies
         run: npm ci --ignore-scripts
-      - name: Rebuild dist
+      -
+        name: Rebuild dist
         run: npm run build
-      - name: Compare dist
+      -
+        name: Compare dist
         id: diff
         run: |
           if [ "$(git diff --ignore-space-at-eol dist | wc -l)" -gt "0" ]; then
@@ -55,9 +65,10 @@ jobs:
             git diff dist
             exit 1
           fi
-      - name: Upload built dist on failure
+      -
+        name: Upload built dist on failure
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: dist
           path: dist
@@ -65,16 +76,20 @@ jobs:
   vendor:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      -
+        name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup Node.js
+      -
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
+        name: Setup Node.js
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v6.0.0
         with:
           node-version-file: '.node-version'
           cache: npm
-      - name: Refresh package-lock.json
+      -
+        name: Refresh package-lock.json
         run: npm install --package-lock-only
-      - name: Compare package-lock.json
+      -
+        name: Compare package-lock.json
         run: |
           if [ -n "$(git status --porcelain -- package-lock.json)" ]; then
             echo "package-lock.json is out of sync with package.json. Run 'npm install' and commit." >&2

__tests__/github.test.ts

@@ -56,10 +56,12 @@ describe('getRelease', () => {
     expect(release?.tag_name).not.toEqual('');
   });
 
-  it('resolves nightly to a <version>-<sha>-nightly release for OSS GoReleaser', async () => {
+  it('resolves nightly to the legacy nightly tag for OSS GoReleaser', async () => {
+    // No <version>-<sha>-nightly release exists in goreleaser/goreleaser yet,
+    // so this should fall back to the legacy moving `nightly` tag.
     const release = await github.getRelease('goreleaser', 'nightly');
     expect(release).not.toBeNull();
-    expect(release.tag_name).toMatch(github.nightlyTagRegex);
+    expect(release.tag_name).toEqual('nightly');
   });
 
   it('resolves nightly to a <version>-<sha>-nightly release for GoReleaser Pro', async () => {

__tests__/goreleaser.test.ts

@@ -104,6 +104,18 @@ describe('getCertificateIdentity', () => {
     );
   });
 
+  it('uses nightly-oss.yml@refs/heads/main for OSS legacy nightly tag', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser', 'nightly')).toEqual(
+      'https://github.com/goreleaser/goreleaser/.github/workflows/nightly-oss.yml@refs/heads/main'
+    );
+  });
+
+  it('uses nightly-pro.yml@refs/heads/main for Pro legacy nightly tag', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'nightly')).toEqual(
+      'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/nightly-pro.yml@refs/heads/main'
+    );
+  });
+
   it('uses nightly-oss.yml@refs/heads/main for OSS nightly tag', () => {
     expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.16.0-abc1234-nightly')).toEqual(
       'https://github.com/goreleaser/goreleaser/.github/workflows/nightly-oss.yml@refs/heads/main'

src/github.ts

@@ -34,7 +34,7 @@ export interface GitHubRelease {
 export const nightlyTagRegex = /^v\d+\.\d+\.\d+-[0-9a-f]+-nightly$/i;
 
 export const isNightlyTag = (tag: string): boolean => {
-  return nightlyTagRegex.test(tag);
+  return tag === 'nightly' || nightlyTagRegex.test(tag);
 };
 
 export const getRelease = async (distribution: string, version: string): Promise<GitHubRelease> => {
@@ -114,11 +114,15 @@ const resolveNightly = async (distribution: string): Promise<GitHubRelease> => {
   });
 
   const match = releases.find(r => nightlyTagRegex.test(r.tag_name));
-  if (!match) {
+  if (match) {
-    throw new Error(`No '<version>-<sha>-nightly' release found in ${url}`);
-  }
     core.info(`Resolved nightly to ${match.tag_name}`);
     return match;
+  }
+
+  // Fallback to the legacy moving `nightly` tag during the transition period,
+  // until goreleaser stops publishing it.
+  core.warning(`No '<version>-<sha>-nightly' release found in ${url}, falling back to 'nightly' tag`);
+  return {tag_name: 'nightly'};
 };
 
 const resolveVersion = async (distribution: string, version: string): Promise<string | null> => {