ci: update actions

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

.gitattributes

@@ -1,4 +1,2 @@
-/.yarn/releases/** binary
-/.yarn/plugins/** binary
-/dist/** linguist-generated=true
-/lib/** linguist-generated=true
+/dist/** linguist-generated=true -diff
+/lib/** linguist-generated=true -diff

.github/dependabot.yml

@@ -3,18 +3,28 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
-      time: "06:00"
-      timezone: "Europe/Paris"
+      interval: monthly
     labels:
       - "dependencies"
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    groups:
+      actions:
+        patterns:
+          - "*"
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "daily"
-      time: "06:00"
-      timezone: "Europe/Paris"
+      interval: monthly
     allow:
       - dependency-type: "production"
     labels:
       - "dependencies"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    groups:
+      npm:
+        patterns:
+          - "*"

.github/workflows/ci.yml

@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 10 * * *'
@@ -24,34 +28,30 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
-          - macOS-latest
+          - macos-latest
           - windows-latest
         version:
           - latest
-          - '~> 1.15'
+          - '~> 2.13'
         distribution:
           - goreleaser
           - goreleaser-pro
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version: 1.18
-      -
-        name: Check
+          go-version: stable
+      - name: Check
         uses: ./
         with:
           version: ${{ matrix.version }}
-          args: check --debug
+          args: check --verbose
           workdir: ./test
-      -
-        name: GoReleaser
+      - name: GoReleaser
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
         uses: ./
         env:
@@ -59,7 +59,7 @@ jobs:
         with:
           distribution: ${{ matrix.distribution }}
           version: ${{ matrix.version }}
-          args: release --skip-publish --clean --snapshot
+          args: release --skip=publish --clean --snapshot
           workdir: ./test
 
   install-only:
@@ -69,34 +69,36 @@ jobs:
       matrix:
         version:
           - latest
-          - '~> 0.166'
+          - '~> 2.13'
         distribution:
           - goreleaser
           - goreleaser-pro
+        cosign:
+          - true
+          - false
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      -
-        name: GoReleaser
+      - name: Install cosign
+        if: matrix.cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - name: GoReleaser
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
         uses: ./
         with:
           distribution: ${{ matrix.distribution }}
           version: ${{ matrix.version }}
           install-only: true
-      -
-        name: Check
+      - name: Check
         if: ${{ !(github.event_name == 'pull_request' && matrix.distribution == 'goreleaser-pro') }}
         run: |
-          goreleaser check --debug
+          goreleaser check --verbose
 
   signing:
     runs-on: ${{ matrix.os }}
@@ -106,41 +108,36 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
-          - macOS-latest
+          - macos-latest
           - windows-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      -
-        name: Import GPG key
+      - name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY_TEST }}
           passphrase: ${{ secrets.PASSPHRASE_TEST }}
-      -
-        name: Check
+      - name: Check
         uses: ./
         with:
           version: latest
-          args: -f .goreleaser-signing.yml check --debug
+          args: -f .goreleaser-signing.yml check --verbose
           workdir: ./test
         env:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
-      -
-        name: GoReleaser
+      - name: GoReleaser
         uses: ./
         with:
           version: latest
-          args: -f .goreleaser-signing.yml release --skip-publish --clean --snapshot
+          args: -f .goreleaser-signing.yml release --skip=publish --clean --snapshot
           workdir: ./test
         env:
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
@@ -148,31 +145,26 @@ jobs:
   upload-artifact:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      -
-        name: Check
+      - name: Check
         uses: ./
         with:
-          args: check --debug
+          args: check --verbose
           workdir: ./test
-      -
-        name: GoReleaser
+      - name: GoReleaser
         uses: ./
         with:
-          args: release --skip-publish --clean --snapshot
+          args: release --skip=publish --clean --snapshot
           workdir: ./test
-      -
-        name: Upload assets
-        uses: actions/upload-artifact@v3
+      - name: Upload assets
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: myapp
           path: ./test/dist/*
@@ -180,24 +172,20 @@ jobs:
   dist:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      -
-        name: GoReleaser
+      - name: GoReleaser
         uses: ./
         with:
-          args: release --config .goreleaser-dist.yml --skip-publish --clean --snapshot
+          args: release --config .goreleaser-dist.yml --skip=publish --clean --snapshot
           workdir: ./test
-      -
-        name: Check dist
+      - name: Check dist
         run: |
           tree -nh ./test/_output
 
@@ -208,33 +196,30 @@ jobs:
       matrix:
         os:
           - ubuntu-latest
-          - macOS-latest
+          - macos-latest
           - windows-latest
         distribution:
           - goreleaser-pro
           - goreleaser
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v4
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: 1.18
-      -
-        name: GoReleaser
+      - name: GoReleaser
         uses: ./
         with:
           install-only: true
           distribution: ${{ matrix.distribution }}
           version: nightly
-      -
-        name: Check
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check
         run: |
           goreleaser check -f ./test/.goreleaser.yml
           goreleaser --version
           goreleaser --version | grep nightly
-

.github/workflows/release-major-tag.yml

@@ -0,0 +1,42 @@
+name: release major tag
+
+run-name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      target:
+        description: The tag, branch, or SHA the major version should point to (e.g. v7.1.0)
+        required: true
+      major_version:
+        type: choice
+        description: The major version tag to move
+        options:
+          - v7
+          - v6
+          - v5
+          - v4
+          - v3
+          - v2
+          - v1
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: write
+
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Git config
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
+        run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
+      - name: Push
+        run: git push origin ${{ github.event.inputs.major_version }} --force

.github/workflows/test.yml

@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -15,18 +19,24 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
-      -
-        name: Test
-        uses: docker/bake-action@v3
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          targets: test
-      -
-        name: Upload coverage
-        uses: codecov/codecov-action@v3
+          node-version-file: '.node-version'
+          cache: npm
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - name: Install dependencies
+        run: npm ci
+      - name: Test
+        run: npm test
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload coverage
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
         with:
-          file: ./coverage/clover.xml
+          files: ./coverage/clover.xml

.github/workflows/validate.yml

@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -12,34 +16,68 @@ on:
   pull_request:
 
 jobs:
-  prepare:
+  lint:
     runs-on: ubuntu-latest
-    outputs:
-      targets: ${{ steps.targets.outputs.matrix }}
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Targets matrix
-        id: targets
-        run: |
-          echo "matrix=$(docker buildx bake validate --print | jq -cr '.group.validate.targets')" >> $GITHUB_OUTPUT
-
-  validate:
-    runs-on: ubuntu-latest
-    needs:
-      - prepare
-    strategy:
-      fail-fast: false
-      matrix:
-        target: ${{ fromJson(needs.prepare.outputs.targets) }}
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Validate
-        uses: docker/bake-action@v3
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          targets: ${{ matrix.target }}
+          node-version-file: '.node-version'
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Format check
+        run: npm run format-check
+      - name: Lint
+        run: npm run lint
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
+        with:
+          node-version-file: '.node-version'
+          cache: npm
+      - name: Install dependencies
+        run: npm ci --ignore-scripts
+      - name: Rebuild dist
+        run: npm run build
+      - name: Compare dist
+        id: diff
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build. Run 'npm run build' and commit dist/." >&2
+            git diff dist
+            exit 1
+          fi
+      - name: Upload built dist on failure
+        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: dist
+          path: dist
+
+  vendor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Setup Node.js
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.0.0
+        with:
+          node-version-file: '.node-version'
+          cache: npm
+      - name: Refresh package-lock.json
+        run: npm install --package-lock-only
+      - name: Compare package-lock.json
+        run: |
+          if [ -n "$(git status --porcelain -- package-lock.json)" ]; then
+            echo "package-lock.json is out of sync with package.json. Run 'npm install' and commit." >&2
+            git diff package-lock.json
+            exit 1
+          fi

.gitignore

@@ -4,8 +4,6 @@
 logs
 *.log
 npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
 lerna-debug.log*
 .pnpm-debug.log*
 
@@ -35,8 +33,6 @@ jspm_packages/
 # Optional eslint cache
 .eslintcache
 
-# Yarn Integrity file
-.yarn-integrity
 
 # dotenv environment variable files
 .env
@@ -44,10 +40,4 @@ jspm_packages/
 .env.test.local
 .env.production.local
 .env.local
-
-# yarn v2
-.yarn/cache
-.yarn/unplugged
-.yarn/build-state.yml
-.yarn/install-state.gz
-.pnp.*
+provenance.json

.kodiak.toml

@@ -1,15 +0,0 @@
-version = 1
-
-[merge]
-automerge_label = "automerge"
-blacklist_title_regex = "^WIP.*"
-method = "squash"
-delete_branch_on_merge = true
-block_on_reviews_requested = false
-notify_on_conflict = true
-optimistic_updates = true
-
-[merge.message]
-title = "pull_request_title"
-include_pr_number = true
-body_type = "markdown"

.node-version

@@ -0,0 +1 @@
+24

.yarnrc.yml

@@ -1,15 +0,0 @@
-logFilters:
-  - code: YN0013
-    level: discard
-  - code: YN0019
-    level: discard
-  - code: YN0076
-    level: discard
-
-nodeLinker: node-modules
-
-plugins:
-  - path: .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs
-    spec: "@yarnpkg/plugin-interactive-tools"
-
-yarnPath: .yarn/releases/yarn-3.6.3.cjs

CONTRIBUTING.md

@@ -0,0 +1,89 @@
+# Contributing
+
+Thanks for your interest in contributing!
+
+## Prerequisites
+
+- [Node.js](https://nodejs.org/) — version pinned in [`.node-version`](./.node-version).
+  Tools like [`nvm`](https://github.com/nvm-sh/nvm), [`fnm`](https://github.com/Schniz/fnm),
+  [`asdf`](https://asdf-vm.com/), or [`mise`](https://mise.jdx.dev/) read this file
+  automatically.
+- [`cosign`](https://docs.sigstore.dev/cosign/installation/) — only required if you
+  want to run the signature-verification integration tests locally.
+
+## Setup
+
+```sh
+npm ci
+```
+
+## Pre-commit checklist
+
+Before committing changes to `src/`, `__tests__/`, `package.json`,
+`package-lock.json`, or `action.yml`:
+
+```sh
+npm run pre-checkin
+```
+
+That runs `format` + `build` + `test` — the same checks CI runs.
+
+Then commit `dist/` along with your source changes; the action runtime loads
+`dist/index.js` directly, so it must stay in sync.
+
+If CI's `validate / build` job fails because `dist/` differs from a fresh
+build, just download the `dist` artifact from the failed run and commit it —
+or rerun `npm run build` locally with the Node version in `.node-version`.
+
+## npm scripts
+
+| Script              | Purpose                                          |
+| ------------------- | ------------------------------------------------ |
+| `npm run build`     | Bundle `src/` to `dist/index.js` via `ncc`       |
+| `npm run format`    | Run Prettier (write)                             |
+| `npm run format-check` | Run Prettier (check only, used in CI)         |
+| `npm run lint`      | Run ESLint (check only, used in CI)              |
+| `npm run lint:fix`  | Run ESLint with `--fix`                          |
+| `npm test`          | Run Jest with coverage                           |
+| `npm run pre-checkin` | `format` + `lint:fix` + `build` + `test`       |
+
+## Tests
+
+`npm test` runs the full Jest suite, including integration tests that:
+
+- Download real GoReleaser releases from GitHub
+- Verify `checksums.txt` against the downloaded archive
+- Verify the cosign sigstore bundle (skipped if `cosign` isn't on `PATH`,
+  but the CI image always has it installed)
+
+These need outbound network access. Offline / restrictive-proxy runs will
+have those tests fail — that's expected.
+
+## Commit messages
+
+Use [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`,
+`fix:`, `test:`, `docs:`, `chore:`, `ci:`, …). Keep the subject ≤72 chars.
+
+## Pull requests
+
+- Target `master`.
+- Make sure `npm run pre-checkin` passes.
+- One logical change per PR is easier to review.
+- The `signing` CI job and `goreleaser-pro` matrix entries are skipped on PRs
+  from forks because they need repository secrets — that's expected and not
+  something you need to fix.
+
+## Releasing (maintainers)
+
+1. Create a new GitHub Release with a semver tag (e.g. `v7.1.0`) — either
+   through the UI or `gh release create v7.1.0 --generate-notes`.
+2. Once the release exists, run the [**release major tag**](./.github/workflows/release-major-tag.yml)
+   workflow from the Actions tab:
+   - `target`: the new tag (e.g. `v7.1.0`)
+   - `major_version`: the major version to repoint (e.g. `v7`)
+
+   This force-pushes the major tag to the new release so consumers using
+   `goreleaser/goreleaser-action@v7` pick up the change.
+
+   The same workflow doubles as a rollback tool — pass an older tag as
+   `target` to revert the major.

README.md

@@ -16,6 +16,7 @@ ___
 
 * [Usage](#usage)
   * [Workflow](#workflow)
+  * [Verification](#verification)
   * [Run on new tag](#run-on-new-tag)
   * [Signing](#signing)
   * [Upload artifacts](#upload-artifacts)
@@ -31,7 +32,7 @@ ___
 ## Usage
 
 GoReleaser Action runs [goreleaser][], please follow its [docs][gdocs] for
-more information about how to customize what GoReleaser do.
+more information about how to customize what GoReleaser does.
 
 [goreleaser]: https://goreleaser.com/
 [gdocs]: https://goreleaser.com/customization
@@ -54,19 +55,20 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       -
         name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v6
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v7
         with:
           # either 'goreleaser' (default) or 'goreleaser-pro'
           distribution: goreleaser
-          version: latest
+          # 'latest', 'nightly', or a semver
+          version: '~> v2'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -76,6 +78,49 @@ jobs:
 
 > **IMPORTANT**: note the `fetch-depth: 0` input in `Checkout` step. It is required  for the changelog to work correctly.
 
+### Verification
+
+The action verifies the integrity of the downloaded GoReleaser archive
+against the published `checksums.txt` automatically — no configuration
+required.
+
+If [`cosign`](https://docs.sigstore.dev/cosign/) is available on `PATH`, the
+action will additionally verify the cosign sigstore signature of the
+checksums file against the GoReleaser release workflow's OIDC identity. If
+`cosign` isn't installed, this step is silently skipped.
+
+> **Note**: cosign signature verification requires GoReleaser **v2.13.0 or
+> newer** (and the matching `nightly`). Earlier releases ship a `.sig`
+> detached signature signed with cosign v2, which is not compatible with
+> the cosign v3 sigstore-bundle format the action verifies. For older
+> versions the cosign step is silently skipped — only the `checksums.txt`
+> SHA-256 verification runs.
+
+> **Note**: when `version: nightly` is used, the action resolves the
+> latest immutable `vX.Y.Z-<sha>-nightly` release from the GitHub
+> Releases API. Pass `GITHUB_TOKEN` to the action step (as in the example
+> above) to avoid unauthenticated API rate limits.
+
+To enable signature verification, install cosign before running the action:
+
+```yaml
+      -
+        name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```
+
+Both checksum and signature verification work for tagged releases (≥ v2.13.0)
+and the `nightly` channel.
+
 ### Run on new tag
 
 If you want to run GoReleaser only on new tag, you can use this event:
@@ -92,10 +137,10 @@ Or with a condition on GoReleaser step:
 ```yaml
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v7
         if: startsWith(github.ref, 'refs/tags/')
         with:
-          version: latest
+          version: '~> v2'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -112,15 +157,15 @@ the [Import GPG](https://github.com/crazy-max/ghaction-import-gpg) GitHub Action
       -
         name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@v5
+        uses: crazy-max/ghaction-import-gpg@v7
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v7
         with:
-          version: latest
+          version: '~> v2'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -138,21 +183,21 @@ signs:
 ### Upload artifacts
 
 For some events like pull request or schedule you might want to store the artifacts somewhere for testing
-purpose. You can do that with the [actions/upload-artifact](https://github.com/actions/upload-artifact) action:
+purposes. You can do that with the [actions/upload-artifact](https://github.com/actions/upload-artifact) action:
 
 ```yaml
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v7
         with:
-          version: latest
+          version: '~> v2'
           args: release --clean
           workdir: myfolder
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Upload assets
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v6
         with:
           name: myapp
           path: myfolder/dist/*
@@ -164,7 +209,7 @@ purpose. You can do that with the [actions/upload-artifact](https://github.com/a
 steps:
   -
     name: Install GoReleaser
-    uses: goreleaser/goreleaser-action@v4
+    uses: goreleaser/goreleaser-action@v7
     with:
       install-only: true
   -
@@ -181,12 +226,29 @@ Following inputs can be used as `step.with` keys
 | Name             | Type    | Default      | Description                                                      |
 |------------------|---------|--------------|------------------------------------------------------------------|
 | `distribution`   | String  | `goreleaser` | GoReleaser distribution, either `goreleaser` or `goreleaser-pro` |
-| `version`**¹**   | String  | `latest`     | GoReleaser version                                               |
+| `version`**¹**   | String  | `~> v2`      | GoReleaser version                                               |
+| `version-file`**²** | String  |              | Read the GoReleaser version from a file (see below)              |
 | `args`           | String  |              | Arguments to pass to GoReleaser                                  |
 | `workdir`        | String  | `.`          | Working directory (below repository root)                        |
 | `install-only`   | Bool    | `false`      | Just install GoReleaser                                          |
 
 > **¹** Can be a fixed version like `v0.117.0` or a max satisfying semver one like `~> 0.132`. In this case this will return `v0.132.1`.
+>
+> **²** Path to a file containing the GoReleaser version. Resolved relative
+> to `workdir`. Currently only [`.tool-versions`](https://asdf-vm.com/manage/configuration.html#tool-versions)
+> (asdf/mise) format is supported. When set, this takes precedence over `version`.
+>
+> ```yaml
+> # .tool-versions
+> goreleaser 2.13.0
+> ```
+>
+> ```yaml
+> - uses: goreleaser/goreleaser-action@v7
+>   with:
+>     version-file: .tool-versions
+>     args: release --clean
+> ```
 
 ### outputs
 
@@ -218,9 +280,9 @@ secret named `GH_PAT`, the step will look like this:
 ```yaml
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@v7
         with:
-          version: latest
+          version: '~> v2'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}
@@ -232,15 +294,16 @@ If you need the auto-snapshot feature, take a look at [this example repository](
 
 ## Development
 
+See [CONTRIBUTING.md](./CONTRIBUTING.md) for the full development workflow.
+
+Quick reference:
+
 ```
-# format code and build javascript artifacts
-docker buildx bake pre-checkin
+# install dependencies
+npm ci
 
-# validate all code has correctly formatted and built
-docker buildx bake validate
-
-# run tests
-docker buildx bake test
+# format, build dist/, and run tests
+npm run pre-checkin
 ```
 
 ## License

__tests__/github.test.ts

@@ -22,7 +22,7 @@ describe('getRelease', () => {
 
   it('unknown GoReleaser release', async () => {
     await expect(github.getRelease('goreleaser', 'foo')).rejects.toThrow(
-      new Error('Cannot find GoReleaser release foo in https://goreleaser.com/static/releases.json')
+      new Error('Cannot find GoReleaser release foo in https://goreleaser.com/releases.json')
     );
   });
 
@@ -32,18 +32,42 @@ describe('getRelease', () => {
     expect(release?.tag_name).not.toEqual('');
   });
 
-  it('returns nightly GoReleaser GitHub release', async () => {
-    const release = await github.getRelease('goreleaser', 'nightly');
+  it('returns latest v1 GoReleaser Pro GitHub release', async () => {
+    const release = await github.getRelease('goreleaser-pro', '~> v1');
     expect(release).not.toBeNull();
     expect(release?.tag_name).not.toEqual('');
   });
 
-  it('returns nightly GoReleaser Pro GitHub release', async () => {
-    const release = await github.getRelease('goreleaser-pro', 'nightly');
+  it('returns latest v1 GoReleaser GitHub release', async () => {
+    const release = await github.getRelease('goreleaser', '~> v1');
     expect(release).not.toBeNull();
     expect(release?.tag_name).not.toEqual('');
   });
 
+  it('returns latest v2 GoReleaser Pro GitHub release', async () => {
+    const release = await github.getRelease('goreleaser-pro', '~> v2');
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).not.toEqual('');
+  });
+
+  it('returns latest v2 GoReleaser GitHub release', async () => {
+    const release = await github.getRelease('goreleaser', '~> v2');
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).not.toEqual('');
+  });
+
+  it('resolves nightly to a <version>-<sha>-nightly release for OSS GoReleaser', async () => {
+    const release = await github.getRelease('goreleaser', 'nightly');
+    expect(release).not.toBeNull();
+    expect(release.tag_name).toMatch(github.nightlyTagRegex);
+  });
+
+  it('resolves nightly to a <version>-<sha>-nightly release for GoReleaser Pro', async () => {
+    const release = await github.getRelease('goreleaser-pro', 'nightly');
+    expect(release).not.toBeNull();
+    expect(release.tag_name).toMatch(github.nightlyTagRegex);
+  });
+
   it('returns v0.182.0 GoReleaser Pro GitHub release', async () => {
     const release = await github.getRelease('goreleaser-pro', 'v0.182.0');
     expect(release).not.toBeNull();
@@ -56,9 +80,27 @@ describe('getRelease', () => {
     expect(release?.tag_name).toEqual('v0.182.1-pro');
   });
 
+  it('returns v2.7.0 GoReleaser Pro GitHub release', async () => {
+    const release = await github.getRelease('goreleaser-pro', '~> v2.7');
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).toEqual('v2.7.0');
+  });
+
+  it('skips JSON check for specific version v2.8.1', async () => {
+    const release = await github.getRelease('goreleaser', 'v2.8.1');
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).toEqual('v2.8.1');
+  });
+
+  it('skips JSON check for specific version without v prefix', async () => {
+    const release = await github.getRelease('goreleaser', '2.8.1');
+    expect(release).not.toBeNull();
+    expect(release?.tag_name).toEqual('v2.8.1');
+  });
+
   it('unknown GoReleaser Pro release', async () => {
     await expect(github.getRelease('goreleaser-pro', 'foo')).rejects.toThrow(
-      new Error('Cannot find GoReleaser release foo-pro in https://goreleaser.com/static/releases-pro.json')
+      new Error('Cannot find GoReleaser release foo in https://goreleaser.com/releases-pro.json')
     );
   });
 });

__tests__/goreleaser.test.ts

@@ -1,20 +1,55 @@
 import {describe, expect, it} from '@jest/globals';
 import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import * as io from '@actions/io';
 import * as goreleaser from '../src/goreleaser';
 
 describe('install', () => {
-  it('acquires v0.182.0 version of GoReleaser', async () => {
-    const bin = await goreleaser.install('goreleaser', 'v0.182.0');
-    expect(fs.existsSync(bin)).toBe(true);
-  }, 100000);
-
   it('acquires latest version of GoReleaser', async () => {
     const bin = await goreleaser.install('goreleaser', 'latest');
     expect(fs.existsSync(bin)).toBe(true);
   }, 100000);
 
-  it('acquires v0.182.0-pro version of GoReleaser Pro', async () => {
-    const bin = await goreleaser.install('goreleaser-pro', 'v0.182.0-pro');
+  it('acquires latest v2 version of GoReleaser', async () => {
+    const bin = await goreleaser.install('goreleaser', '~> v2');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 100000);
+
+  // The following pinned versions exercise install across release eras to
+  // guard against regressions in checksum handling and the cosign skip path:
+  //   - v0.182.0  : pre-checksums-signing era
+  //   - v1.26.2   : cosign v2 detached `.sig` only
+  //   - v2.12.4   : last release before sigstore bundles (cosign skipped)
+  //   - v2.13.0   : first release with cosign v3 sigstore bundle
+  //   - v2.15.3   : recent release with sigstore bundle
+  it('acquires v0.182.0 (pre-signing) version of GoReleaser', async () => {
+    const bin = await goreleaser.install('goreleaser', 'v0.182.0');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 100000);
+
+  it('acquires v1.26.2 (cosign v2 .sig) version of GoReleaser', async () => {
+    const bin = await goreleaser.install('goreleaser', 'v1.26.2');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 100000);
+
+  it('acquires v2.12.4 (last pre-sigstore-bundle) version of GoReleaser', async () => {
+    const bin = await goreleaser.install('goreleaser', 'v2.12.4');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 100000);
+
+  it('acquires v2.13.0 (minimum cosign-verifiable) version of GoReleaser', async () => {
+    const bin = await goreleaser.install('goreleaser', 'v2.13.0');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 100000);
+
+  it('acquires v2.15.3 (recent sigstore-bundle) version of GoReleaser', async () => {
+    const bin = await goreleaser.install('goreleaser', 'v2.15.3');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 100000);
+
+  it('acquires latest v2 version of GoReleaser Pro', async () => {
+    const bin = await goreleaser.install('goreleaser-pro', '~> v2');
     expect(fs.existsSync(bin)).toBe(true);
   }, 100000);
 
@@ -33,3 +68,100 @@ describe('distribSuffix', () => {
     expect(goreleaser.distribSuffix('goreleaser')).toEqual('');
   });
 });
+
+describe('findChecksum', () => {
+  const sample = [
+    '*malformed-line',
+    '',
+    'abc123  goreleaser_Linux_x86_64.tar.gz',
+    'def456 *goreleaser_Darwin_all.tar.gz',
+    '789xyz  checksums.txt'
+  ].join('\n');
+
+  it('finds a checksum by filename', () => {
+    expect(goreleaser.findChecksum(sample, 'goreleaser_Linux_x86_64.tar.gz')).toEqual('abc123');
+  });
+
+  it('strips a leading asterisk on the filename (binary mode)', () => {
+    expect(goreleaser.findChecksum(sample, 'goreleaser_Darwin_all.tar.gz')).toEqual('def456');
+  });
+
+  it('returns undefined when not present', () => {
+    expect(goreleaser.findChecksum(sample, 'missing.tar.gz')).toBeUndefined();
+  });
+});
+
+describe('getCertificateIdentity', () => {
+  it('returns the OSS workflow identity for tagged releases', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.15.3')).toEqual(
+      'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/v2.15.3'
+    );
+  });
+
+  it('returns the Pro internal workflow identity for tagged releases', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'v2.15.3')).toEqual(
+      'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/v2.15.3'
+    );
+  });
+
+  it('uses nightly-oss.yml@refs/heads/main for OSS nightly tag', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser', 'v2.16.0-abc1234-nightly')).toEqual(
+      'https://github.com/goreleaser/goreleaser/.github/workflows/nightly-oss.yml@refs/heads/main'
+    );
+  });
+
+  it('uses nightly-pro.yml@refs/heads/main for Pro nightly tag', () => {
+    expect(goreleaser.getCertificateIdentity('goreleaser-pro', 'v2.16.0-eaeb08c50-nightly')).toEqual(
+      'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/nightly-pro.yml@refs/heads/main'
+    );
+  });
+});
+
+describe('verifyChecksum', () => {
+  const requireCosign = async (): Promise<void> => {
+    const cosign = await io.which('cosign', false);
+    if (!cosign) {
+      throw new Error(
+        'cosign must be installed in PATH to run this integration test (apk add cosign / sigstore/cosign-installer)'
+      );
+    }
+  };
+
+  it('verifies a tagged OSS release end-to-end with cosign', async () => {
+    await requireCosign();
+    const bin = await goreleaser.install('goreleaser', 'v2.15.3');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 120000);
+
+  it('verifies the OSS nightly release end-to-end with cosign', async () => {
+    await requireCosign();
+    const bin = await goreleaser.install('goreleaser', 'nightly');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 120000);
+
+  it('installs a pre-v2.13 release (no sigstore bundle) without failing when cosign is present', async () => {
+    // v2.12.x is the last release that did NOT publish checksums.txt.sigstore.json.
+    // The action must still install it cleanly: checksum verified, cosign step skipped.
+    await requireCosign();
+    const bin = await goreleaser.install('goreleaser', 'v2.12.4');
+    expect(fs.existsSync(bin)).toBe(true);
+  }, 120000);
+
+  it('throws on checksum mismatch', async () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
+    const archive = path.join(dir, 'fake.tar.gz');
+    fs.writeFileSync(archive, 'tampered content');
+    await expect(
+      goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'goreleaser_Linux_x86_64.tar.gz')
+    ).rejects.toThrow(/Checksum mismatch/);
+  }, 60000);
+
+  it('throws when the filename is not in checksums.txt', async () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'gha-'));
+    const archive = path.join(dir, 'whatever.tar.gz');
+    fs.writeFileSync(archive, '');
+    await expect(
+      goreleaser.verifyChecksum('goreleaser', 'v2.15.3', archive, 'not-a-real-asset.tar.gz')
+    ).rejects.toThrow(/Could not find not-a-real-asset.tar.gz in checksums.txt/);
+  }, 60000);
+});

__tests__/version.test.ts

@@ -0,0 +1,117 @@
+import {describe, expect, it, beforeEach, afterEach} from '@jest/globals';
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+import {getRequestedVersion} from '../src/version';
+import {Inputs} from '../src/context';
+
+const baseInputs = (overrides: Partial<Inputs>): Inputs => ({
+  distribution: 'goreleaser',
+  version: '~> v2',
+  versionFile: '',
+  args: '',
+  workdir: '.',
+  installOnly: false,
+  ...overrides
+});
+
+describe('getRequestedVersion', () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'goreleaser-version-'));
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmpDir, {recursive: true, force: true});
+  });
+
+  const writeToolVersions = (content: string, name = '.tool-versions'): void => {
+    fs.writeFileSync(path.join(tmpDir, name), content);
+  };
+
+  describe('without version-file', () => {
+    it('returns the version input as-is', () => {
+      expect(getRequestedVersion(baseInputs({version: 'v1.2.3'}))).toBe('v1.2.3');
+    });
+
+    it('returns the default version when none is provided', () => {
+      expect(getRequestedVersion(baseInputs({version: '~> v2'}))).toBe('~> v2');
+    });
+  });
+
+  describe('with .tool-versions', () => {
+    it('parses an unprefixed version and adds the v prefix', () => {
+      writeToolVersions('goreleaser 1.2.3\n');
+      expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v1.2.3');
+    });
+
+    it('keeps an existing v prefix without doubling it', () => {
+      writeToolVersions('goreleaser v1.2.3\n');
+      expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v1.2.3');
+    });
+
+    it('takes precedence over the version input', () => {
+      writeToolVersions('goreleaser 1.2.3\n');
+      expect(getRequestedVersion(baseInputs({version: 'v9.9.9', versionFile: '.tool-versions', workdir: tmpDir}))).toBe(
+        'v1.2.3'
+      );
+    });
+
+    it('ignores other tools and picks goreleaser', () => {
+      writeToolVersions(['nodejs 20.10.0', 'goreleaser 2.13.0', 'python 3.12.1', ''].join('\n'));
+      expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v2.13.0');
+    });
+
+    it('skips full-line and inline comments', () => {
+      writeToolVersions(['# pinned for CI', 'goreleaser 2.13.0 # minimum cosign-verifiable', ''].join('\n'));
+      expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v2.13.0');
+    });
+
+    it('preserves "latest"', () => {
+      writeToolVersions('goreleaser latest\n');
+      expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('latest');
+    });
+
+    it('uses only the first version when multiple fallbacks are listed', () => {
+      // asdf supports listing fallback versions; we install the first match.
+      writeToolVersions('goreleaser 2.13.0 2.12.4\n');
+      expect(getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toBe('v2.13.0');
+    });
+
+    it('accepts an absolute path and ignores workdir', () => {
+      const abs = path.join(tmpDir, '.tool-versions');
+      fs.writeFileSync(abs, 'goreleaser 2.13.0\n');
+      expect(getRequestedVersion(baseInputs({versionFile: abs, workdir: '/nonexistent'}))).toBe('v2.13.0');
+    });
+
+    it('throws when the file does not exist', () => {
+      expect(() => getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toThrow(
+        /version-file not found/
+      );
+    });
+
+    it('throws when the file has no goreleaser entry', () => {
+      writeToolVersions(['nodejs 20.10.0', 'python 3.12.1', ''].join('\n'));
+      expect(() => getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toThrow(
+        /No goreleaser entry/
+      );
+    });
+
+    it('throws when the goreleaser entry has no version', () => {
+      writeToolVersions('goreleaser\n');
+      expect(() => getRequestedVersion(baseInputs({versionFile: '.tool-versions', workdir: tmpDir}))).toThrow(
+        /No version specified for goreleaser/
+      );
+    });
+  });
+
+  describe('with an unsupported file', () => {
+    it('throws a clear error', () => {
+      fs.writeFileSync(path.join(tmpDir, '.go-version'), '1.2.3\n');
+      expect(() => getRequestedVersion(baseInputs({versionFile: '.go-version', workdir: tmpDir}))).toThrow(
+        /Unsupported version-file/
+      );
+    });
+  });
+});

action.yml

@@ -13,7 +13,13 @@ inputs:
     required: false
   version:
     description: 'GoReleaser version'
-    default: 'latest'
+    default: '~> v2'
+    required: false
+  version-file:
+    description: |
+      Read the GoReleaser version from a file. Path is resolved relative to
+      `workdir`. Currently only `.tool-versions` (asdf/mise) is supported.
+      When set, takes precedence over `version`.
     required: false
   args:
     description: 'Arguments to pass to GoReleaser'
@@ -34,5 +40,5 @@ outputs:
     description: 'Build result metadata'
 
 runs:
-  using: 'node20'
+  using: 'node24'
   main: 'dist/index.js'

dev.Dockerfile

@@ -1,77 +0,0 @@
-# syntax=docker/dockerfile:1
-
-ARG NODE_VERSION=20
-
-FROM node:${NODE_VERSION}-alpine AS base
-RUN apk add --no-cache cpio findutils git
-RUN yarn config set --home enableTelemetry 0
-WORKDIR /src
-
-FROM base AS deps
-RUN --mount=type=bind,target=.,rw \
-  --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn install && mkdir /vendor && cp yarn.lock /vendor
-
-FROM scratch AS vendor-update
-COPY --from=deps /vendor /
-
-FROM deps AS vendor-validate
-RUN --mount=type=bind,target=.,rw <<EOT
-  set -e
-  git add -A
-  cp -rf /vendor/* .
-  if [ -n "$(git status --porcelain -- yarn.lock)" ]; then
-    echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
-    git status --porcelain -- yarn.lock
-    exit 1
-  fi
-EOT
-
-FROM deps AS build
-RUN --mount=type=bind,target=.,rw \
-  --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run build && mkdir /out && cp -Rf dist /out/
-
-FROM scratch AS build-update
-COPY --from=build /out /
-
-FROM build AS build-validate
-RUN --mount=type=bind,target=.,rw <<EOT
-  set -e
-  git add -A
-  cp -rf /out/* .
-  if [ -n "$(git status --porcelain -- dist)" ]; then
-    echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
-    git status --porcelain -- dist
-    exit 1
-  fi
-EOT
-
-FROM deps AS format
-RUN --mount=type=bind,target=.,rw \
-  --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run format \
-  && mkdir /out && find . -name '*.ts' -not -path './node_modules/*' -not -path './.yarn/*' | cpio -pdm /out
-
-FROM scratch AS format-update
-COPY --from=format /out /
-
-FROM deps AS lint
-RUN --mount=type=bind,target=.,rw \
-  --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run lint
-
-FROM deps AS test
-ENV RUNNER_TEMP=/tmp/github_runner
-ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
-RUN --mount=type=bind,target=.,rw \
-  --mount=type=cache,target=/src/.yarn/cache \
-  --mount=type=cache,target=/src/node_modules \
-  yarn run test --coverage --coverageDirectory=/tmp/coverage
-
-FROM scratch AS test-coverage
-COPY --from=test /tmp/coverage /

dist/licenses.txt

@@ -75,7 +75,7 @@ ansi-regex
 MIT
 MIT License
 
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
@@ -88,7 +88,7 @@ ansi-styles
 MIT
 MIT License
 
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
@@ -115,42 +115,6 @@ WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
 ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
-color-convert
-MIT
-Copyright (c) 2011-2016 Heather Arthur <fayearthur@gmail.com>
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-
-color-name
-MIT
-The MIT License (MIT)
-Copyright (c) 2015 Dmitry Ivanov
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 emoji-regex
 MIT
 Copyright Mathias Bynens <https://mathiasbynens.be/>
@@ -198,11 +162,11 @@ Permission to use, copy, modify, and/or distribute this software for any purpose
 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 
-is-fullwidth-code-point
+get-east-asian-width
 MIT
 MIT License
 
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
@@ -236,51 +200,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
-lru-cache
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
-require-directory
-MIT
-The MIT License (MIT)
-
-Copyright (c) 2011 Troy Goode <troygoode@gmail.com>
-
-Permission is hereby granted, free of charge, to any person obtaining a
-copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be included
-in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
-IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
-CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
-TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
 semver
 ISC
 The ISC License
@@ -304,7 +223,7 @@ string-width
 MIT
 MIT License
 
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
@@ -317,7 +236,7 @@ strip-ansi
 MIT
 MIT License
 
-Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
+Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
@@ -351,17 +270,29 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
-uuid
+undici
 MIT
-The MIT License (MIT)
+MIT License
 
-Copyright (c) 2010-2020 Robert Kieffer and other contributors
+Copyright (c) Matteo Collina and Undici contributors
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
 
 
 wrap-ansi
@@ -394,25 +325,6 @@ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
 THIS SOFTWARE.
 
 
-yallist
-ISC
-The ISC License
-
-Copyright (c) Isaac Z. Schlueter and Contributors
-
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-
 yargs
 MIT
 MIT License

dist/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

docker-bake.hcl

@@ -1,53 +0,0 @@
-group "default" {
-  targets = ["build"]
-}
-
-group "pre-checkin" {
-  targets = ["vendor", "format", "build"]
-}
-
-group "validate" {
-  targets = ["lint", "build-validate", "vendor-validate"]
-}
-
-target "build" {
-  dockerfile = "dev.Dockerfile"
-  target = "build-update"
-  output = ["."]
-}
-
-target "build-validate" {
-  dockerfile = "dev.Dockerfile"
-  target = "build-validate"
-  output = ["type=cacheonly"]
-}
-
-target "format" {
-  dockerfile = "dev.Dockerfile"
-  target = "format-update"
-  output = ["."]
-}
-
-target "lint" {
-  dockerfile = "dev.Dockerfile"
-  target = "lint"
-  output = ["type=cacheonly"]
-}
-
-target "vendor" {
-  dockerfile = "dev.Dockerfile"
-  target = "vendor-update"
-  output = ["."]
-}
-
-target "vendor-validate" {
-  dockerfile = "dev.Dockerfile"
-  target = "vendor-validate"
-  output = ["type=cacheonly"]
-}
-
-target "test" {
-  dockerfile = "dev.Dockerfile"
-  target = "test-coverage"
-  output = ["./coverage"]
-}

jest.config.ts

@@ -1,11 +1,24 @@
-module.exports = {
+import type {Config} from 'jest';
+
+const config: Config = {
   clearMocks: true,
   moduleFileExtensions: ['js', 'ts'],
   setupFiles: ['dotenv/config', '<rootDir>/src/test_setup.ts'],
   testMatch: ['**/*.test.ts'],
   testTimeout: 30000,
   transform: {
-    '^.+\\.ts$': 'ts-jest'
+    '^.+\\.ts$': [
+      'ts-jest',
+      {
+        useESM: true
+      }
+    ]
+  },
+  extensionsToTreatAsEsm: ['.ts'],
+  moduleNameMapper: {
+    '^(\\.{1,2}/.*)\\.js$': '$1'
   },
   verbose: true
 };
+
+export default config;

package.json

@@ -2,16 +2,15 @@
   "name": "goreleaser-action",
   "description": "GitHub Action for GoReleaser, a release automation tool for Go projects",
   "main": "src/main.ts",
+  "type": "module",
   "scripts": {
-    "build": "ncc build src/main.ts --source-map --minify --license licenses.txt",
-    "lint": "yarn run prettier && yarn run eslint",
-    "format": "yarn run prettier:fix && yarn run eslint:fix",
-    "eslint": "eslint --max-warnings=0 .",
-    "eslint:fix": "eslint --fix .",
-    "prettier": "prettier --check \"./**/*.ts\"",
-    "prettier:fix": "prettier --write \"./**/*.ts\"",
-    "test": "jest",
-    "all": "yarn run build && yarn run format && yarn test"
+    "build": "ncc build src/main.ts --minify --license licenses.txt",
+    "format": "prettier --write \"**/*.ts\"",
+    "format-check": "prettier --check \"**/*.ts\"",
+    "lint": "eslint --max-warnings=0 \"**/*.ts\"",
+    "lint:fix": "eslint --fix \"**/*.ts\"",
+    "test": "NODE_OPTIONS='--experimental-vm-modules' jest --coverage",
+    "pre-checkin": "npm run format && npm run lint:fix && npm run build && npm test"
   },
   "repository": {
     "type": "git",
@@ -24,18 +23,18 @@
   ],
   "author": "CrazyMax",
   "license": "MIT",
-  "packageManager": "yarn@3.6.3",
+
   "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/http-client": "^2.1.1",
-    "@actions/tool-cache": "^2.0.1",
-    "js-yaml": "^4.1.0",
-    "semver": "^7.5.4",
-    "yargs": "^17.7.2"
+    "@actions/core": "^3.0.0",
+    "@actions/exec": "^3.0.0",
+    "@actions/http-client": "^4.0.0",
+    "@actions/tool-cache": "^4.0.0",
+    "js-yaml": "^4.1.1",
+    "semver": "^7.7.4",
+    "yargs": "^18.0.0"
   },
   "devDependencies": {
-    "@types/node": "^20.6.0",
+    "@types/node": "^24.0.0",
     "@typescript-eslint/eslint-plugin": "^6.6.0",
     "@typescript-eslint/parser": "^6.6.0",
     "@vercel/ncc": "^0.38.0",

src/context.ts

@@ -7,6 +7,7 @@ export const osArch: string = os.arch();
 export interface Inputs {
   distribution: string;
   version: string;
+  versionFile: string;
   args: string;
   workdir: string;
   installOnly: boolean;
@@ -15,7 +16,8 @@ export interface Inputs {
 export async function getInputs(): Promise<Inputs> {
   return {
     distribution: core.getInput('distribution') || 'goreleaser',
-    version: core.getInput('version') || 'latest',
+    version: core.getInput('version') || '~> v2',
+    versionFile: core.getInput('version-file'),
     args: core.getInput('args'),
     workdir: core.getInput('workdir') || '.',
     installOnly: core.getBooleanInput('install-only')

src/github.ts

@@ -3,52 +3,122 @@ import * as semver from 'semver';
 import * as core from '@actions/core';
 import * as httpm from '@actions/http-client';
 
+const maxRetries = 10;
+const timeoutMs = 1000;
+const withRetry = async <T>(operation: () => Promise<T>): Promise<T> => {
+  let lastError: Error;
+
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    try {
+      return await operation();
+    } catch (error) {
+      lastError = error as Error;
+
+      if (attempt === maxRetries) {
+        break;
+      }
+
+      core.debug(`Attempt ${attempt + 1} failed, retrying in ${timeoutMs}: ${lastError.message}`);
+      await new Promise(resolve => setTimeout(resolve, timeoutMs));
+    }
+  }
+
+  throw lastError;
+};
+
 export interface GitHubRelease {
   tag_name: string;
 }
 
+// Matches the new-style nightly release tag pattern: vX.Y.Z-<sha>-nightly
+export const nightlyTagRegex = /^v\d+\.\d+\.\d+-[0-9a-f]+-nightly$/i;
+
+export const isNightlyTag = (tag: string): boolean => {
+  return nightlyTagRegex.test(tag);
+};
+
 export const getRelease = async (distribution: string, version: string): Promise<GitHubRelease> => {
   if (version === 'latest') {
-    return getLatestRelease(distribution);
+    core.warning("You are using 'latest' as default version. Will lock to '~> v2'.");
+    return getReleaseTag(distribution, '~> v2');
   }
   return getReleaseTag(distribution, version);
 };
 
 export const getReleaseTag = async (distribution: string, version: string): Promise<GitHubRelease> => {
   if (version === 'nightly') {
-    return {tag_name: version};
+    return resolveNightly(distribution);
   }
+
+  // If version is a specific version (not a range), skip the JSON check
+  const cleanVersion: string = cleanTag(version);
+  if (semver.valid(cleanVersion)) {
+    let tag = version.startsWith('v') ? version : `v${version}`;
+
+    // Handle GoReleaser Pro suffix for versions < 2.7.0, but only if not already present
+    // TODO: remove all this `-pro` thing at some point.
+    if (goreleaser.isPro(distribution) && semver.lt(cleanVersion, '2.7.0') && !tag.endsWith('-pro')) {
+      tag = tag + goreleaser.distribSuffix(distribution);
+    }
+
+    return {tag_name: tag};
+  }
+
   const tag: string = (await resolveVersion(distribution, version)) || version;
   const suffix: string = goreleaser.distribSuffix(distribution);
-  const url = `https://goreleaser.com/static/releases${suffix}.json`;
-  const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
-  const resp: httpm.HttpClientResponse = await http.get(url);
-  const body = await resp.readBody();
-  const statusCode = resp.message.statusCode || 500;
-  if (statusCode >= 400) {
-    throw new Error(
-      `Failed to get GoReleaser release ${version}${suffix} from ${url} with status code ${statusCode}: ${body}`
-    );
-  }
-  const releases = <Array<GitHubRelease>>JSON.parse(body);
+  const url = `https://goreleaser.com/releases${suffix}.json`;
+
+  const releases = await withRetry(async () => {
+    const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
+    const resp: httpm.HttpClientResponse = await http.get(url);
+    const body = await resp.readBody();
+    const statusCode = resp.message.statusCode || 500;
+    if (statusCode >= 400) {
+      throw new Error(
+        `Failed to get GoReleaser release ${version} from ${url} with status code ${statusCode}: ${body}`
+      );
+    }
+    return <Array<GitHubRelease>>JSON.parse(body);
+  });
+
   const res = releases.filter(r => r.tag_name === tag).shift();
   if (res) {
     return res;
   }
-  throw new Error(`Cannot find GoReleaser release ${version}${suffix} in ${url}`);
+  throw new Error(`Cannot find GoReleaser release ${version} in ${url}`);
 };
 
-export const getLatestRelease = async (distribution: string): Promise<GitHubRelease> => {
-  const suffix: string = goreleaser.distribSuffix(distribution);
-  const url = `https://goreleaser.com/static/latest${suffix}`;
-  const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
-  const resp: httpm.HttpClientResponse = await http.get(url);
-  const body = await resp.readBody();
-  const statusCode = resp.message.statusCode || 500;
-  if (statusCode >= 400) {
-    throw new Error(`Failed to get GoReleaser release latest from ${url} with status code ${statusCode}: ${body}`);
+// resolveNightly looks up the latest immutable nightly release of the form
+// `vX.Y.Z-<sha>-nightly` on the GitHub releases of the given distribution.
+const resolveNightly = async (distribution: string): Promise<GitHubRelease> => {
+  const url = `https://api.github.com/repos/goreleaser/${distribution}/releases?per_page=100`;
+  core.debug(`Resolving latest nightly release from ${url}`);
+
+  const releases = await withRetry(async () => {
+    const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
+    const headers: {[name: string]: string} = {
+      Accept: 'application/vnd.github+json',
+      'X-GitHub-Api-Version': '2022-11-28'
+    };
+    const token = process.env.GITHUB_TOKEN;
+    if (token) {
+      headers['Authorization'] = `Bearer ${token}`;
+    }
+    const resp: httpm.HttpClientResponse = await http.get(url, headers);
+    const body = await resp.readBody();
+    const statusCode = resp.message.statusCode || 500;
+    if (statusCode >= 400) {
+      throw new Error(`Failed to list releases from ${url} with status code ${statusCode}: ${body}`);
+    }
+    return <Array<GitHubRelease>>JSON.parse(body);
+  });
+
+  const match = releases.find(r => nightlyTagRegex.test(r.tag_name));
+  if (!match) {
+    throw new Error(`No '<version>-<sha>-nightly' release found in ${url}`);
   }
-  return {tag_name: body};
+  core.info(`Resolved nightly to ${match.tag_name}`);
+  return match;
 };
 
 const resolveVersion = async (distribution: string, version: string): Promise<string | null> => {
@@ -60,7 +130,16 @@ const resolveVersion = async (distribution: string, version: string): Promise<st
 
   const cleanTags: Array<string> = allTags.map(tag => cleanTag(tag));
   const cleanVersion: string = cleanTag(version);
-  return semver.maxSatisfying(cleanTags, cleanVersion) + goreleaser.distribSuffix(distribution);
+  if (!semver.valid(cleanVersion) && !semver.validRange(cleanVersion)) {
+    // if the given version is invalid, return whatever we got.
+    return version;
+  }
+  const v = semver.maxSatisfying(cleanTags, cleanVersion);
+  if (semver.lt(v, '2.7.0')) {
+    // if its a version older than 2.7.0, append the suffix.
+    return v + goreleaser.distribSuffix(distribution);
+  }
+  return v;
 };
 
 interface GitHubTag {
@@ -68,12 +147,13 @@ interface GitHubTag {
 }
 
 const getAllTags = async (distribution: string): Promise<Array<string>> => {
-  const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
   const suffix: string = goreleaser.distribSuffix(distribution);
-  const url = `https://goreleaser.com/static/releases${suffix}.json`;
+  const url = `https://goreleaser.com/releases${suffix}.json`;
   core.debug(`Downloading ${url}`);
-  const getTags = http.getJson<Array<GitHubTag>>(url);
-  return getTags.then(response => {
+
+  return withRetry(async () => {
+    const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
+    const response = await http.getJson<Array<GitHubTag>>(url);
     if (response.result == null) {
       return [];
     }

src/goreleaser.ts

@@ -1,26 +1,26 @@
+import * as crypto from 'crypto';
 import * as fs from 'fs';
 import * as path from 'path';
-import * as util from 'util';
 import yaml from 'js-yaml';
 import * as context from './context';
 import * as github from './github';
 import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import * as io from '@actions/io';
 import * as tc from '@actions/tool-cache';
 
 export async function install(distribution: string, version: string): Promise<string> {
   const release: github.GitHubRelease = await github.getRelease(distribution, version);
   const filename = getFilename(distribution);
-  const downloadUrl = util.format(
-    'https://github.com/goreleaser/%s/releases/download/%s/%s',
-    distribution,
-    release.tag_name,
-    filename
-  );
+  const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${release.tag_name}`;
+  const downloadUrl = `${baseUrl}/${filename}`;
 
   core.info(`Downloading ${downloadUrl}`);
   const downloadPath: string = await tc.downloadTool(downloadUrl);
   core.debug(`Downloaded to ${downloadPath}`);
 
+  await verifyChecksum(distribution, release.tag_name, downloadPath, filename);
+
   core.info('Extracting GoReleaser');
   let extPath: string;
   if (context.osPlat == 'win32') {
@@ -45,6 +45,92 @@ export async function install(distribution: string, version: string): Promise<st
   return exePath;
 }
 
+export async function verifyChecksum(
+  distribution: string,
+  tag: string,
+  archivePath: string,
+  filename: string
+): Promise<void> {
+  const baseUrl = `https://github.com/goreleaser/${distribution}/releases/download/${tag}`;
+  let checksumsPath: string;
+  try {
+    core.info(`Downloading ${baseUrl}/checksums.txt`);
+    checksumsPath = await tc.downloadTool(`${baseUrl}/checksums.txt`);
+  } catch (e) {
+    core.warning(`Skipping checksum verification: unable to download checksums.txt: ${e.message}`);
+    return;
+  }
+
+  const sha256 = crypto.createHash('sha256').update(fs.readFileSync(archivePath)).digest('hex');
+  const expected = findChecksum(fs.readFileSync(checksumsPath, 'utf8'), filename);
+  if (!expected) {
+    throw new Error(`Could not find ${filename} in checksums.txt`);
+  }
+  if (expected.toLowerCase() !== sha256.toLowerCase()) {
+    throw new Error(`Checksum mismatch for ${filename}: expected ${expected}, got ${sha256}`);
+  }
+  core.info(`Checksum verified for ${filename}`);
+
+  await verifyCosignSignature(distribution, tag, baseUrl, checksumsPath);
+}
+
+export const findChecksum = (checksumsContent: string, filename: string): string | undefined => {
+  const match = checksumsContent
+    .split('\n')
+    .map(line => line.trim().split(/\s+/))
+    .find(parts => parts.length >= 2 && parts[1].replace(/^[*]/, '') === filename);
+  return match ? match[0] : undefined;
+};
+
+async function verifyCosignSignature(
+  distribution: string,
+  tag: string,
+  baseUrl: string,
+  checksumsPath: string
+): Promise<void> {
+  const cosign = await io.which('cosign', false);
+  if (!cosign) {
+    core.info('cosign not found in PATH, skipping signature verification');
+    return;
+  }
+
+  let bundlePath: string;
+  try {
+    core.info(`Downloading ${baseUrl}/checksums.txt.sigstore.json`);
+    bundlePath = await tc.downloadTool(`${baseUrl}/checksums.txt.sigstore.json`);
+  } catch (e) {
+    core.warning(`Skipping cosign signature verification: unable to download sigstore bundle: ${e.message}`);
+    return;
+  }
+
+  const certificateIdentity = getCertificateIdentity(distribution, tag);
+  core.info(`Verifying checksums.txt signature with cosign (identity: ${certificateIdentity})`);
+  await exec.exec(cosign, [
+    'verify-blob',
+    '--certificate-identity',
+    certificateIdentity,
+    '--certificate-oidc-issuer',
+    'https://token.actions.githubusercontent.com',
+    '--bundle',
+    bundlePath,
+    checksumsPath
+  ]);
+  core.info('cosign signature verified');
+}
+
+export const getCertificateIdentity = (distribution: string, tag: string): string => {
+  const pro = isPro(distribution);
+  if (github.isNightlyTag(tag)) {
+    const workflow = pro ? 'nightly-pro.yml' : 'nightly-oss.yml';
+    const repo = pro ? 'goreleaser-pro-internal' : 'goreleaser';
+    return `https://github.com/goreleaser/${repo}/.github/workflows/${workflow}@refs/heads/main`;
+  }
+  if (pro) {
+    return `https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/${tag}`;
+  }
+  return `https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/${tag}`;
+};
+
 export const distribSuffix = (distribution: string): string => {
   return isPro(distribution) ? '-pro' : '';
 };
@@ -81,7 +167,7 @@ const getFilename = (distribution: string): string => {
   const platform: string = context.osPlat == 'win32' ? 'Windows' : context.osPlat == 'darwin' ? 'Darwin' : 'Linux';
   const ext: string = context.osPlat == 'win32' ? 'zip' : 'tar.gz';
   const suffix: string = distribSuffix(distribution);
-  return util.format('goreleaser%s_%s_%s.%s', suffix, platform, arch, ext);
+  return `goreleaser${suffix}_${platform}_${arch}.${ext}`;
 };
 
 export async function getDistPath(yamlfile: string): Promise<string> {

src/main.ts

@@ -1,16 +1,19 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import yargs from 'yargs';
+import type {Arguments} from 'yargs';
 import * as context from './context';
 import * as goreleaser from './goreleaser';
+import {getRequestedVersion} from './version';
 import * as core from '@actions/core';
 import * as exec from '@actions/exec';
 
 async function run(): Promise<void> {
   try {
     const inputs: context.Inputs = await context.getInputs();
-    const bin = await goreleaser.install(inputs.distribution, inputs.version);
-    core.info(`GoReleaser ${inputs.version} installed successfully`);
+    const version = getRequestedVersion(inputs);
+    const bin = await goreleaser.install(inputs.distribution, version);
+    core.info(`GoReleaser ${version} installed successfully`);
 
     if (inputs.installOnly) {
       const goreleaserDir = path.dirname(bin);
@@ -28,11 +31,20 @@ async function run(): Promise<void> {
     }
 
     let yamlfile: string | unknown;
-    const argv: {config: string} = yargs.parse(inputs.args) as never;
+    const argv: Arguments<{config?: string}> = yargs(inputs.args).parseSync() as Arguments<{
+      config?: string;
+    }>;
     if (argv.config) {
       yamlfile = argv.config;
     } else {
-      ['.goreleaser.yaml', '.goreleaser.yml', 'goreleaser.yaml', 'goreleaser.yml'].forEach(f => {
+      [
+        '.config/goreleaser.yaml',
+        '.config/goreleaser.yml',
+        '.goreleaser.yaml',
+        '.goreleaser.yml',
+        'goreleaser.yaml',
+        'goreleaser.yml'
+      ].forEach(f => {
         if (fs.existsSync(f)) {
           yamlfile = f;
         }

src/test_setup.ts

@@ -1,4 +1,4 @@
-import tmp = require('tmp');
+import * as tmp from 'tmp';
 
 tmp.setGracefulCleanup();
 const tmpdir = tmp.dirSync({template: 'goreleaser-XXXXXX'});

src/version.ts

@@ -0,0 +1,56 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import {Inputs} from './context';
+
+// Resolves the GoReleaser version to install.
+//
+// When `version-file` is set, it is read from disk and parsed; the resolved
+// value takes precedence over the `version` input. Otherwise, `version` is
+// returned as-is (it always has a default — see context.getInputs).
+export function getRequestedVersion(inputs: Inputs): string {
+  if (!inputs.versionFile) {
+    return inputs.version;
+  }
+
+  const filePath = path.isAbsolute(inputs.versionFile)
+    ? inputs.versionFile
+    : path.join(inputs.workdir || '.', inputs.versionFile);
+
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`version-file not found: ${filePath}`);
+  }
+
+  const basename = path.basename(filePath);
+  const content = fs.readFileSync(filePath, 'utf-8');
+
+  switch (basename) {
+    case '.tool-versions':
+      return parseToolVersions(content, filePath);
+    default:
+      throw new Error(`Unsupported version-file: ${filePath} (only .tool-versions is supported)`);
+  }
+}
+
+// Parses a single `goreleaser <version>` entry out of a `.tool-versions` file
+// (asdf/mise format). Full-line `#` comments and inline `# ...` suffixes are
+// stripped. When a tool lists multiple fallback versions only the first is
+// used. Bare semvers are returned with a leading `v`; constraint expressions
+// (`~> v2`, `latest`, ...) are returned as-is.
+function parseToolVersions(content: string, filePath: string): string {
+  for (const rawLine of content.split('\n')) {
+    const line = rawLine.replace(/#.*$/, '').trim();
+    if (!line) {
+      continue;
+    }
+    const tokens = line.split(/\s+/);
+    if (tokens[0] !== 'goreleaser') {
+      continue;
+    }
+    const version = tokens[1];
+    if (!version) {
+      throw new Error(`No version specified for goreleaser in ${filePath}`);
+    }
+    return /^\d/.test(version) ? `v${version}` : version;
+  }
+  throw new Error(`No goreleaser entry found in ${filePath}`);
+}

test/.goreleaser-signing.yml

@@ -17,12 +17,6 @@ builds:
       - "386"
       - "amd64"
 
-archives:
-  -
-    format_overrides:
-      - goos: windows
-        format: zip
-
 checksum:
   name_template: 'checksums.txt'
 

test/.goreleaser.yml

@@ -17,11 +17,5 @@ builds:
       - "386"
       - "amd64"
 
-archives:
-  -
-    format_overrides:
-      - goos: windows
-        format: zip
-
 checksum:
   name_template: 'checksums.txt'

tsconfig.json

@@ -1,8 +1,8 @@
 {
   "compilerOptions": {
     "esModuleInterop": true,
-    "target": "es6",
-    "module": "commonjs",
+    "target": "ES2024",
+    "module": "ESNext",
     "newLine": "lf",
     "outDir": "./lib",
     "rootDir": "./src",
@@ -10,6 +10,9 @@
     "noImplicitAny": false,
     "resolveJsonModule": true,
     "useUnknownInCatchVariables": false,
+    "moduleResolution": "node",
+    "strict": false,
+    "skipLibCheck": true
   },
   "exclude": [
     "node_modules",