actions/goreleaser-action
12
0
Fork 0
mirror of https://github.com/goreleaser/goreleaser-action.git synced 2026-05-14 06:40:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
goreleaser-action/README.md
Carlos Alexandro Becker 4c6ab561ad
feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (#558) 
* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release

Query GitHub releases API to resolve the 'nightly' version input to the
latest immutable nightly tag, replacing the moving 'nightly' tag that is
being removed for supply-chain hardening.

Refs goreleaser/goreleaser#6550

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: keep legacy 'nightly' tag working during transition

Fall back to the moving 'nightly' tag when no immutable
vX.Y.Z-<sha>-nightly release is found, so the action keeps working
between this release and the goreleaser nightly switchover.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: assert isNightlyTag accepts legacy fallback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: accept nightly tags without 'v' prefix

goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly
(no 'v' prefix). Make the nightly tag regex tolerate either form, and
split the integration tests so OSS asserts the legacy fallback while
Pro asserts the new <version>-<sha>-nightly format.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Revert "fix: accept nightly tags without 'v' prefix"

The missing 'v' prefix on the goreleaser-pro nightly was a release
mistake; new nightlies will keep the 'v' prefix.

This reverts commit 7673f7f.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: pass GITHUB_TOKEN to tests

The new nightly resolution hits api.github.com/repos/.../releases,
which is rate-limited for unauthenticated requests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: note GITHUB_TOKEN need for nightly resolution

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 16:39:25 -03:00

311 lines
11 KiB
Markdown
Raw Permalink Blame History

<p align="center">
<img alt="GoReleaser Logo" src="https://avatars2.githubusercontent.com/u/24697112?v=3&s=200" height="140" />
<h3 align="center">GoReleaser Action</h3>
<p align="center"><a href="https://github.com/features/actions">GitHub Action</a> for GoReleaser</p>
<p align="center">
<a href="https://github.com/goreleaser/goreleaser-action/releases/latest"><img alt="GitHub release" src="https://img.shields.io/github/release/goreleaser/goreleaser-action.svg?logo=github&style=flat-square"></a>
<a href="https://github.com/marketplace/actions/goreleaser-action"><img alt="GitHub marketplace" src="https://img.shields.io/badge/marketplace-goreleaser--action-blue?logo=github&style=flat-square"></a>
<a href="https://github.com/goreleaser/goreleaser-action/actions?workflow=test"><img alt="Test workflow" src="https://img.shields.io/github/actions/workflow/status/goreleaser/goreleaser-action/test.yml?label=test&branch=master&logo=github&style=flat-square"></a>
<a href="https://codecov.io/gh/goreleaser/goreleaser-action"><img alt="Codecov" src="https://img.shields.io/codecov/c/github/goreleaser/goreleaser-action?logo=codecov&style=flat-square"></a>
</p>
</p>
___
![GoRelease Action](.github/goreleaser-action.png)
* [Usage](#usage)
* [Workflow](#workflow)
* [Verification](#verification)
* [Run on new tag](#run-on-new-tag)
* [Signing](#signing)
* [Upload artifacts](#upload-artifacts)
* [Install Only](#install-only)
* [Customizing](#customizing)
* [inputs](#inputs)
* [outputs](#outputs)
* [environment variables](#environment-variables)
* [Limitation](#limitation)
* [Development](#development)
* [License](#license)
## Usage
GoReleaser Action runs [goreleaser][], please follow its [docs][gdocs] for
more information about how to customize what GoReleaser does.
[goreleaser]: https://goreleaser.com/
[gdocs]: https://goreleaser.com/customization
### Workflow
```yaml
name: goreleaser
on:
pull_request:
push:
permissions:
contents: write
jobs:
goreleaser:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v6
with:
fetch-depth: 0
-
name: Set up Go
uses: actions/setup-go@v6
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
# either 'goreleaser' (default) or 'goreleaser-pro'
distribution: goreleaser
# 'latest', 'nightly', or a semver
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
# GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
```
> **IMPORTANT**: note the `fetch-depth: 0` input in `Checkout` step. It is required for the changelog to work correctly.
### Verification
The action verifies the integrity of the downloaded GoReleaser archive
against the published `checksums.txt` automatically — no configuration
required.
If [`cosign`](https://docs.sigstore.dev/cosign/) is available on `PATH`, the
action will additionally verify the cosign sigstore signature of the
checksums file against the GoReleaser release workflow's OIDC identity. If
`cosign` isn't installed, this step is silently skipped.
> **Note**: cosign signature verification requires GoReleaser **v2.13.0 or
> newer** (and the matching `nightly`). Earlier releases ship a `.sig`
> detached signature signed with cosign v2, which is not compatible with
> the cosign v3 sigstore-bundle format the action verifies. For older
> versions the cosign step is silently skipped — only the `checksums.txt`
> SHA-256 verification runs.
> **Note**: when `version: nightly` is used, the action resolves the
> latest immutable `vX.Y.Z-<sha>-nightly` release from the GitHub
> Releases API. Pass `GITHUB_TOKEN` to the action step (as in the example
> above) to avoid unauthenticated API rate limits.
To enable signature verification, install cosign before running the action:
```yaml
-
name: Install cosign
uses: sigstore/cosign-installer@v3
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
distribution: goreleaser
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Both checksum and signature verification work for tagged releases (≥ v2.13.0)
and the `nightly` channel.
### Run on new tag
If you want to run GoReleaser only on new tag, you can use this event:
```yaml
on:
push:
tags:
- '*'
```
Or with a condition on GoReleaser step:
```yaml
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
if: startsWith(github.ref, 'refs/tags/')
with:
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
> For detailed instructions please follow GitHub Actions [workflow syntax](https://help.github.com/en/articles/workflow-syntax-for-github-actions#About-yaml-syntax-for-workflows).
### Signing
If [signing is enabled](https://goreleaser.com/customization/#Signing) in your GoReleaser configuration, you can use
the [Import GPG](https://github.com/crazy-max/ghaction-import-gpg) GitHub Action along with this one:
```yaml
-
name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v7
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
```
And reference the fingerprint in your signing configuration using the `GPG_FINGERPRINT` environment variable:
```yaml
signs:
- artifacts: checksum
args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
```
### Upload artifacts
For some events like pull request or schedule you might want to store the artifacts somewhere for testing
purposes. You can do that with the [actions/upload-artifact](https://github.com/actions/upload-artifact) action:
```yaml
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
version: '~> v2'
args: release --clean
workdir: myfolder
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
name: Upload assets
uses: actions/upload-artifact@v6
with:
name: myapp
path: myfolder/dist/*
```
### Install Only
```yaml
steps:
-
name: Install GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
install-only: true
-
name: Show GoReleaser version
run: goreleaser -v
```
## Customizing
### inputs
Following inputs can be used as `step.with` keys
| Name | Type | Default | Description |
|------------------|---------|--------------|------------------------------------------------------------------|
| `distribution` | String | `goreleaser` | GoReleaser distribution, either `goreleaser` or `goreleaser-pro` |
| `version`**¹** | String | `~> v2` | GoReleaser version |
| `version-file`**²** | String | | Read the GoReleaser version from a file (see below) |
| `args` | String | | Arguments to pass to GoReleaser |
| `workdir` | String | `.` | Working directory (below repository root) |
| `install-only` | Bool | `false` | Just install GoReleaser |
> **¹** Can be a fixed version like `v0.117.0` or a max satisfying semver one like `~> 0.132`. In this case this will return `v0.132.1`.
>
> **²** Path to a file containing the GoReleaser version. Resolved relative
> to `workdir`. Currently only [`.tool-versions`](https://asdf-vm.com/manage/configuration.html#tool-versions)
> (asdf/mise) format is supported. When set, this takes precedence over `version`.
>
> ```yaml
> # .tool-versions
> goreleaser 2.13.0
> ```
>
> ```yaml
> - uses: goreleaser/goreleaser-action@v7
> with:
> version-file: .tool-versions
> args: release --clean
> ```
### outputs
Following outputs are available
| Name | Type | Description |
|-------------|------|------------------------|
| `artifacts` | JSON | Build result artifacts |
| `metadata` | JSON | Build result metadata |
### environment variables
Following environment variables can be used as `step.env` keys
| Name | Description |
|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
| `GITHUB_TOKEN` | [GITHUB_TOKEN](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token) as provided by `secrets` and requires `contents:write` |
| `GORELEASER_KEY` | Your [GoReleaser Pro](https://goreleaser.com/pro) License Key, in case you are using the `goreleaser-pro` distribution |
## Limitation
`GITHUB_TOKEN` permissions [are limited to the repository](https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#about-the-github_token-secret)
that contains your workflow.
If you need to push the homebrew tap to another repository, you must therefore create a custom [Personal Access Token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/)
with `repo` permissions and [add it as a secret in the repository](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets). If you create a
secret named `GH_PAT`, the step will look like this:
```yaml
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
```
## Migrating from v3
If you need the auto-snapshot feature, take a look at [this example repository](https://github.com/caarlos0/goreleaser-action-v4-auto-snapshot-example): it's a minimal working example with all you need.
## Development
See [CONTRIBUTING.md](./CONTRIBUTING.md) for the full development workflow.
Quick reference:
```
# install dependencies
npm ci
# format, build dist/, and run tests
npm run pre-checkin
```
## License
MIT. See `LICENSE` for more details.
Reference in a new issue View git blame Copy permalink