Carlos Alexandro Becker 15fa2a96d4
test: cover install across release eras (#555)
Add install tests pinned to versions that exercise every release era so
we don't regress the graceful-skip path for releases that pre-date the
cosign v3 sigstore bundle:

- v0.182.0  pre-checksums-signing
- v1.26.2   cosign v2 detached .sig only
- v2.12.4   last release before sigstore bundles
- v2.13.0   first release with sigstore bundle (minimum verifiable)
- v2.15.3   recent release with sigstore bundle

Plus an explicit verifyChecksum integration test that installs v2.12.4
with cosign in PATH to confirm the cosign step is skipped (not failed)
when the sigstore bundle is absent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-18 15:55:31 -03:00
.github ci: drop pre-cosign-v3 goreleaser versions from tests (#554) 2026-04-18 15:39:15 -03:00
__tests__ test: cover install across release eras (#555) 2026-04-18 15:55:31 -03:00
dist feat: verify release checksum and cosign signature (#550) 2026-04-18 14:34:46 -03:00
src feat: verify release checksum and cosign signature (#550) 2026-04-18 14:34:46 -03:00
test test: fixes 2025-02-10 23:45:14 -03:00
.dockerignore chore: update yarn to 3.5.1 (#412) 2023-05-07 16:13:08 +02:00
.editorconfig Initial commit 2019-09-20 22:23:46 +02:00
.eslintignore chore: node 20 as default runtime (#432) 2023-09-11 19:59:46 +02:00
.eslintrc.json chore: node 20 as default runtime (#432) 2023-09-11 19:59:46 +02:00
.gitattributes feat!: node 24, update deps, rm yarn, ESM (#533) 2026-01-29 21:22:39 -03:00
.gitignore fix: gitignore 2026-02-09 09:06:51 -03:00
.node-version build: drop docker-bake in favor of plain npm (#551) 2026-04-18 15:22:23 -03:00
.prettierignore chore: update yarn to 3.5.1 (#412) 2023-05-07 16:13:08 +02:00
.prettierrc.json Update prettier 2019-11-12 00:05:29 +01:00
action.yml feat!: node 24, update deps, rm yarn, ESM (#533) 2026-01-29 21:22:39 -03:00
CONTRIBUTING.md ci: add release-major-tag workflow (#552) 2026-04-18 15:23:21 -03:00
jest.config.ts chore(deps): bump the npm group across 1 directory with 4 updates (#536) 2026-01-29 21:59:39 -03:00
LICENSE chore: update community files (#328) 2022-02-27 18:55:49 +01:00
package-lock.json chore(deps): bump undici from 6.23.0 to 6.24.1 (#545) 2026-03-22 22:55:17 -03:00
package.json build: drop docker-bake in favor of plain npm (#551) 2026-04-18 15:22:23 -03:00
README.md ci: drop pre-cosign-v3 goreleaser versions from tests (#554) 2026-04-18 15:39:15 -03:00
tsconfig.json feat!: node 24, update deps, rm yarn, ESM (#533) 2026-01-29 21:22:39 -03:00

GoReleaser Action

GitHub Action for GoReleaser

Usage

GoReleaser Action runs goreleaser. Please follow its docs for more information about how to customize what GoReleaser does.

Workflow

name: goreleaser

on:
  pull_request:
  push:

permissions:
  contents: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      -
        name: Set up Go
        uses: actions/setup-go@v6
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          # either 'goreleaser' (default) or 'goreleaser-pro'
          distribution: goreleaser
          # 'latest', 'nightly', or a semver
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
          # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

IMPORTANT: note the fetch-depth: 0 input in the Checkout step. It is required for the changelog to work correctly.

Verification

The action verifies the integrity of the downloaded GoReleaser archive against the published checksums.txt automatically — no configuration required.

If cosign is available on PATH, the action will additionally verify the cosign sigstore signature of the checksums file against the GoReleaser release workflow's OIDC identity. If cosign isn't installed, this step is silently skipped.

Note: cosign signature verification requires GoReleaser v2.13.0 or newer (and the matching nightly). Earlier releases ship a .sig detached signature signed with cosign v2, which is not compatible with the cosign v3 sigstore-bundle format the action verifies. For older versions the cosign step is silently skipped; only the checksums.txt SHA-256 verification runs.

To enable signature verification, install cosign before running the action:

      -
        name: Install cosign
        uses: sigstore/cosign-installer@v3
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Both checksum and signature verification work for tagged releases (≥ v2.13.0) and the nightly channel.
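
The verification rules above, sketched as a fail-closed checksum check plus a function that reports whether the cosign step would run for a given version. This is an added example, not the action's own code: the function names, the Plan type and the sample archive are hypothetical and constructed for illustration.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added illustration with hypothetical names; not the action's source code.
type Plan = { checksum: true; cosign: boolean; reason: string };

// Parse "<sha256-hex>  <filename>" lines, the layout of a checksums.txt file.
function parseChecksums(text: string): Map<string, string> {
  const sums = new Map<string, string>();
  for (const line of text.split(/\r?\n/)) {
    const m = /^([0-9a-fA-F]{64})\s+\*?(\S.*)$/.exec(line.trim());
    if (m) sums.set(m[2], m[1].toLowerCase());
  }
  return sums;
}

// Fail closed: a missing entry or a digest mismatch throws, it never skips.
function verifyArchive(name: string, data: Uint8Array, checksums: string): void {
  const expected = parseChecksums(checksums).get(name);
  if (!expected) throw new Error(`no checksum entry for ${name}`);
  const actual = createHash("sha256").update(data).digest();
  if (!timingSafeEqual(actual, Buffer.from(expected, "hex")))
    throw new Error(`SHA-256 mismatch for ${name}`);
}

// Which steps run for a resolved version (not a range such as '~> v2'):
// cosign needs the binary on PATH and a nightly or a tag >= v2.13.0.
function verificationPlan(version: string, cosignOnPath: boolean): Plan {
  if (!cosignOnPath) return { checksum: true, cosign: false, reason: "cosign not on PATH" };
  if (version === "nightly") return { checksum: true, cosign: true, reason: "nightly channel" };
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const major = Number(m[1]);
  const minor = Number(m[2]);
  const hasBundle = major > 2 || (major === 2 && minor >= 13);
  const reason = hasBundle ? "sigstore bundle published" : "release pre-dates sigstore bundle";
  return { checksum: true, cosign: hasBundle, reason };
}

// Constructed sample input (not a real release archive).
const sampleArchive = Buffer.from("constructed archive bytes");
const sampleDigest = createHash("sha256").update(sampleArchive).digest("hex");
const sampleChecksums = `${sampleDigest}  example.tar.gz\n`;

verifyArchive("example.tar.gz", sampleArchive, sampleChecksums);
for (const v of ["v0.182.0", "v1.26.2", "v2.12.4", "v2.13.0", "v2.15.3", "nightly"])
  console.log(v, verificationPlan(v, true));
```

Because the cosign step is skipped silently, a check of this kind is one way to notice when a pinned version or a runner without cosign falls back to checksum-only verification.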

Run on new tag

If you want to run GoReleaser only on a new tag, you can use this event:

on:
  push:
    tags:
      - '*'

Or with a condition on the GoReleaser step:

      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        if: startsWith(github.ref, 'refs/tags/')
        with:
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

For detailed instructions please follow GitHub Actions workflow syntax.

Signing

If signing is enabled in your GoReleaser configuration, you can use the Import GPG GitHub Action along with this one:

      -
        name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v7
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}

And reference the fingerprint in your signing configuration using the GPG_FINGERPRINT environment variable:

signs:
  - artifacts: checksum
    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]

Upload artifacts

For some events like pull request or schedule you might want to store the artifacts somewhere for testing purposes. You can do that with the actions/upload-artifact action:

      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          version: '~> v2'
          args: release --clean
          workdir: myfolder
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Upload assets
        uses: actions/upload-artifact@v6
        with:
          name: myapp
          path: myfolder/dist/*

Install Only

steps:
  -
    name: Install GoReleaser
    uses: goreleaser/goreleaser-action@v7
    with:
      install-only: true
  -
    name: Show GoReleaser version
    run: goreleaser -v

Customizing

inputs

The following inputs can be used as step.with keys:

| Name | Type | Default | Description |
|------|------|---------|-------------|
| distribution | String | goreleaser | GoReleaser distribution, either goreleaser or goreleaser-pro |
| version¹ | String | ~> v2 | GoReleaser version |
| args | String | | Arguments to pass to GoReleaser |
| workdir | String | . | Working directory (below repository root) |
| install-only | Bool | false | Just install GoReleaser |

¹ Can be a fixed version like v0.117.0 or a semver range like ~> 0.132, which resolves to the highest satisfying release (v0.132.1 in this case).

outputs

The following outputs are available:

| Name | Type | Description |
|------|------|-------------|
| artifacts | JSON | Build result artifacts |
| metadata | JSON | Build result metadata |

environment variables

The following environment variables can be used as step.env keys:

| Name | Description |
|------|-------------|
| GITHUB_TOKEN | GITHUB_TOKEN as provided by secrets; requires contents:write |
| GORELEASER_KEY | Your GoReleaser Pro License Key, in case you are using the goreleaser-pro distribution |

Limitation

GITHUB_TOKEN permissions are limited to the repository that contains your workflow.

If you need to push the homebrew tap to another repository, you must therefore create a custom Personal Access Token with repo permissions and add it as a secret in the repository. If you create a secret named GH_PAT, the step will look like this:

      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          version: '~> v2'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

Migrating from v3

If you need the auto-snapshot feature, take a look at this example repository: it's a minimal working example with all you need.

Development

See CONTRIBUTING.md for the full development workflow.

Quick reference:

# install dependencies
npm ci

# format, build dist/, and run tests
npm run pre-checkin

License

MIT. See LICENSE for more details.