mirror of
https://github.com/goreleaser/goreleaser-action.git
synced 2026-05-14 06:40:32 +00:00
4b462d3d1d
* feat: verify release checksum and cosign signature Download checksums.txt for the release and verify the SHA-256 of the downloaded archive against it. When cosign is available in PATH, also download checksums.txt.sigstore.json and verify the signature against the goreleaser/goreleaser-pro release workflow identity. Both steps degrade gracefully (with a warning) when the corresponding artifacts or tooling are missing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: use install() for checksum e2e tests Drop the http-client download helper from verifyChecksum integration tests; call goreleaser.install() instead so the test exercises the public API path and avoids duplicating download logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
72 lines
1.9 KiB
Docker
72 lines
1.9 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
ARG NODE_VERSION=24
|
|
|
|
FROM node:${NODE_VERSION}-alpine AS base
|
|
RUN apk add --no-cache cpio findutils git
|
|
WORKDIR /src
|
|
|
|
FROM base AS deps
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/src/node_modules \
|
|
npm install && mkdir /vendor && cp package-lock.json /vendor
|
|
|
|
FROM scratch AS vendor-update
|
|
COPY --from=deps /vendor /
|
|
|
|
FROM deps AS vendor-validate
|
|
RUN --mount=type=bind,target=.,rw <<EOT
|
|
set -e
|
|
git add -A
|
|
cp -rf /vendor/* .
|
|
if [ -n "$(git status --porcelain -- package-lock.json)" ]; then
|
|
echo >&2 'ERROR: Vendor result differs. Please vendor your package with "docker buildx bake vendor"'
|
|
git status --porcelain -- package-lock.json
|
|
exit 1
|
|
fi
|
|
EOT
|
|
|
|
FROM deps AS build
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/src/node_modules \
|
|
npm run build && mkdir /out && cp -Rf dist /out/
|
|
|
|
FROM scratch AS build-update
|
|
COPY --from=build /out /
|
|
|
|
FROM build AS build-validate
|
|
RUN --mount=type=bind,target=.,rw <<EOT
|
|
set -e
|
|
git add -A
|
|
cp -rf /out/* .
|
|
if [ -n "$(git status --porcelain -- dist)" ]; then
|
|
echo >&2 'ERROR: Build result differs. Please build first with "docker buildx bake build"'
|
|
git status --porcelain -- dist
|
|
exit 1
|
|
fi
|
|
EOT
|
|
|
|
FROM deps AS format
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/src/node_modules \
|
|
npm run format \
|
|
&& mkdir /out && find . -name '*.ts' -not -path './node_modules/*' | cpio -pdm /out
|
|
|
|
FROM scratch AS format-update
|
|
COPY --from=format /out /
|
|
|
|
FROM deps AS lint
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/src/node_modules \
|
|
npm run lint
|
|
|
|
FROM deps AS test
|
|
RUN apk add --no-cache cosign
|
|
ENV RUNNER_TEMP=/tmp/github_runner
|
|
ENV RUNNER_TOOL_CACHE=/tmp/github_tool_cache
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/src/node_modules \
|
|
npm run test -- --coverage --coverageDirectory=/tmp/coverage
|
|
|
|
FROM scratch AS test-coverage
|
|
COPY --from=test /tmp/coverage /
|