-
Notifications
You must be signed in to change notification settings - Fork 0
97 lines (86 loc) · 3.64 KB
/
Copy pathrelease.yml
File metadata and controls
97 lines (86 loc) · 3.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# Copyright (c) 2019-2026 Truestamp, Inc.
# SPDX-License-Identifier: MIT
name: Release
on:
push:
tags:
- "v*"
permissions:
contents: write
id-token: write # Required by cosign keyless signing (GitHub OIDC)
attestations: write # Required by actions/attest-build-provenance
pull-requests: write # Belt-and-braces; auto-merge step uses HOMEBREW_TAP_GITHUB_TOKEN
jobs:
# Quality gate: re-runs the full CI job (lint + staticcheck + gosec +
# govulncheck + race-enabled test matrix + build) on the tagged SHA.
# If anything fails here, goreleaser never starts — no half-published
# state to clean up. The duplicate work vs. the ci.yml run on main is
# cheap insurance against drift between the main-push and the tag.
ci:
name: CI gate
uses: ./.github/workflows/ci.yml
goreleaser:
name: GoReleaser
needs: ci
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
with:
fetch-depth: 0
- name: Install tools via mise
uses: jdx/mise-action@dba19683ed58901619b14f395a24841710cb4925 # v4
with:
experimental: true
# Pre-flight: catch a broken .goreleaser.yaml before the full
# cross-compile burns ~3 minutes and before we touch the GitHub
# Release API. Cheap (<1s) so always worth running.
- name: goreleaser check
run: mise exec -- goreleaser check
# Snapshot dry-run: exercises the full cross-compile matrix, SBOM
# generation, archive creation, and cask template rendering
# without publishing or signing. Surfaces platform-specific
# build breakage (e.g. a stdlib API that compiles on the
# developer's host but not on darwin/arm64) before the real
# release step tries to upload.
- name: goreleaser release --snapshot (dry run)
run: |
mise exec -- goreleaser release --snapshot --clean
# Discard snapshot artifacts — the real release below starts fresh.
rm -rf dist/
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
- name: Merge homebrew-tap PR
continue-on-error: true
env:
GH_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
run: |
# GoReleaser opens a PR on truestamp/homebrew-tap from a
# branch named `goreleaser-{{ .Version }}`, where Version is
# the tag with any leading "v" stripped. ${GITHUB_REF_NAME}
# is the pushed tag (e.g. "v0.3.3").
#
# Direct `--merge` (no `--auto`): the tap's `protect-main`
# ruleset only blocks branch deletion / non-fast-forward
# pushes, so nothing gates mergeability. `--auto` requires
# a pending status check or review to queue against and
# rejects clean PRs with "Pull request is in clean status".
# The direct merge also arrives faster — no queue round-trip.
tag="${GITHUB_REF_NAME#v}"
branch="goreleaser-${tag}"
echo "Merging PR from branch ${branch}"
gh pr merge "${branch}" \
--repo truestamp/homebrew-tap \
--merge \
--delete-branch
- name: Attest build provenance
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-path: "dist/checksums.txt"