mirror of
https://github.com/GMWalletApp/epusdt.git
synced 2026-07-07 18:26:16 +00:00
Merge pull request #20 from GMwalletApp/dev-runtime
build(release): compare final changelog against previous stable tag
This commit is contained in:
@@ -41,11 +41,27 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
go-version-file: src/go.mod
|
go-version-file: src/go.mod
|
||||||
|
|
||||||
- name: Install Cosign
|
- name: Select Previous Stable Tag For Final Releases
|
||||||
uses: sigstore/cosign-installer@v4.1.1
|
run: |
|
||||||
|
current_tag="${GITHUB_REF_NAME}"
|
||||||
|
if [[ "$current_tag" == *-* ]]; then
|
||||||
|
echo "prerelease tag detected: $current_tag"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Install Syft
|
previous_stable_tag="$(
|
||||||
uses: anchore/sbom-action/download-syft@v0.24.0
|
git tag --list 'v*' --sort=-version:refname |
|
||||||
|
grep -Fxv "$current_tag" |
|
||||||
|
grep -Ev -- '-' |
|
||||||
|
head -n 1
|
||||||
|
)"
|
||||||
|
|
||||||
|
if [[ -n "$previous_stable_tag" ]]; then
|
||||||
|
echo "using previous stable tag: $previous_stable_tag"
|
||||||
|
echo "GORELEASER_PREVIOUS_TAG=$previous_stable_tag" >> "$GITHUB_ENV"
|
||||||
|
else
|
||||||
|
echo "no previous stable tag found"
|
||||||
|
fi
|
||||||
|
|
||||||
- name: Run GoReleaser
|
- name: Run GoReleaser
|
||||||
uses: goreleaser/goreleaser-action@v7
|
uses: goreleaser/goreleaser-action@v7
|
||||||
@@ -60,7 +76,4 @@ jobs:
|
|||||||
- name: Attest Release Artifacts
|
- name: Attest Release Artifacts
|
||||||
uses: actions/attest@v4
|
uses: actions/attest@v4
|
||||||
with:
|
with:
|
||||||
subject-path: |
|
subject-checksums: src/dist/SHA256SUMS
|
||||||
src/dist/*.tar.gz
|
|
||||||
src/dist/*.zip
|
|
||||||
src/dist/*_checksums.txt
|
|
||||||
|
|||||||
+9
-13
@@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta
|
|||||||
|
|
||||||
Each release also publishes:
|
Each release also publishes:
|
||||||
|
|
||||||
- a checksum file
|
- a `SHA256SUMS` checksum file
|
||||||
- a Sigstore keyless signature bundle for the checksum file
|
|
||||||
- archive SBOM documents generated by Syft
|
|
||||||
- a GitHub build provenance attestation for the checksum file
|
- a GitHub build provenance attestation for the checksum file
|
||||||
|
|
||||||
## How to cut a release
|
## How to cut a release
|
||||||
@@ -48,23 +46,15 @@ git push origin v1.0.0
|
|||||||
|
|
||||||
## Verify a release
|
## Verify a release
|
||||||
|
|
||||||
Verify the checksum signature with Cosign:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
cosign verify-blob \
|
|
||||||
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
|
|
||||||
epusdt_v1.0.0_checksums.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
Verify the GitHub build provenance attestation:
|
Verify the GitHub build provenance attestation:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt
|
gh attestation verify SHA256SUMS -R GMwalletApp/epusdt
|
||||||
```
|
```
|
||||||
|
|
||||||
## Local validation
|
## Local validation
|
||||||
|
|
||||||
Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag:
|
Run a snapshot build locally before pushing a tag:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
cd src
|
cd src
|
||||||
@@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
|
|||||||
```
|
```
|
||||||
|
|
||||||
The resulting artifacts will be generated under `src/dist/`.
|
The resulting artifacts will be generated under `src/dist/`.
|
||||||
|
|
||||||
|
## Release candidates
|
||||||
|
|
||||||
|
If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease.
|
||||||
|
|
||||||
|
For a final tag like `v1.2.3`, the release workflow forces GoReleaser to compare against the previous stable tag instead of the latest `rc` tag. This keeps the final changelog focused on stable-to-stable changes.
|
||||||
|
|||||||
+6
-16
@@ -28,7 +28,7 @@ archives:
|
|||||||
- id: epusdt
|
- id: epusdt
|
||||||
ids:
|
ids:
|
||||||
- epusdt
|
- epusdt
|
||||||
name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
|
name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
|
||||||
files:
|
files:
|
||||||
- .env.example
|
- .env.example
|
||||||
- static/**
|
- static/**
|
||||||
@@ -38,21 +38,7 @@ archives:
|
|||||||
- zip
|
- zip
|
||||||
|
|
||||||
checksum:
|
checksum:
|
||||||
name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
|
name_template: "SHA256SUMS"
|
||||||
|
|
||||||
signs:
|
|
||||||
- cmd: cosign
|
|
||||||
signature: "${artifact}.sigstore.json"
|
|
||||||
args:
|
|
||||||
- "sign-blob"
|
|
||||||
- "--bundle=${signature}"
|
|
||||||
- "${artifact}"
|
|
||||||
- "--yes"
|
|
||||||
artifacts: checksum
|
|
||||||
|
|
||||||
sboms:
|
|
||||||
- id: archives
|
|
||||||
artifacts: archive
|
|
||||||
|
|
||||||
snapshot:
|
snapshot:
|
||||||
name_template: "{{ incpatch .Version }}-next"
|
name_template: "{{ incpatch .Version }}-next"
|
||||||
@@ -61,6 +47,7 @@ release:
|
|||||||
github:
|
github:
|
||||||
owner: GMwalletApp
|
owner: GMwalletApp
|
||||||
name: epusdt
|
name: epusdt
|
||||||
|
prerelease: auto
|
||||||
|
|
||||||
changelog:
|
changelog:
|
||||||
sort: asc
|
sort: asc
|
||||||
@@ -70,3 +57,6 @@ changelog:
|
|||||||
- "^test:"
|
- "^test:"
|
||||||
- "^chore:"
|
- "^chore:"
|
||||||
- "^ci:"
|
- "^ci:"
|
||||||
|
- "^fix\\(ci\\):"
|
||||||
|
- "^build\\(release\\):"
|
||||||
|
- "^Merge pull request"
|
||||||
|
|||||||
Reference in New Issue
Block a user