Merge pull request #20 from GMwalletApp/dev-runtime

build(release): compare final changelog against previous stable tag
This commit is contained in:
alphago9
2026-03-31 17:10:36 +08:00
committed by GitHub
3 changed files with 36 additions and 37 deletions
+21 -8
View File
@@ -41,11 +41,27 @@ jobs:
with:
go-version-file: src/go.mod
- name: Install Cosign
uses: sigstore/cosign-installer@v4.1.1
- name: Select Previous Stable Tag For Final Releases
run: |
current_tag="${GITHUB_REF_NAME}"
if [[ "$current_tag" == *-* ]]; then
echo "prerelease tag detected: $current_tag"
exit 0
fi
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0.24.0
previous_stable_tag="$(
git tag --list 'v*' --sort=-version:refname |
grep -Fxv "$current_tag" |
grep -Ev -- '-' |
head -n 1
)"
if [[ -n "$previous_stable_tag" ]]; then
echo "using previous stable tag: $previous_stable_tag"
echo "GORELEASER_PREVIOUS_TAG=$previous_stable_tag" >> "$GITHUB_ENV"
else
echo "no previous stable tag found"
fi
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
@@ -60,7 +76,4 @@ jobs:
- name: Attest Release Artifacts
uses: actions/attest@v4
with:
subject-path: |
src/dist/*.tar.gz
src/dist/*.zip
src/dist/*_checksums.txt
subject-checksums: src/dist/SHA256SUMS
+9 -13
View File
@@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta
Each release also publishes:
- a checksum file
- a Sigstore keyless signature bundle for the checksum file
- archive SBOM documents generated by Syft
- a `SHA256SUMS` checksum file
- a GitHub build provenance attestation for the checksum file
## How to cut a release
@@ -48,23 +46,15 @@ git push origin v1.0.0
## Verify a release
Verify the checksum signature with Cosign:
```bash
cosign verify-blob \
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
epusdt_v1.0.0_checksums.txt
```
Verify the GitHub build provenance attestation:
```bash
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt
gh attestation verify SHA256SUMS -R GMwalletApp/epusdt
```
## Local validation
Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag:
Run a snapshot build locally before pushing a tag:
```bash
cd src
@@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
```
The resulting artifacts will be generated under `src/dist/`.
## Release candidates
If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease.
For a final tag like `v1.2.3`, the release workflow forces GoReleaser to compare against the previous stable tag instead of the latest `rc` tag. This keeps the final changelog focused on stable-to-stable changes.
+6 -16
View File
@@ -28,7 +28,7 @@ archives:
- id: epusdt
ids:
- epusdt
name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
files:
- .env.example
- static/**
@@ -38,21 +38,7 @@ archives:
- zip
checksum:
name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
signs:
- cmd: cosign
signature: "${artifact}.sigstore.json"
args:
- "sign-blob"
- "--bundle=${signature}"
- "${artifact}"
- "--yes"
artifacts: checksum
sboms:
- id: archives
artifacts: archive
name_template: "SHA256SUMS"
snapshot:
name_template: "{{ incpatch .Version }}-next"
@@ -61,6 +47,7 @@ release:
github:
owner: GMwalletApp
name: epusdt
prerelease: auto
changelog:
sort: asc
@@ -70,3 +57,6 @@ changelog:
- "^test:"
- "^chore:"
- "^ci:"
- "^fix\\(ci\\):"
- "^build\\(release\\):"
- "^Merge pull request"