build(release): simplify release assets and prerelease behavior

This commit is contained in:
alphago9
2026-03-31 16:04:27 +08:00
parent 682aa3907a
commit 8927c0658f
3 changed files with 16 additions and 36 deletions
+9 -13
View File
@@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta
Each release also publishes:
- a checksum file
- a Sigstore keyless signature bundle for the checksum file
- archive SBOM documents generated by Syft
- a `SHA256SUMS` checksum file
- a GitHub build provenance attestation for the checksum file
## How to cut a release
@@ -48,23 +46,15 @@ git push origin v1.0.0
## Verify a release
Verify the checksum signature with Cosign:
```bash
cosign verify-blob \
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
epusdt_v1.0.0_checksums.txt
```
Verify the GitHub build provenance attestation:
```bash
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt
gh attestation verify SHA256SUMS -R GMwalletApp/epusdt
```
## Local validation
Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag:
Run a snapshot build locally before pushing a tag:
```bash
cd src
@@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
```
The resulting artifacts will be generated under `src/dist/`.
## Release candidates
If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease.
If you want the final `v1.2.3` release notes to compare cleanly against the previous stable release, avoid keeping old `rc` tags around longer than needed.