diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c7f8a11..2bdd67a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,11 +41,27 @@ jobs: with: go-version-file: src/go.mod - - name: Install Cosign - uses: sigstore/cosign-installer@v4.1.1 + - name: Select Previous Stable Tag For Final Releases + run: | + current_tag="${GITHUB_REF_NAME}" + if [[ "$current_tag" == *-* ]]; then + echo "prerelease tag detected: $current_tag" + exit 0 + fi - - name: Install Syft - uses: anchore/sbom-action/download-syft@v0.24.0 + previous_stable_tag="$( + git tag --list 'v*' --sort=-version:refname | + grep -Fxv "$current_tag" | + grep -Ev -- '-' | + head -n 1 + )" + + if [[ -n "$previous_stable_tag" ]]; then + echo "using previous stable tag: $previous_stable_tag" + echo "GORELEASER_PREVIOUS_TAG=$previous_stable_tag" >> "$GITHUB_ENV" + else + echo "no previous stable tag found" + fi - name: Run GoReleaser uses: goreleaser/goreleaser-action@v7 @@ -60,7 +76,4 @@ jobs: - name: Attest Release Artifacts uses: actions/attest@v4 with: - subject-path: | - src/dist/*.tar.gz - src/dist/*.zip - src/dist/*_checksums.txt + subject-checksums: src/dist/SHA256SUMS diff --git a/RELEASING.md b/RELEASING.md index 64cf7f8..8cf14bc 100644 --- a/RELEASING.md +++ b/RELEASING.md @@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta Each release also publishes: -- a checksum file -- a Sigstore keyless signature bundle for the checksum file -- archive SBOM documents generated by Syft +- a `SHA256SUMS` checksum file - a GitHub build provenance attestation for the checksum file ## How to cut a release @@ -48,23 +46,15 @@ git push origin v1.0.0 ## Verify a release -Verify the checksum signature with Cosign: - -```bash -cosign verify-blob \ - --bundle epusdt_v1.0.0_checksums.txt.sigstore.json \ - epusdt_v1.0.0_checksums.txt -``` - Verify the GitHub build provenance attestation: ```bash -gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt +gh attestation verify SHA256SUMS -R GMwalletApp/epusdt ``` ## Local validation -Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag: +Run a snapshot build locally before pushing a tag: ```bash cd src @@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean ``` The resulting artifacts will be generated under `src/dist/`. + +## Release candidates + +If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease. + +For a final tag like `v1.2.3`, the release workflow forces GoReleaser to compare against the previous stable tag instead of the latest `rc` tag. This keeps the final changelog focused on stable-to-stable changes. diff --git a/src/.goreleaser.yaml b/src/.goreleaser.yaml index 8ca3083..34c00dd 100644 --- a/src/.goreleaser.yaml +++ b/src/.goreleaser.yaml @@ -28,7 +28,7 @@ archives: - id: epusdt ids: - epusdt - name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" + name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}" files: - .env.example - static/** @@ -38,21 +38,7 @@ archives: - zip checksum: - name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt" - -signs: - - cmd: cosign - signature: "${artifact}.sigstore.json" - args: - - "sign-blob" - - "--bundle=${signature}" - - "${artifact}" - - "--yes" - artifacts: checksum - -sboms: - - id: archives - artifacts: archive + name_template: "SHA256SUMS" snapshot: name_template: "{{ incpatch .Version }}-next" @@ -61,6 +47,7 @@ release: github: owner: GMwalletApp name: epusdt + prerelease: auto changelog: sort: asc @@ -70,3 +57,6 @@ changelog: - "^test:" - "^chore:" - "^ci:" + - "^fix\\(ci\\):" + - "^build\\(release\\):" + - "^Merge pull request"