diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c09aeb6..438c7ca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,12 +40,6 @@ jobs: with: go-version-file: src/go.mod - - name: Install Cosign - uses: sigstore/cosign-installer@v4.1.1 - - - name: Install Syft - uses: anchore/sbom-action/download-syft@v0.24.0 - - name: Run GoReleaser uses: goreleaser/goreleaser-action@v7 with: @@ -59,4 +53,4 @@ jobs: - name: Attest Release Checksums uses: actions/attest@v4 with: - subject-checksums: src/dist/epusdt_${{ github.ref_name }}_checksums.txt + subject-checksums: src/dist/SHA256SUMS diff --git a/RELEASING.md b/RELEASING.md index 64cf7f8..85cec54 100644 --- a/RELEASING.md +++ b/RELEASING.md @@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta Each release also publishes: -- a checksum file -- a Sigstore keyless signature bundle for the checksum file -- archive SBOM documents generated by Syft +- a `SHA256SUMS` checksum file - a GitHub build provenance attestation for the checksum file ## How to cut a release @@ -48,23 +46,15 @@ git push origin v1.0.0 ## Verify a release -Verify the checksum signature with Cosign: - -```bash -cosign verify-blob \ - --bundle epusdt_v1.0.0_checksums.txt.sigstore.json \ - epusdt_v1.0.0_checksums.txt -``` - Verify the GitHub build provenance attestation: ```bash -gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt +gh attestation verify SHA256SUMS -R GMwalletApp/epusdt ``` ## Local validation -Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag: +Run a snapshot build locally before pushing a tag: ```bash cd src @@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean ``` The resulting artifacts will be generated under `src/dist/`. + +## Release candidates + +If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease. + +If you want the final `v1.2.3` release notes to compare cleanly against the previous stable release, avoid keeping old `rc` tags around longer than needed. diff --git a/src/.goreleaser.yaml b/src/.goreleaser.yaml index 8ca3083..34c00dd 100644 --- a/src/.goreleaser.yaml +++ b/src/.goreleaser.yaml @@ -28,7 +28,7 @@ archives: - id: epusdt ids: - epusdt - name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" + name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}" files: - .env.example - static/** @@ -38,21 +38,7 @@ archives: - zip checksum: - name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt" - -signs: - - cmd: cosign - signature: "${artifact}.sigstore.json" - args: - - "sign-blob" - - "--bundle=${signature}" - - "${artifact}" - - "--yes" - artifacts: checksum - -sboms: - - id: archives - artifacts: archive + name_template: "SHA256SUMS" snapshot: name_template: "{{ incpatch .Version }}-next" @@ -61,6 +47,7 @@ release: github: owner: GMwalletApp name: epusdt + prerelease: auto changelog: sort: asc @@ -70,3 +57,6 @@ changelog: - "^test:" - "^chore:" - "^ci:" + - "^fix\\(ci\\):" + - "^build\\(release\\):" + - "^Merge pull request"