build(release): simplify release assets and prerelease behavior
This commit is contained in:
+9
-13
@@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta
|
||||
|
||||
Each release also publishes:
|
||||
|
||||
- a checksum file
|
||||
- a Sigstore keyless signature bundle for the checksum file
|
||||
- archive SBOM documents generated by Syft
|
||||
- a `SHA256SUMS` checksum file
|
||||
- a GitHub build provenance attestation for the checksum file
|
||||
|
||||
## How to cut a release
|
||||
@@ -48,23 +46,15 @@ git push origin v1.0.0
|
||||
|
||||
## Verify a release
|
||||
|
||||
Verify the checksum signature with Cosign:
|
||||
|
||||
```bash
|
||||
cosign verify-blob \
|
||||
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
|
||||
epusdt_v1.0.0_checksums.txt
|
||||
```
|
||||
|
||||
Verify the GitHub build provenance attestation:
|
||||
|
||||
```bash
|
||||
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt
|
||||
gh attestation verify SHA256SUMS -R GMwalletApp/epusdt
|
||||
```
|
||||
|
||||
## Local validation
|
||||
|
||||
Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag:
|
||||
Run a snapshot build locally before pushing a tag:
|
||||
|
||||
```bash
|
||||
cd src
|
||||
@@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
|
||||
```
|
||||
|
||||
The resulting artifacts will be generated under `src/dist/`.
|
||||
|
||||
## Release candidates
|
||||
|
||||
If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease.
|
||||
|
||||
If you want the final `v1.2.3` release notes to compare cleanly against the previous stable release, avoid keeping old `rc` tags around longer than needed.
|
||||
|
||||
Reference in New Issue
Block a user