build(release): simplify release assets and prerelease behavior

This commit is contained in:
alphago9
2026-03-31 16:04:27 +08:00
parent 682aa3907a
commit 8927c0658f
3 changed files with 16 additions and 36 deletions
+1 -7
View File
@@ -40,12 +40,6 @@ jobs:
with: with:
go-version-file: src/go.mod go-version-file: src/go.mod
- name: Install Cosign
uses: sigstore/cosign-installer@v4.1.1
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0.24.0
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7 uses: goreleaser/goreleaser-action@v7
with: with:
@@ -59,4 +53,4 @@ jobs:
- name: Attest Release Checksums - name: Attest Release Checksums
uses: actions/attest@v4 uses: actions/attest@v4
with: with:
subject-checksums: src/dist/epusdt_${{ github.ref_name }}_checksums.txt subject-checksums: src/dist/SHA256SUMS
+9 -13
View File
@@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta
Each release also publishes: Each release also publishes:
- a checksum file - a `SHA256SUMS` checksum file
- a Sigstore keyless signature bundle for the checksum file
- archive SBOM documents generated by Syft
- a GitHub build provenance attestation for the checksum file - a GitHub build provenance attestation for the checksum file
## How to cut a release ## How to cut a release
@@ -48,23 +46,15 @@ git push origin v1.0.0
## Verify a release ## Verify a release
Verify the checksum signature with Cosign:
```bash
cosign verify-blob \
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
epusdt_v1.0.0_checksums.txt
```
Verify the GitHub build provenance attestation: Verify the GitHub build provenance attestation:
```bash ```bash
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt gh attestation verify SHA256SUMS -R GMwalletApp/epusdt
``` ```
## Local validation ## Local validation
Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag: Run a snapshot build locally before pushing a tag:
```bash ```bash
cd src cd src
@@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
``` ```
The resulting artifacts will be generated under `src/dist/`. The resulting artifacts will be generated under `src/dist/`.
## Release candidates
If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease.
If you want the final `v1.2.3` release notes to compare cleanly against the previous stable release, avoid keeping old `rc` tags around longer than needed.
+6 -16
View File
@@ -28,7 +28,7 @@ archives:
- id: epusdt - id: epusdt
ids: ids:
- epusdt - epusdt
name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
files: files:
- .env.example - .env.example
- static/** - static/**
@@ -38,21 +38,7 @@ archives:
- zip - zip
checksum: checksum:
name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt" name_template: "SHA256SUMS"
signs:
- cmd: cosign
signature: "${artifact}.sigstore.json"
args:
- "sign-blob"
- "--bundle=${signature}"
- "${artifact}"
- "--yes"
artifacts: checksum
sboms:
- id: archives
artifacts: archive
snapshot: snapshot:
name_template: "{{ incpatch .Version }}-next" name_template: "{{ incpatch .Version }}-next"
@@ -61,6 +47,7 @@ release:
github: github:
owner: GMwalletApp owner: GMwalletApp
name: epusdt name: epusdt
prerelease: auto
changelog: changelog:
sort: asc sort: asc
@@ -70,3 +57,6 @@ changelog:
- "^test:" - "^test:"
- "^chore:" - "^chore:"
- "^ci:" - "^ci:"
- "^fix\\(ci\\):"
- "^build\\(release\\):"
- "^Merge pull request"