build(release): simplify release assets and prerelease behavior

This commit is contained in:
alphago9
2026-03-31 16:04:27 +08:00
parent 682aa3907a
commit 8927c0658f
3 changed files with 16 additions and 36 deletions
+1 -7
View File
@@ -40,12 +40,6 @@ jobs:
with:
go-version-file: src/go.mod
- name: Install Cosign
uses: sigstore/cosign-installer@v4.1.1
- name: Install Syft
uses: anchore/sbom-action/download-syft@v0.24.0
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v7
with:
@@ -59,4 +53,4 @@ jobs:
- name: Attest Release Checksums
uses: actions/attest@v4
with:
subject-checksums: src/dist/epusdt_${{ github.ref_name }}_checksums.txt
subject-checksums: src/dist/SHA256SUMS
+9 -13
View File
@@ -23,9 +23,7 @@ Windows artifacts are published as `.zip`. Other platforms are published as `.ta
Each release also publishes:
- a checksum file
- a Sigstore keyless signature bundle for the checksum file
- archive SBOM documents generated by Syft
- a `SHA256SUMS` checksum file
- a GitHub build provenance attestation for the checksum file
## How to cut a release
@@ -48,23 +46,15 @@ git push origin v1.0.0
## Verify a release
Verify the checksum signature with Cosign:
```bash
cosign verify-blob \
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
epusdt_v1.0.0_checksums.txt
```
Verify the GitHub build provenance attestation:
```bash
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt
gh attestation verify SHA256SUMS -R GMwalletApp/epusdt
```
## Local validation
Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag:
Run a snapshot build locally before pushing a tag:
```bash
cd src
@@ -72,3 +62,9 @@ go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
```
The resulting artifacts will be generated under `src/dist/`.
## Release candidates
If you use tags like `v1.2.3-rc1`, GoReleaser will mark the GitHub release as a prerelease.
If you want the final `v1.2.3` release notes to compare cleanly against the previous stable release, avoid keeping old `rc` tags around longer than needed.
+6 -16
View File
@@ -28,7 +28,7 @@ archives:
- id: epusdt
ids:
- epusdt
name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
files:
- .env.example
- static/**
@@ -38,21 +38,7 @@ archives:
- zip
checksum:
name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
signs:
- cmd: cosign
signature: "${artifact}.sigstore.json"
args:
- "sign-blob"
- "--bundle=${signature}"
- "${artifact}"
- "--yes"
artifacts: checksum
sboms:
- id: archives
artifacts: archive
name_template: "SHA256SUMS"
snapshot:
name_template: "{{ incpatch .Version }}-next"
@@ -61,6 +47,7 @@ release:
github:
owner: GMwalletApp
name: epusdt
prerelease: auto
changelog:
sort: asc
@@ -70,3 +57,6 @@ changelog:
- "^test:"
- "^chore:"
- "^ci:"
- "^fix\\(ci\\):"
- "^build\\(release\\):"
- "^Merge pull request"