theauth-go/.goreleaser.yml at main · glincker/theauth-go · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# .goreleaser.yml
# goreleaser v2.x config for theauth-go (library release, no binary)
# Docs: https://goreleaser.com/customization/
version: 2

project_name: theauth-go

before:
  hooks:
    - go mod tidy
    - go test ./...

# No binaries -- this is a Go library. The stub satisfies goreleaser's
# requirement that at least one build block exists.
builds:
  - skip: true

# Attach a source archive (tar.gz) of the repo at the tag so downstream
# compliance tools and air-gapped consumers have a reproducible snapshot.
source:
  enabled: true
  name_template: "{{ .ProjectName }}-{{ .Tag }}"
  format: tar.gz

checksum:
  name_template: "checksums.txt"
  algorithm: sha256

# SBOM (CycloneDX JSON) generated by syft over the source tree.
# syft must be installed in the runner; the release workflow installs it.
sboms:
  - artifacts: source
    args:
      - "$artifact"
      - "--file"
      - "$document"
      - "--output"
      - "cyclonedx-json"
    cmd: syft
    documents:
      - "{{ .ArtifactName }}.sbom.json"
    id: source-sbom

# Keyless Sigstore/cosign signing via GitHub Actions OIDC.
# Produces a .sig (signature) and .cert (Rekor transparency-log entry)
# file alongside every artifact.
signs:
  - cmd: cosign
    artifacts: all
    output: true
    args:
      - sign-blob
      - "--output-signature=${signature}"
      - "--output-certificate=${certificate}"
      - "--yes"
      - "${artifact}"
    env:
      - COSIGN_EXPERIMENTAL=1

changelog:
  # Parse changelog from CHANGELOG.md (Keep-a-Changelog format).
  use: github
  sort: asc
  abbrev: -1
  groups:
    - title: "Breaking changes"
      regexp: "^.*!:.*$"
      order: 0
    - title: "New features"
      regexp: "^feat(\\(.*\\))?:"
      order: 1
    - title: "Bug fixes"
      regexp: "^fix(\\(.*\\))?:"
      order: 2
    - title: "Performance"
      regexp: "^perf(\\(.*\\))?:"
      order: 3
    - title: "Other changes"
      order: 999
  filters:
    exclude:
      - "^chore:"
      - "^docs:"
      - "^test:"
      - "Merge pull request"
      - "Merge branch"

release:
  github:
    owner: glincker
    name: theauth-go
  # draft: false means the release goes live immediately on tag push.
  draft: false
  # prerelease: auto detects -alpha, -beta, -rc suffixes.
  prerelease: auto
  name_template: "{{ .Tag }}"
  footer: |
    **Verify this release**

    ```bash
    # Download the SBOM and its Sigstore signature from the release assets, then:
    cosign verify-blob \
      --certificate-identity "https://github.com/glincker/theauth-go/.github/workflows/release.yml@refs/tags/{{ .Tag }}" \
      --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
      --signature theauth-go-{{ .Tag }}.tar.gz.sbom.json.sig \
      --certificate theauth-go-{{ .Tag }}.tar.gz.sbom.json.cert \
      theauth-go-{{ .Tag }}.tar.gz.sbom.json
    ```

    Use this library: `go get github.com/glincker/theauth-go@{{ .Tag }}`