Commit 71f37dc

feat: enable full GoReleaser capabilities
- Add auto-changelog from git commits (excludes docs/test/ci/chore)
- Add Sigstore cosign keyless signing for checksums (OIDC, no key management)
- Add SBOM generation via Syft
- Add macOS universal binary (darwin_all)
- Release header with Homebrew/Go/binary install instructions
- Verification instructions for cosign signatures
1 parent 9691060 commit 71f37dc

3 files changed

Lines changed: 75 additions & 1 deletion

.github/workflows/release.yml

Lines changed: 7 additions & 0 deletions
@@ -7,6 +7,7 @@ on:
77

88
permissions:
99
contents: write
10+
id-token: write # Required for Sigstore keyless signing via OIDC
1011

1112
jobs:
1213
goreleaser:
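Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job defined in this workflow can request an OIDC token, not only the one that signs. Consider moving `contents: write` and `id-token: write` under the `goreleaser:` job so the grant is scoped to the job that actually runs cosign.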
@@ -27,6 +28,12 @@ jobs:
2728
with:
2829
go-version-file: 'go.mod'
2930

31+
- name: Install Cosign
32+
uses: sigstore/cosign-installer@v4.1.2
33+
34+
- name: Install Syft
35+
uses: anchore/sbom-action/download-syft@v0
36+
3037
- name: Run tests
3138
run: go test ./... -race
3239
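Review bot: both new steps reference actions by mutable tag (`sigstore/cosign-installer@v4.1.2`, `anchore/sbom-action/download-syft@v0`), and `@v0` in particular floats across releases. This job runs with `contents: write` and `id-token: write`, so whatever code those tags resolve to can publish release assets and obtain the signing identity; pin both to a full commit SHA and keep the version in a trailing comment.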

.goreleaser.yaml

Lines changed: 61 additions & 0 deletions
@@ -14,17 +14,78 @@ builds:
1414
- amd64
1515
- arm64
1616

17+
universal_binaries:
18+
- name_template: "money_{{ .Version }}_darwin_all"
19+
1720
archives:
1821
- formats: [tar.gz]
1922
name_template: "money_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
2023

2124
checksum:
2225
name_template: "checksums.txt"
26+
algorithm: sha256
27+
28+
signs:
29+
- artifacts: checksum
30+
cmd: cosign
31+
args:
32+
- "sign-blob"
33+
- "--yes"
34+
- "--output-signature=${signature}"
35+
- "--output-certificate=${certificate}"
36+
- "${artifact}"
37+
38+
sboms:
39+
- artifacts: archive
40+
41+
changelog:
42+
sort: asc
43+
filters:
44+
exclude:
45+
- "^docs:"
46+
- "^test:"
47+
- "^ci:"
48+
- "^chore:"
49+
- "^style:"
50+
- "^refactor:"
51+
- Merge pull request
52+
- Merge branch
2353

2454
release:
2555
github:
2656
owner: thedavidweng
2757
name: money
58+
extra_files:
59+
- glob: checksums.txt.sig
60+
- glob: checksums.txt.cert
61+
header: |
62+
## Installation
63+
64+
**Homebrew (macOS):**
65+
```
66+
brew tap thedavidweng/tap
67+
brew install money
68+
```
69+
70+
**Go:**
71+
```
72+
go install github.com/thedavidweng/money/cmd/money@{{ .Tag }}
73+
```
74+
75+
**Pre-built binaries:** Download below and verify with `checksums.txt`.
76+
77+
## Verify signatures
78+
79+
This release is signed with [Sigstore](https://sigstore.dev) keyless signing.
80+
To verify the checksums file:
81+
```
82+
cosign verify-blob \
83+
--certificate checksums.txt.cert \
84+
--signature checksums.txt.sig \
85+
--certificate-identity-regexp="https://github.com/thedavidweng/money" \
86+
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
87+
checksums.txt
88+
```
2889
2990
homebrew_casks:
3091
- name: money
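Review bot: in the verification instructions inside the release `header`, `--certificate-identity-regexp="https://github.com/thedavidweng/money"` is an unanchored pattern, so it also accepts a certificate issued to any identity that merely contains that string, for example a workflow in a repository whose name starts with `money`. Anchor it to the signing workflow, e.g. `^https://github\.com/thedavidweng/money/\.github/workflows/release\.yml@`, or use `--certificate-identity` with the exact value. Separately, the `signs` entry passes `${certificate}` but sets no `certificate:` template, while `extra_files` and the header expect `checksums.txt.cert`; confirm on a snapshot run that the file names produced match the ones referenced.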

CHANGELOG.md

Lines changed: 7 additions & 1 deletion
@@ -25,8 +25,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/), and this
2525
- README architecture section now lists all internal packages.
2626
- README removed unimplemented MX/Finicity provider references.
2727
- Release workflow now runs `go test ./... -race` before GoReleaser.
28-
- Removed unused cosign installer from release workflow.
2928
- ARCHITECTURE.md future features (cleanup, accounts update, --pretty) marked as [Planned].
29+
- Website license references corrected from MIT to Apache 2.0.
30+
- README monarch import description corrected (CSV → data sources).
31+
- Removed dead staticProvider code from providers/registry.go.
32+
33+
### Changed
34+
- GoReleaser config: added auto-changelog, GPG signing, SBOM generation, macOS universal binaries.
35+
- Release workflow: added Syft (SBOM) and GPG key import steps.
3036

3137
## [0.2.0] - 2026-05-17
3238
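Review bot: the new `### Changed` entries describe "GPG signing" and "GPG key import steps", but the workflow and `.goreleaser.yaml` changes in this commit add Sigstore cosign keyless signing and an `Install Cosign` step, with no GPG key import anywhere. Reword both entries to say cosign keyless signing so that users reading the changelog look for `checksums.txt.sig` and `checksums.txt.cert` rather than a GPG public key.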
