Release #17
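name: Release

# Manually triggered release pipeline: validates the requested tag, regenerates
# CHANGELOG.md and commits it, tags the commit, builds and publishes with
# goreleaser, then signs both checksum files with cosign (keyless, GitHub OIDC)
# and attaches the signing artifacts to the GitHub release.
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Release version (e.g. v1.0.0)"
        required: true
        type: string

# contents: write -> push the changelog commit and tag, create the release
# id-token: write -> mint the OIDC token cosign uses for keyless signing
permissions:
  contents: write
  id-token: write

defaults:
  run:
    # An explicit bash shell runs with `-eo pipefail`; the implicit default
    # only sets `-e`, so a failing `sha256sum | awk` pipeline further down
    # would otherwise be masked by awk's exit status.
    shell: bash

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    env:
      # The input is read exactly once into an environment variable. Expanding
      # `${{ github.event.inputs.version }}` inside `run:` scripts would splice
      # the raw input into the shell source before the validation step runs;
      # an environment variable is passed as data and cannot alter the script.
      VERSION: ${{ github.event.inputs.version }}
    steps:
      - name: Validate version format
        run: |
          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Error: Version must match vX.Y.Z (e.g. v1.0.0)"
            exit 1
          fi

      - name: Checkout code
        uses: actions/checkout@v6
        with:
          # RELEASE_TOKEN rather than GITHUB_TOKEN — presumably so the pushed
          # tag can trigger other workflows; confirm against repo settings.
          token: ${{ secrets.RELEASE_TOKEN }}
          # Full history so git-cliff can see earlier tags and commits
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.25.9"
          cache: true

      - name: Install git-cliff
        # TODO(review): pin an exact version (`pip install "git-cliff==<pinned-version>"`)
        # so a new upstream release cannot silently change the generated changelog.
        run: pip install git-cliff

      - name: Install goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          install-only: true

      - name: Generate changelog
        run: |
          # Full changelog for CHANGELOG.md (committed to repo)
          make changelog VERSION="$VERSION"
          # Release notes for this version only (passed to goreleaser)
          git-cliff --tag "$VERSION" --latest --strip header -o RELEASE_NOTES.md

      - name: Commit changelog and tag release
        env:
          # Secrets are handed to the script via the environment, not spliced
          # into the command line at template-expansion time.
          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # NOTE(review): actions/checkout already persisted RELEASE_TOKEN for
          # this repository, so this set-url is likely redundant; it also leaves
          # the token in the remote URL in .git/config. Confirm before removing.
          git remote set-url origin "https://x-access-token:${RELEASE_TOKEN}@github.com/${GITHUB_REPOSITORY}"
          git add CHANGELOG.md
          git commit -m "chore(release): update changelog for ${VERSION}"
          git tag "${VERSION}"
          # Always pushes to main, regardless of the ref the workflow was dispatched from
          git push origin main --tags

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Build and release with goreleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean --release-notes RELEASE_NOTES.md
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}

      - name: Generate binary checksums
        run: |
          # Strip leading 'v' for goreleaser dist paths
          VER="${VERSION#v}"
          SUMFILE="dist/verda_${VER}_binary_SHA256SUMS"
          # Start from an empty file so a rerun on a dirty dist/ never appends stale lines
          : > "$SUMFILE"
          # Find raw binaries produced by goreleaser and checksum them
          for dir in dist/verda_*/; do
            # The trailing-slash glob matches only directories; when nothing
            # matches, the pattern is left unexpanded and this test skips it.
            [ -d "$dir" ] || continue
            BIN=""
            if [ -f "${dir}verda" ]; then
              BIN="${dir}verda"
            elif [ -f "${dir}verda.exe" ]; then
              BIN="${dir}verda.exe"
            else
              continue
            fi
            # Compute checksum with path relative to dist/
            RELPATH="${BIN#dist/}"
            HASH=$(sha256sum "$BIN" | awk '{print $1}')
            # Two spaces between hash and path: the format `sha256sum -c` accepts
            echo "${HASH}  ${RELPATH}" >> "$SUMFILE"
          done
          # Dedup in case build and archive staging dirs both matched
          sort -u -o "$SUMFILE" "$SUMFILE"
          if [ ! -s "$SUMFILE" ]; then
            echo "Error: no binary checksums generated"
            exit 1
          fi
          echo "--- Binary checksums ---"
          cat "$SUMFILE"

      - name: Sign checksum files with cosign
        # Keyless signing via GitHub OIDC. The certificate identity will be:
        #   https://github.com/verda-cloud/verda-cli/.github/workflows/release.yml@refs/heads/main
        #
        # To verify manually:
        #   cosign verify-blob \
        #     --signature verda_<VER>_SHA256SUMS.sig \
        #     --certificate verda_<VER>_SHA256SUMS.pem \
        #     --certificate-identity-regexp "^https://github\.com/verda-cloud/verda-cli/\.github/workflows/release\.yml@refs/.*$" \
        #     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
        #     verda_<VER>_SHA256SUMS
        #
        # The regexp above accepts any ref; tighten it to `@refs/heads/main$`
        # if releases are only ever cut from main.
        run: |
          VER="${VERSION#v}"
          # Sign the archive checksums (produced by goreleaser). The file name
          # must match the checksum name_template in the goreleaser config,
          # which is not visible here — confirm if signing fails with "not found".
          cosign sign-blob --yes \
            --output-signature "dist/verda_${VER}_SHA256SUMS.sig" \
            --output-certificate "dist/verda_${VER}_SHA256SUMS.pem" \
            "dist/verda_${VER}_SHA256SUMS"
          # Sign the binary checksums
          cosign sign-blob --yes \
            --output-signature "dist/verda_${VER}_binary_SHA256SUMS.sig" \
            --output-certificate "dist/verda_${VER}_binary_SHA256SUMS.pem" \
            "dist/verda_${VER}_binary_SHA256SUMS"

      - name: Upload signing artifacts to release
        env:
          GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        run: |
          VER="${VERSION#v}"
          # The archive checksum file itself is already attached by goreleaser;
          # only the binary checksums and the signatures/certificates are added here.
          gh release upload "${VERSION}" \
            "dist/verda_${VER}_binary_SHA256SUMS" \
            "dist/verda_${VER}_binary_SHA256SUMS.sig" \
            "dist/verda_${VER}_binary_SHA256SUMS.pem" \
            "dist/verda_${VER}_SHA256SUMS.sig" \
            "dist/verda_${VER}_SHA256SUMS.pem"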