# GoReleaser configuration, schema version 2.
version: 2

# Commands that run once, before any build starts.
before:
  hooks:
    # `go mod verify` checks that the modules in the local module cache still
    # match the hashes recorded when they were downloaded. A failing hook
    # stops the release before anything is compiled.
    - 'go mod verify'
# A single build entry: the semctx command, cross-compiled with cgo disabled.
builds:
  - main: './cmd/semctx'
    env:
      - 'CGO_ENABLED=0'
    goos:
      - 'linux'
      - 'darwin'
      - 'windows'
    # NOTE(review): several of these architectures have no Go port for darwin
    # or windows, and wasm has none for any goos listed above. Presumably
    # GoReleaser drops the unsupported pairs; confirm against the asset list
    # of a real release.
    goarch:
      - '386'
      - 'amd64'
      - 'arm'
      - 'arm64'
      - 'loong64'
      - 'mips'
      - 'mips64'
      - 'mips64le'
      - 'mipsle'
      - 'ppc64'
      - 'ppc64le'
      - 'riscv64'
      - 's390x'
      - 'wasm'
    ldflags:
      # Omit the symbol table and DWARF debug information.
      - '-s -w'
      # Stamp the tag, full commit hash and date into internal/version.
      - '-X {{ .ModulePath }}/internal/version.Version={{ .Tag }}'
      - '-X {{ .ModulePath }}/internal/version.Commit={{ .FullCommit }}'
      # NOTE(review): {{ .Date }} is the time of the release run, so two builds
      # of the same tag differ byte-for-byte. If independently reproducible
      # binaries are wanted, {{ .CommitDate }}, `flags: ['-trimpath']` and
      # `mod_timestamp: '{{ .CommitTimestamp }}'` are the usual GoReleaser
      # settings. Confirm first: the embedded date would change meaning.
      - '-X {{ .ModulePath }}/internal/version.Date={{ .Date }}'
    # Explicitly excluded target.
    ignore:
      - goos: 'windows'
        goarch: 'arm'
# Publish each binary as-is (no tar/zip wrapper) under a custom file name.
archives:
  - formats:
      - 'binary'
    # Renders as <project>_<tag>-<os>_<arch>, with amd64 written as x86_64 and
    # 386 as i386. The `{{-` markers trim the space that the folded scalar
    # inserts wherever two lines are joined.
    # NOTE(review): the name carries no .Arm/.Mips/.Amd64 component, so it is
    # unique only while each architecture is built in a single variant.
    # Revisit if goarm/gomips/goamd64 are ever set in builds.
    name_template: >-
      {{- .ProjectName }}_{{- .Tag }}-
      {{- .Os }}_
      {{- if eq .Arch "amd64" }}x86_64
      {{- else if eq .Arch "386" }}i386
      {{- else }}{{ .Arch }}{{ end }}
# Detached, ASCII-armored GPG signature for each built binary.
binary_signs:
  - cmd: 'gpg2'
    args:
      - '--detach-sign'
      - '--armor'
      # The signing key is selected by the address in the GPG_EMAIL
      # environment variable.
      # NOTE(review): an e-mail address can match more than one key in a
      # keyring, while a full fingerprint selects exactly one. Consider passing
      # the fingerprint if the signing keyring may hold several keys.
      - '--local-user={{ .Env.GPG_EMAIL }}'
      # ${signature} and ${artifact} are substituted by GoReleaser per binary.
      - '--output=${signature}'
      - '${artifact}'
    # Signature file name: the same pattern as archives.name_template, plus
    # the ".sig" suffix.
    signature: >-
      {{- .ProjectName }}_{{- .Tag }}-
      {{- .Os }}_
      {{- if eq .Arch "amd64" }}x86_64
      {{- else if eq .Arch "386" }}i386
      {{- else }}{{ .Arch }}{{ end }}.sig
    # NOTE(review): presumably surfaces the signing command's output in the
    # release log; confirm. No passphrase is passed in args, so the key must
    # be usable by gpg2 non-interactively. TODO: confirm how CI unlocks it.
    output: true
# One checksum file per release: <project>_<tag>-checksums.txt.
# NOTE(review): no `signs:` section is visible in this file, so the checksum
# file itself is unsigned. On its own it detects corruption, not substitution;
# authenticity rests on the per-binary signatures from binary_signs.
checksum:
  name_template: '{{ .ProjectName }}_{{ .Tag }}-checksums.txt'
# One SBOM document per binary, named like the binary plus ".spdx.sbom".
# NOTE(review): no `cmd` is set, so GoReleaser's default SBOM generator runs
# (presumably syft; confirm which version the release environment provides).
# Nothing visible in this file signs the SBOM documents.
sboms:
  - artifacts: 'binary'
    documents:
      - >-
        {{- .ProjectName }}_{{- .Tag }}-
        {{- .Os }}_
        {{- if eq .Arch "amd64" }}x86_64
        {{- else if eq .Arch "386" }}i386
        {{- else }}{{ .Arch }}{{ end }}.spdx.sbom
# Version string used for snapshot runs: <tag>-<short commit hash>.
snapshot:
  version_template: '{{ .Tag }}-{{ .ShortCommit }}'
# Release notes are built from commit messages, oldest first.
changelog:
  sort: 'asc'
  filters:
    # Patterns for commit messages left out of the notes. The `^` entries only
    # match at the start of the message; the last two match merge commits.
    # NOTE(review): dependency bumps and pipeline changes often land under the
    # build/chore/ci prefixes, so they will not show up in the release notes.
    # Use the git history to review those.
    exclude:
      - '^build'
      - '^chore'
      - '^ci'
      - '^docs'
      - '^refactor'
      - '^test'
      - 'Merge pull request'
      - 'Merge branch'
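# Release page settings.
release:
  # The release is created as a draft, so it is not published until someone
  # does so manually.
  draft: true
  # Tags that carry a pre-release suffix are marked as pre-releases.
  prerelease: auto
  # Markdown appended to the release notes. Blank lines separate the alert,
  # the paragraphs and the code fences so that each renders as its own block;
  # without them the text after the alert is absorbed into the blockquote.
  # The closing paragraph covers a gap in the instructions: the public key is
  # an asset of the same release, so importing it proves nothing by itself.
  footer: |
    ## Verify

    > [!IMPORTANT]
    > Verify the integrity and security of release assets before running them. This reduces risks from unverified files.

    Check the checksums first:

    ```bash
    sha256sum --check --ignore-missing {{ .ProjectName }}_{{ .Tag }}-checksums.txt
    ```

    Then, confirm authenticity with GPG signatures:

    ```bash
    gpg2 --import {{ .ProjectName }}_{{ .Tag }}.pub.asc
    gpg2 --verify {{ .ProjectName }}_{{ .Tag }}-OS_ARCH.sig {{ .ProjectName }}_{{ .Tag }}-OS_ARCH
    ```

    The public key is distributed with the release itself. Before trusting the result, compare the key's fingerprint (`gpg2 --fingerprint`) with a copy obtained from a source other than this release page.
  name_template: '{{ .ProjectName }} {{ .Tag }}'
  # Uploads the exported public key next to the binaries.
  # NOTE(review): nothing visible in this config creates that file, so it must
  # already exist in the working directory when GoReleaser runs.
  extra_files:
    - glob: '{{ .ProjectName }}_{{ .Tag }}.pub.asc'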