1 file changed +32 -0 lines changed
1616
1717* [ Usage] ( #usage )
1818 * [ Workflow] ( #workflow )
19+ * [ Verification] ( #verification )
1920 * [ Run on new tag] ( #run-on-new-tag )
2021 * [ Signing] ( #signing )
2122 * [ Upload artifacts] ( #upload-artifacts )
7778
7879> ** IMPORTANT** : note the ` fetch-depth: 0 ` input in ` Checkout ` step. It is required for the changelog to work correctly.
7980
81+ ### Verification
82+
83+ The action verifies the integrity of the downloaded GoReleaser archive
84+ against the published ` checksums.txt ` automatically — no configuration
85+ required.
86+
87+ If [ ` cosign ` ] ( https://docs.sigstore.dev/cosign/ ) is available on ` PATH ` , the
88+ action will additionally verify the cosign sigstore signature of the
89+ checksums file against the GoReleaser release workflow's OIDC identity. If
90+ ` cosign ` isn't installed, this step is silently skipped.
91+
92+ To enable signature verification, install cosign before running the action:
93+
94+ ``` yaml
95+ -
96+ name : Install cosign
97+ uses : sigstore/cosign-installer@v3
98+ -
99+ name : Run GoReleaser
100+ uses : goreleaser/goreleaser-action@v7
101+ with :
102+ distribution : goreleaser
103+ version : ' ~> v2'
104+ args : release --clean
105+ env :
106+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
107+ ` ` `
108+
109+ Both checksum and signature verification work for tagged releases and the
110+ ` nightly` channel.
111+
80112# ## Run on new tag
81113
82114If you want to run GoReleaser only on new tag, you can use this event :
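Review bot: the last sentence of the second Verification paragraph (new lines 89-90, "If `cosign` isn't installed, this step is silently skipped") documents fail-open behaviour without telling the reader how to confirm that signature verification actually ran. A workflow in which the `Install cosign` step is dropped, or fails to put `cosign` on `PATH`, falls back to the checksum comparison alone, and a comparison against the published `checksums.txt` on its own detects a corrupted or mismatched download, not a release in which the archive and the checksums file were replaced together. Suggest stating what the action logs when the signature is verified versus skipped, and naming the OIDC identity the signature is checked against so users can audit it. Separately, the example at new line 97 references `sigstore/cosign-installer@v3` by a mutable tag; in a section about verification, consider showing it pinned to a full commit SHA.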