Pull Request Overview
This PR adds retry logic to improve reliability when downloading GoReleaser releases JSON data from remote endpoints. The change addresses potential network issues that could cause transient failures when fetching release information.
- Introduces a generic retry mechanism with configurable retries and timeout
- Wraps HTTP requests to the GoReleaser releases endpoint with retry logic
- Refactors existing HTTP client usage to utilize the new retry functionality
Comments suppressed due to low confidence (1)
src/github.ts:115
- Creating a new HttpClient instance on each retry attempt is inefficient. Consider creating the HttpClient once outside the retry function or reusing the same instance.
const http: httpm.HttpClient = new httpm.HttpClient('goreleaser-action');
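An added example, not code from this pull request or from goreleaser-action: a bounded retry wrapper of the kind the overview describes, with the client created once and reused across attempts as the suppressed comment suggests. The names `retry`, `RetryOptions`, `HttpError`, `FlakyClient` and `fetchReleases` are hypothetical, "timeout" is assumed to mean the wait between attempts, and the stub client stands in for the real HTTP client so the block runs offline.

```typescript
// Hypothetical error type carrying an HTTP status code.
class HttpError extends Error {
  status: number;
  constructor(status: number) {
    super(`HTTP ${status}`);
    this.status = status;
  }
}

interface RetryOptions {
  retries: number; // extra attempts allowed after the first one
  delayMs: number; // assumed meaning of "timeout": wait between attempts
  isRetryable?: (err: unknown) => boolean;
}

const sleep = (ms: number): Promise<void> =>
  new Promise<void>(resolve => setTimeout(resolve, ms));

// Read a numeric `status` property without relying on instanceof.
function statusOf(err: unknown): number | undefined {
  const status = (err as {status?: unknown} | null)?.status;
  return typeof status === 'number' ? status : undefined;
}

// Errors without a status (connection resets, DNS failures) and 429/5xx
// responses are treated as transient. Any other status is deterministic,
// so repeating the request only adds load and delays the failure.
function defaultIsRetryable(err: unknown): boolean {
  const status = statusOf(err);
  return status === undefined || status === 429 || status >= 500;
}

// Run fn up to retries + 1 times and rethrow the last error when the
// attempts are exhausted or the error is not retryable.
async function retry<T>(fn: (attempt: number) => Promise<T>, opts: RetryOptions): Promise<T> {
  const isRetryable = opts.isRetryable ?? defaultIsRetryable;
  let lastErr: unknown;
  for (let attempt = 0; attempt <= opts.retries; attempt++) {
    try {
      return await fn(attempt);
    } catch (err) {
      lastErr = err;
      if (!isRetryable(err) || attempt === opts.retries) {
        break;
      }
      await sleep(opts.delayMs);
    }
  }
  throw lastErr;
}

interface Release {
  tag_name: string;
}

// Constructed stub: throws the queued failures in order, then succeeds.
class FlakyClient {
  calls = 0;
  lastUrl = '';
  failures: Error[];
  constructor(failures: Error[]) {
    this.failures = failures;
  }
  async getJson(url: string): Promise<Release[]> {
    this.lastUrl = url;
    const failure = this.failures[this.calls++];
    if (failure) {
      throw failure;
    }
    return [{tag_name: 'v0.0.0-example'}]; // constructed sample payload
  }
}

// The caller builds the client once; only the request is repeated.
async function fetchReleases(client: FlakyClient, url: string, opts: RetryOptions): Promise<Release[]> {
  return retry(() => client.getJson(url), opts);
}
```
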
scornet256 added a commit to scornet256/gogitlabber that referenced this pull request May 18, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | action | major | `v6` → `v7` |

---

### Release Notes

<details>
<summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary>

### [`v7.2.1`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.1)

[Compare Source](goreleaser/goreleaser-action@v7.2.0...v7.2.1)

This fully removes the usage of the old `nightly` moving tag.

**Full Changelog**: <goreleaser/goreleaser-action@v7.2.0...v7.2.1>

### [`v7.2.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.0)

[Compare Source](goreleaser/goreleaser-action@v7.1.0...v7.2.0)

#### What's Changed

- test: cover install across release eras by [@caarlos0](https://github.com/caarlos0) in [#555](goreleaser/goreleaser-action#555)
- feat: add `version-file` input by [@caarlos0](https://github.com/caarlos0) in [#556](goreleaser/goreleaser-action#556)
- feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release by [@caarlos0](https://github.com/caarlos0) in [#558](goreleaser/goreleaser-action#558)

**Full Changelog**: <goreleaser/goreleaser-action@v7...v7.2.0>

### [`v7.1.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.1.0)

[Compare Source](goreleaser/goreleaser-action@v7...v7.1.0)

#### What's Changed

- feat: verify release checksum and cosign signature by [@caarlos0](https://github.com/caarlos0) in [#550](goreleaser/goreleaser-action#550)
- docs: document cosign verification in README by [@caarlos0](https://github.com/caarlos0) in [#553](goreleaser/goreleaser-action#553)
- docs: Upgrade import GPG action version by [@flecno](https://github.com/flecno) in [#547](goreleaser/goreleaser-action#547)
- ci: drop docker-bake in favor of plain npm by [@caarlos0](https://github.com/caarlos0) in [#551](goreleaser/goreleaser-action#551)
- ci: add release-major-tag workflow by [@caarlos0](https://github.com/caarlos0) in [#552](goreleaser/goreleaser-action#552)
- ci: drop pre-cosign-v3 goreleaser versions from tests by [@caarlos0](https://github.com/caarlos0) in [#554](goreleaser/goreleaser-action#554)
- ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#543](goreleaser/goreleaser-action#543)
- ci(deps): bump the actions group with 5 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#546](goreleaser/goreleaser-action#546)
- chore(deps): bump undici from 6.23.0 to 6.24.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#545](goreleaser/goreleaser-action#545)

#### New Contributors

- [@flecno](https://github.com/flecno) made their first contribution in [#547](goreleaser/goreleaser-action#547)

**Full Changelog**: <goreleaser/goreleaser-action@v7...v7.1.0>

### [`v7.0.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.0.0)

[Compare Source](goreleaser/goreleaser-action@v7...v7)

#### What's Changed

- feat!: node 24, update deps, rm yarn, ESM by [@caarlos0](https://github.com/caarlos0) in [#533](goreleaser/goreleaser-action#533)
- sec: pin github action versions by [@caarlos0](https://github.com/caarlos0) in [#514](goreleaser/goreleaser-action#514)
- docs: Upgrade checkout GitHub Action in README.md by [@dunglas](https://github.com/dunglas) in [#507](goreleaser/goreleaser-action#507)
- chore(deps): bump actions/checkout from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#504](goreleaser/goreleaser-action#504)
- ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#517](goreleaser/goreleaser-action#517)
- ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#523](goreleaser/goreleaser-action#523)
- ci(deps): bump docker/bake-action from 6.9.0 to 6.10.0 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#526](goreleaser/goreleaser-action#526)
- ci(deps): bump the actions group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#532](goreleaser/goreleaser-action#532)
- ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#534](goreleaser/goreleaser-action#534)
- chore(deps): bump the npm group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#536](goreleaser/goreleaser-action#536)
- chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 3.0.2 to 4.0.0 in the npm group by [@dependabot](https://github.com/dependabot)\[bot] in [#537](goreleaser/goreleaser-action#537)
- ci(deps): bump docker/setup-buildx-action from 3.10.0 to 3.12.0 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#538](goreleaser/goreleaser-action#538)
- chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group by [@dependabot](https://github.com/dependabot)\[bot] in [#539](goreleaser/goreleaser-action#539)

**Full Changelog**: <goreleaser/goreleaser-action@v6...v7.0.0>

### [`v7`](goreleaser/goreleaser-action@v6.4.0...v7)

[Compare Source](goreleaser/goreleaser-action@v6.4.0...v7)

### [`v6.4.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.4.0)

[Compare Source](goreleaser/goreleaser-action@v6.3.0...v6.4.0)

#### What's Changed

- ci: set contents read as default workflow permissions by [@crazy-max](https://github.com/crazy-max) in [#494](goreleaser/goreleaser-action#494)
- fix: support .config directory for goreleaser config files by [@haya14busa](https://github.com/haya14busa) in [#500](goreleaser/goreleaser-action#500)
- chore(deps): bump semver from 7.7.1 to 7.7.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#495](goreleaser/goreleaser-action#495)
- chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 by [@dependabot](https://github.com/dependabot)\[bot] in [#498](goreleaser/goreleaser-action#498)
- fix: do not get releases.json if version is specific by [@caarlos0](https://github.com/caarlos0) in [#502](goreleaser/goreleaser-action#502)
- chore(deps): bump undici from 5.28.5 to 5.29.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#496](goreleaser/goreleaser-action#496)
- feat: retry downloading releases json by [@caarlos0](https://github.com/caarlos0) in [#503](goreleaser/goreleaser-action#503)

#### New Contributors

- [@haya14busa](https://github.com/haya14busa) made their first contribution in [#500](goreleaser/goreleaser-action#500)

**Full Changelog**: <goreleaser/goreleaser-action@v6.3.0...v6.4.0>

### [`v6.3.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.3.0)

[Compare Source](goreleaser/goreleaser-action@v6.2.1...v6.3.0)

- Bump undici from 5.28.3 to 5.28.5 in [#488](goreleaser/goreleaser-action#488)

**Full Changelog**: <goreleaser/goreleaser-action@v6.2.1...v6.3.0>

### [`v6.2.1`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.2.1)

[Compare Source](goreleaser/goreleaser-action@v6.2.0...v6.2.1)

#### What's Changed

This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the `-pro` suffix). Older versions should work fine.

> \[!WARNING]
> This version is **required** for GoReleaser Pro v2.7.0+.
> Read more [here](https://goreleaser.com/blog/goreleaser-v2.7/).

**Full Changelog**: <goreleaser/goreleaser-action@v6.2.0...v6.2.1>

### [`v6.2.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.2.0)

[Compare Source](goreleaser/goreleaser-action@v6.1.0...v6.2.0)

#### What's Changed

This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the `-pro` suffix). Older versions should work fine.

> \[!WARNING]
> This version is **required** for GoReleaser Pro v2.7.0+.
> Read more [here](https://goreleaser.com/blog/goreleaser-v2.7/).

**Full Changelog**: <goreleaser/goreleaser-action@v6.1.0...v6.2.0>

### [`v6.1.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.1.0)

[Compare Source](goreleaser/goreleaser-action@v6...v6.1.0)

#### What's Changed

- chore(deps): bump braces from 3.0.2 to 3.0.3 by [@dependabot](https://github.com/dependabot) in [#467](goreleaser/goreleaser-action#467)
- chore(deps): bump docker/bake-action from 4 to 5 by [@dependabot](https://github.com/dependabot) in [#468](goreleaser/goreleaser-action#468)
- chore(deps): bump semver from 7.6.2 to 7.6.3 by [@dependabot](https://github.com/dependabot) in [#470](goreleaser/goreleaser-action#470)
- chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 2.2.1 to 2.2.2 by [@dependabot](https://github.com/dependabot) in [#473](goreleaser/goreleaser-action#473)
- chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 2.2.2 to 2.2.3 by [@dependabot](https://github.com/dependabot) in [#474](goreleaser/goreleaser-action#474)
- chore(deps): bump micromatch from 4.0.5 to 4.0.8 by [@dependabot](https://github.com/dependabot) in [#475](goreleaser/goreleaser-action#475)
- chore(deps): bump [@actions/core](https://github.com/actions/core) from 1.10.1 to 1.11.1 by [@dependabot](https://github.com/dependabot) in [#478](goreleaser/goreleaser-action#478)
- docs: bump upload-artifact version by [@dunglas](https://github.com/dunglas) in [#479](goreleaser/goreleaser-action#479)
- chore: update generated content by [@crazy-max](https://github.com/crazy-max) in [#480](goreleaser/goreleaser-action#480)

#### New Contributors

- [@dunglas](https://github.com/dunglas) made their first contribution in [#479](goreleaser/goreleaser-action#479)

**Full Changelog**: <goreleaser/goreleaser-action@v6.0.0...v6.1.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://git.simoncor.net/golang/gogitlabber/pulls/2
ziemowit-orlikowski added a commit to Elmnt-Internal/goreleaser-action that referenced this pull request Jun 22, 2026
* chore(deps): bump @actions/core from 1.10.1 to 1.11.1 (goreleaser#478) Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.1 to 1.11.1. - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: bump upload-artifact version (goreleaser#479) * chore: update generated content (goreleaser#480) * chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 (goreleaser#482) Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6) --- updated-dependencies: - dependency-name: cross-spawn dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: update for goreleaser v2.7 * chore(deps): update actions Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): update semver and tool-cache Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * test: fix configs * test: fixes * chore(deps): bake vendor Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): bump codecov/codecov-action from 4 to 5 (goreleaser#481) * chore(deps): bump codecov/codecov-action from 4 to 5 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5. 
- [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v4...v5) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * ci: fix deprecated codecov input --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * chore(deps): bump undici from 5.28.3 to 5.28.5 (goreleaser#488) * chore(deps): bump undici from 5.28.3 to 5.28.5 Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.5. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.28.3...v5.28.5) --- updated-dependencies: - dependency-name: undici dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update generated content --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * ci: update bake-action to v6 (goreleaser#493) * ci: set contents read as default workflow permissions (goreleaser#494) * fix: support .config directory for goreleaser config files (goreleaser#500) * fix: support .config directory for goreleaser config files Add support for .config/goreleaser.yaml and .config/goreleaser.yml configuration files to match GoReleaser's official search order. * run $ docker buildx bake build * chore(deps): bump semver from 7.7.1 to 7.7.2 (goreleaser#495) * chore(deps): bump semver from 7.7.1 to 7.7.2 Bumps [semver](https://github.com/npm/node-semver) from 7.7.1 to 7.7.2. 
- [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.7.1...v7.7.2) --- updated-dependencies: - dependency-name: semver dependency-version: 7.7.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update generated content --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 (goreleaser#498) Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: do not get releases.json if version is specific (goreleaser#502) closes goreleaser#489 * chore(deps): bump undici from 5.28.5 to 5.29.0 (goreleaser#496) * chore(deps): bump undici from 5.28.5 to 5.29.0 Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.28.5...v5.29.0) --- updated-dependencies: - dependency-name: undici dependency-version: 5.29.0 dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> * chore: update generated content --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * feat: retry downloading releases json (goreleaser#503) refs https://github.com/orgs/goreleaser/discussions/5954 * chore(deps): bump actions/checkout from 4 to 5 (goreleaser#504) Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: upgrade checkout GitHub Action in README.md (goreleaser#507) * sec: pin github action versions (goreleaser#514) using caarlos0/pinata Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci: update dependabot Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: typo Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci(deps): bump the actions group with 2 updates (goreleaser#517) Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [actions/upload-artifact](https://github.com/actions/upload-artifact). 
Updates `actions/setup-go` from 5.5.0 to 6.0.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d35c59a...4469467) Updates `actions/upload-artifact` from 4.6.2 to 5.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...330a01c) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump the actions group with 2 updates (goreleaser#523) Bumps the actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-go](https://github.com/actions/setup-go). Updates `actions/checkout` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@08c6903...1af3b93) Updates `actions/setup-go` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4469467...4dc6199) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-go dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump docker/bake-action in the actions group (goreleaser#526) Bumps the actions group with 1 update: [docker/bake-action](https://github.com/docker/bake-action). Updates `docker/bake-action` from 6.9.0 to 6.10.0 - [Release notes](https://github.com/docker/bake-action/releases) - [Commits](docker/bake-action@3acf805...5be5f02) --- updated-dependencies: - dependency-name: docker/bake-action dependency-version: 6.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump the actions group across 1 directory with 4 updates (goreleaser#532) Bumps the actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [codecov/codecov-action](https://github.com/codecov/codecov-action). 
Updates `actions/checkout` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1af3b93...8e8c483) Updates `actions/setup-go` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4dc6199...7a3fe6c) Updates `actions/upload-artifact` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@330a01c...b7c566a) Updates `codecov/codecov-action` from 5.5.1 to 5.5.2 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@5a10915...671740a) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 5.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group (goreleaser#534) Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). 
Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e8c483...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat!: node 24, update deps, rm yarn, ESM (goreleaser#533) * chore(deps): bump the npm group across 1 directory with 7 updates Bumps the npm group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.11.1` | `2.0.2` | | [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) | `1.1.1` | `2.0.0` | | [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client) | `2.2.3` | `3.0.1` | | [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache) | `2.0.2` | `3.0.0` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [semver](https://github.com/npm/node-semver) | `7.7.2` | `7.7.3` | | [yargs](https://github.com/yargs/yargs) | `17.7.2` | `18.0.0` | Updates `@actions/core` from 1.11.1 to 2.0.2 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) Updates `@actions/exec` from 1.1.1 to 2.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec) Updates `@actions/http-client` from 2.2.3 to 3.0.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - 
[Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client) Updates `@actions/tool-cache` from 2.0.2 to 3.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/tool-cache) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `semver` from 7.7.2 to 7.7.3 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.7.2...v7.7.3) Updates `yargs` from 17.7.2 to 18.0.0 - [Release notes](https://github.com/yargs/yargs/releases) - [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md) - [Commits](yargs/yargs@v17.7.2...v18.0.0) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 2.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/exec" dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/http-client" dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/tool-cache" dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: semver dependency-version: 7.7.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: yargs dependency-version: 18.0.0 dependency-type: direct:production update-type: version-update:semver-major 
dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * refactor: remove yarn, update to node 24 Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore: review Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: stable Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: add job to automate dependabot pre-checkin/vendor Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore: gitignore Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): bump the npm group across 1 directory with 4 updates (goreleaser#536) * chore(deps): bump the npm group across 1 directory with 4 updates Bumps the npm group with 3 updates in the / directory: [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core), [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) and [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache). 
Updates `@actions/core` from 2.0.2 to 3.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) Updates `@actions/exec` from 2.0.0 to 3.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec) Updates `@actions/http-client` from 3.0.1 to 3.0.2 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client) Updates `@actions/tool-cache` from 3.0.0 to 4.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/@actions/cache@4.0.0/packages/tool-cache) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/exec" dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/http-client" dependency-version: 3.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@actions/tool-cache" dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... 
Signed-off-by: dependabot[bot] <support@github.com> * chore: update dist and vendor * chore: rm provenance Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * test: use esm in jest Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci: fix npm run test Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): bump @actions/http-client from 3.0.2 to 4.0.0 in the npm group (goreleaser#537) * chore(deps): bump @actions/http-client in the npm group Bumps the npm group with 1 update: [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client). Updates `@actions/http-client` from 3.0.2 to 4.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/@actions/cache@4.0.0/packages/http-client) --- updated-dependencies: - dependency-name: "@actions/http-client" dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... 
Signed-off-by: dependabot[bot] <support@github.com>

* chore: update dist and vendor

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ci(deps): bump docker/setup-buildx-action in the actions group (goreleaser#538)

Bumps the actions group with 1 update: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action).

Updates `docker/setup-buildx-action` from 3.10.0 to 3.12.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@b5ca514...8d2750c)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group (goreleaser#539)

* chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group

Bumps the npm group with 1 update: [semver](https://github.com/npm/node-semver).

Updates `semver` from 7.7.3 to 7.7.4
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.7.3...v7.7.4)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update dist and vendor

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: gitignore provenance.json

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci: update dependabot settings

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: gitignore

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: yargs usage

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* docs: update

* fix: bake vendor

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci(deps): bump the actions group with 2 updates (goreleaser#543)

Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [actions/upload-artifact](https://github.com/actions/upload-artifact).

Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

Updates `actions/upload-artifact` from 6.0.0 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump undici from 6.23.0 to 6.24.1 (goreleaser#545)

Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.24.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.24.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: use new static URL

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* clean: leftover files from node 22(?)

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci(deps): bump the actions group with 5 updates (goreleaser#546)

* ci(deps): bump the actions group with 5 updates

Bumps the actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` |
| [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) | `6.3.0` | `7.0.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.12.0` | `4.0.0` |
| [docker/bake-action](https://github.com/docker/bake-action) | `6.10.0` | `7.0.0` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.5.2` | `6.0.0` |

Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `crazy-max/ghaction-import-gpg` from 6.3.0 to 7.0.0
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Commits](crazy-max/ghaction-import-gpg@e89d409...2dc316d)

Updates `docker/setup-buildx-action` from
3.12.0 to 4.0.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)

Updates `docker/bake-action` from 6.10.0 to 7.0.0
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](docker/bake-action@5be5f02...8249049)

Updates `codecov/codecov-action` from 5.5.2 to 6.0.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@671740a...57e3a13)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/bake-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci: switch to matrix subaction for bake

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

* docs: Upgrade import GPG action version (goreleaser#547)

* feat: verify release checksum and cosign signature (goreleaser#550)

* feat: verify release checksum and cosign signature

Download checksums.txt for the release and verify the SHA-256 of the downloaded archive against it. When cosign is available in PATH, also download checksums.txt.sigstore.json and verify the signature against the goreleaser/goreleaser-pro release workflow identity. Both steps degrade gracefully (with a warning) when the corresponding artifacts or tooling are missing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: use install() for checksum e2e tests

Drop the http-client download helper from verifyChecksum integration tests; call goreleaser.install() instead so the test exercises the public API path and avoids duplicating download logic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add CONTRIBUTING with pre-commit workflow

Document the docker buildx bake pre-checkin / test / validate sequence contributors need before pushing, and call out the Alpine-built dist/ gotcha so PRs don't bounce on build-validate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: drop docker-bake in favor of plain npm (goreleaser#551)

* build: drop docker-bake in favor of plain npm

Every TypeScript action maintained by actions/* (checkout, setup-node, setup-go, cache, upload-artifact) uses plain npm scripts.
The bake setup is a docker/* org convention and adds friction for TS work: contributors need Docker, the dev loop is ~10x slower than npm, and Alpine-vs-host byte drift in dist/index.js makes PRs bounce.

Replace with the standard pattern:

- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node) and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake

CONTRIBUTING.md and README development section updated to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: align scripts and workflows with actions/* convention

Match the standard layout used by actions/checkout, actions/setup-node, etc.:

- package.json scripts: split format/format-check (Prettier) from lint/lint:fix (ESLint), and have pre-checkin run all four (format, lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on dependabot PRs; the check-dist style validate / build job catches drift and a maintainer rebuilds locally if needed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add release-major-tag workflow (goreleaser#552)

* build: drop docker-bake in favor of plain npm

Every TypeScript action maintained by actions/* (checkout, setup-node, setup-go, cache, upload-artifact) uses plain npm scripts.
The bake setup is a docker/* org convention and adds friction for TS work: contributors need Docker, the dev loop is ~10x slower than npm, and Alpine-vs-host byte drift in dist/index.js makes PRs bounce.

Replace with the standard pattern:

- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node) and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake

CONTRIBUTING.md and README development section updated to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: align scripts and workflows with actions/* convention

Match the standard layout used by actions/checkout, actions/setup-node, etc.:

- package.json scripts: split format/format-check (Prettier) from lint/lint:fix (ESLint), and have pre-checkin run all four (format, lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on dependabot PRs; the check-dist style validate / build job catches drift and a maintainer rebuilds locally if needed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add release-major-tag workflow

Adopts the actions/checkout pattern (workflow_dispatch with target + major_version inputs that force-pushes the major tag). Doubles as a rollback tool. Documented in CONTRIBUTING under a 'Releasing' section.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: drop irrelevant pin comment from release-major-tag

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: document cosign verification in README (goreleaser#553)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: drop pre-cosign-v3 goreleaser versions from tests (goreleaser#554)

GoReleaser v2.13.0 was the first release to ship the cosign v3 sigstore-bundle 'checksums.txt.sigstore.json' alongside the archive. Earlier releases only publish a cosign v2 detached '.sig', which the action's verifier does not understand and silently skips.

Drop '~> 1.26' / '~> 2.6' / 'v0.182.0' / '~> v1' from the matrix and the install tests; pin '~> 2.13' as the minimum-supported version we actively exercise in CI. Document v2.13.0 as the minimum cosign-verifiable version in the README.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: cover install across release eras (goreleaser#555)

Add install tests pinned to versions that exercise every release era so we don't regress the graceful-skip path for releases that pre-date the cosign v3 sigstore bundle:

- v0.182.0 pre-checksums-signing
- v1.26.2 cosign v2 detached .sig only
- v2.12.4 last release before sigstore bundles
- v2.13.0 first release with sigstore bundle (minimum verifiable)
- v2.15.3 recent release with sigstore bundle

Plus an explicit verifyChecksum integration test that installs v2.12.4 with cosign in PATH to confirm the cosign step is skipped (not failed) when the sigstore bundle is absent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: add `version-file` input (goreleaser#556)

Resolves the GoReleaser version from a file. Currently supports the asdf/mise `.tool-versions` format; resolved value takes precedence over the `version` input.

```
# .tool-versions
goreleaser 2.13.0
```

```yaml
- uses: goreleaser/goreleaser-action@v7
  with:
    version-file: .tool-versions
    args: release --clean
```

Path is resolved relative to `workdir` unless absolute. Bare semvers are auto-prefixed with `v`; constraint expressions and `latest` are returned as-is. Multiple fallback versions per asdf convention are accepted but only the first is used.

Refs goreleaser#541
Closes goreleaser#542

Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (goreleaser#558)

* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release

Query GitHub releases API to resolve the 'nightly' version input to the latest immutable nightly tag, replacing the moving 'nightly' tag that is being removed for supply-chain hardening.

Refs goreleaser/goreleaser#6550

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: keep legacy 'nightly' tag working during transition

Fall back to the moving 'nightly' tag when no immutable vX.Y.Z-<sha>-nightly release is found, so the action keeps working between this release and the goreleaser nightly switchover.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: assert isNightlyTag accepts legacy fallback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: accept nightly tags without 'v' prefix

goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly (no 'v' prefix). Make the nightly tag regex tolerate either form, and split the integration tests so OSS asserts the legacy fallback while Pro asserts the new <version>-<sha>-nightly format.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Revert "fix: accept nightly tags without 'v' prefix"

The missing 'v' prefix on the goreleaser-pro nightly was a release mistake; new nightlies will keep the 'v' prefix.

This reverts commit 7673f7f.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: pass GITHUB_TOKEN to tests

The new nightly resolution hits api.github.com/repos/.../releases, which is rate-limited for unauthenticated requests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: note GITHUB_TOKEN need for nightly resolution

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: drop legacy 'nightly' tag fallback

Both goreleaser and goreleaser-pro now publish nightly releases as vX.Y.Z-<sha>-nightly, so the action no longer needs to special-case or fall back to the moving 'nightly' tag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci(nightly): pass GITHUB_TOKEN to nightly integration job

Releases API is rate-limited for unauthenticated requests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci(deps): bump the actions group with 3 updates (goreleaser#560)

Bumps the actions group with 3 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/setup-node](https://github.com/actions/setup-node).

Updates `sigstore/cosign-installer` from 3.9.2 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@d58896d...cad07c2)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/setup-node` from 5.0.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@a0853c2...48b55a0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: update actions

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: nightly resolution to select newest published release (goreleaser#562)

* fix(nightly): pick latest nightly by published_at

GitHub's /releases endpoint is not reliably ordered by published_at, so resolveNightly could pick an older nightly than the most recent one. Filter, sort by published_at desc, and take the first.

* test(nightly): add regression coverage for release ordering

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* ci(deps): bump the actions group with 3 updates (goreleaser#563)

Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [codecov/codecov-action](https://github.com/codecov/codecov-action).

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `codecov/codecov-action` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@57e3a13...e79a696)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: haya14busa <haya14busa@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Timo <flecno@flecno.de>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
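
The nightly resolution described in the commit messages above (immutable `vX.Y.Z-<sha>-nightly` tags, newest by `published_at` rather than by list position), as an added JavaScript example that is not the action's own code. The function names, the hex-SHA assumption in the regex and the release list are constructed for illustration.

```javascript
// Added example, not the action's source. Field names (tag_name, published_at,
// draft) follow the GitHub REST releases API; function names are hypothetical.

// Immutable nightly tag, vX.Y.Z-<sha>-nightly. The 'v' is mandatory and the bare
// moving tag 'nightly' must not match. Assumption: <sha> is 7-40 lowercase hex.
const NIGHTLY_TAG = /^v\d+\.\d+\.\d+-[0-9a-f]{7,40}-nightly$/;

function isImmutableNightlyTag(tag) {
  return typeof tag === 'string' && NIGHTLY_TAG.test(tag);
}

// Order-dependent selection: trusts the API to list the newest release first.
function pickFirstListed(releases) {
  const hit = releases.find(r => !r.draft && isImmutableNightlyTag(r.tag_name));
  return hit ? hit.tag_name : null;
}

// Filter, sort by published_at descending, take the first.
function pickLatestNightly(releases) {
  const candidates = releases
    .filter(r => !r.draft && isImmutableNightlyTag(r.tag_name))
    .map(r => ({tag: r.tag_name, ts: Date.parse(r.published_at)}))
    .filter(c => !Number.isNaN(c.ts)); // drop missing or malformed timestamps
  if (candidates.length === 0) {
    // No fallback to a moving tag: fail so the caller sees the problem.
    throw new Error('no immutable nightly release found');
  }
  // Tie-break on tag name so equal timestamps resolve deterministically.
  candidates.sort(
    (a, b) => b.ts - a.ts || (a.tag < b.tag ? 1 : a.tag > b.tag ? -1 : 0)
  );
  return candidates[0].tag;
}

// Constructed sample, deliberately not in chronological order.
const SAMPLE_RELEASES = [
  {tag_name: 'v2.16.0-aaaaaaa11-nightly', published_at: '2026-05-10T03:00:00Z', draft: false},
  // Moving tag with the newest timestamp: mutable, so it is never a candidate.
  {tag_name: 'nightly', published_at: '2026-05-14T03:00:00Z', draft: false},
  // Stable release, not a nightly.
  {tag_name: 'v2.15.3', published_at: '2026-05-13T12:00:00Z', draft: false},
  {tag_name: 'v2.16.0-ccccccc33-nightly', published_at: '2026-05-12T03:00:00Z', draft: false},
  // Missing 'v' prefix: rejected by the strict pattern.
  {tag_name: '2.16.0-ddddddd44-nightly', published_at: '2026-05-13T03:00:00Z', draft: false},
  // Draft: unpublished, published_at is null.
  {tag_name: 'v2.16.0-eeeeeee55-nightly', published_at: null, draft: true},
  {tag_name: 'v2.16.0-bbbbbbb22-nightly', published_at: '2026-05-11T03:00:00Z', draft: false}
];

console.log('first listed :', pickFirstListed(SAMPLE_RELEASES));
console.log('latest by date:', pickLatestNightly(SAMPLE_RELEASES));
```

On the sample list the order-dependent pick returns the oldest nightly, while the sorted pick returns the newest immutable one and ignores the moving tag even though it carries the latest timestamp.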
refs https://github.com/orgs/goreleaser/discussions/5954