Skip to content

feat: add version-file input#542

Closed
acouvreur wants to merge 5 commits into
goreleaser:masterfrom
acouvreur:add-version-file-input
Closed

feat: add version-file input#542
acouvreur wants to merge 5 commits into
goreleaser:masterfrom
acouvreur:add-version-file-input

Conversation

@acouvreur

@acouvreur acouvreur commented Feb 24, 2026

Copy link
Copy Markdown
Contributor

You can now use .tool-versions file to specify GoReleaser version to download

Closes #541


Testing

With version-file referencing a non-existing file

Typo .tools-version instead of .tool-versions

image

sablierapp/sablier@0700179

With version-file referencing .tool-versions file

image

sablierapp/sablier@94739c4

No version specified

image

sablierapp/sablier@d5d4432

You can now use .tool-versions file to specify GoReleaser version to download
@acouvreur acouvreur marked this pull request as draft February 24, 2026 00:49
@acouvreur acouvreur marked this pull request as ready for review February 24, 2026 00:55

@caarlos0 caarlos0 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good - could you add tests as well? there's a bunch in there, you can follow their lead

@acouvreur

Copy link
Copy Markdown
Contributor Author

@caarlos0 just added a test file!

@codecov

codecov Bot commented Feb 25, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.78%. Comparing base (14707cd) to head (9307d0b).
⚠️ Report is 66 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #542      +/-   ##
==========================================
+ Coverage   66.92%   68.78%   +1.86%     
==========================================
  Files           3        4       +1     
  Lines         130      157      +27     
  Branches       23       43      +20     
==========================================
+ Hits           87      108      +21     
- Misses         27       49      +22     
+ Partials       16        0      -16     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@acouvreur

Copy link
Copy Markdown
Contributor Author

Hey sorry about the missing unused imports, I will clean it up

@acouvreur

Copy link
Copy Markdown
Contributor Author

@caarlos0 I've updated the test file to remove the unused imports, tell me if that
s good for you!

Comment thread src/version.ts Outdated
Comment on lines +10 to +14
if (requestedVersion && versionFilePath) {
core.warning(
`Both version (${requestedVersion}) and version-file (${versionFilePath}) inputs are specified, only version will be used`
);
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder if it would be better to simplify all this making version-file having precedence

so, if version-file is given, use it, or error

otherwise, use version, which would also mean we don't need to manually default to ~> v2

wdyt?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is a better solution indeed because then I can revert all the changes about how the default version is computed.

I've taken much inspiration from the current implementation in the goreleaser action, so I've essentially implemented the same behavior.

Let me change it with your suggestion.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support for selecting the GoReleaser version via a version-file input (currently .tool-versions), with parsing logic and tests.

Changes:

  • Introduced getRequestedVersion() to resolve version from version or version-file.
  • Wired resolved version into the installation flow in src/main.ts.
  • Documented the new input and added Jest coverage for version resolution.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
src/version.ts Adds logic to resolve GoReleaser version from .tool-versions (or fall back to version).
src/main.ts Uses resolved version when installing GoReleaser.
src/context.ts Adds versionFile input wiring.
action.yml Declares new version-file input.
tests/version.test.ts Adds Jest tests for version resolution behavior.
README.md Documents version-file and updates TOC / inputs list.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/version.ts
Comment on lines +11 to +18
const workingDirectory = inputs.workdir;
if (workingDirectory) {
versionFilePath = path.join(workingDirectory, versionFilePath);
}

if (!fs.existsSync(versionFilePath)) {
throw new Error(`The specified GoReleaser version file at: ${versionFilePath} does not exist`);
}

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This always resolves version-file relative to workdir when workdir is set (including common monorepo setups where workdir is a subdirectory). That makes it impossible to reference a version file in the repo root while also using a non-root workdir, despite the docs saying the path can be relative to the root or workdir. Consider resolving relative paths by checking both candidates (repo root path first, then path.join(workdir, versionFile)), or updating the docs to state that version-file is interpreted relative to workdir when provided.

Copilot uses AI. Check for mistakes.
Comment thread src/version.ts
if (path.basename(versionFilePath) === '.tool-versions') {
// asdf/mise file.
const match = content.match(/^goreleaser\s+([^\n#]+)/m);
requestedVersion = match ? 'v' + match[1].trim().replace(/^v/gi, '') : '';

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If .tool-versions doesn’t contain a goreleaser ... entry, this sets requestedVersion to an empty string, which will likely cause a confusing failure later during install. Prefer throwing a clear error when no matching entry is found (e.g., file exists but no goreleaser line), so users get an actionable message.

Suggested change
requestedVersion = match ? 'v' + match[1].trim().replace(/^v/gi, '') : '';
if (!match) {
throw new Error(
`No 'goreleaser' entry found in ${versionFilePath}. ` +
"Please add a line like 'goreleaser <version>' or specify the version input directly."
);
}
requestedVersion = 'v' + match[1].trim().replace(/^v/gi, '');

Copilot uses AI. Check for mistakes.
Comment thread src/version.ts

if (path.basename(versionFilePath) === '.tool-versions') {
// asdf/mise file.
const match = content.match(/^goreleaser\s+([^\n#]+)/m);

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parser requires goreleaser to start at column 0. .tool-versions files sometimes contain leading whitespace; allowing optional leading spaces (e.g., ^\\s*goreleaser\\s+... with the m flag) would make the parsing more robust without changing intended behavior.

Suggested change
const match = content.match(/^goreleaser\s+([^\n#]+)/m);
const match = content.match(/^\s*goreleaser\s+([^\n#]+)/m);

Copilot uses AI. Check for mistakes.
Comment thread __tests__/version.test.ts
expect(v).toBe('v1.2.3');
});

it('parses .tool-versions and returns v-prefixed version', () => {

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).

Copilot uses AI. Check for mistakes.
Comment thread __tests__/version.test.ts
expect(v).toBe('v1.2.3');
});

it('when both version and version-file are provided, version-file takes precedence', () => {

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).

Copilot uses AI. Check for mistakes.
Comment thread __tests__/version.test.ts
const v = getRequestedVersion(inputs);
expect(v).toBe('v1.2.3');
});

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).

Suggested change
it('throws when .tool-versions exists but has no goreleaser entry', () => {
const toolVersionsPath = path.join(tmpDir, '.tool-versions');
fs.writeFileSync(toolVersionsPath, 'nodejs 20.0.0\n');
const inputs: Inputs = {
distribution: 'goreleaser',
version: '',
versionFile: '.tool-versions',
args: '',
workdir: tmpDir,
installOnly: false
};
expect(() => getRequestedVersion(inputs)).toThrow(/goreleaser/i);
});
it('throws when .tool-versions has a malformed goreleaser entry', () => {
const toolVersionsPath = path.join(tmpDir, '.tool-versions');
fs.writeFileSync(toolVersionsPath, 'goreleaser not-a-version\n');
const inputs: Inputs = {
distribution: 'goreleaser',
version: '',
versionFile: '.tool-versions',
args: '',
workdir: tmpDir,
installOnly: false
};
expect(() => getRequestedVersion(inputs)).toThrow(/goreleaser/i);
});

Copilot uses AI. Check for mistakes.
Comment thread __tests__/version.test.ts
expect(() => getRequestedVersion(inputs)).toThrow();
});

it('throws when version-file is an unsupported type', () => {

Copilot AI Mar 3, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).

Copilot uses AI. Check for mistakes.
caarlos0 added a commit that referenced this pull request Apr 18, 2026
Resolves the GoReleaser version from a file. Currently supports the
asdf/mise `.tool-versions` format; resolved value takes precedence
over the `version` input.

  # .tool-versions
  goreleaser 2.13.0

  - uses: goreleaser/goreleaser-action@v7
    with:
      version-file: .tool-versions
      args: release --clean

Path is resolved relative to `workdir` unless absolute. Bare semvers
are auto-prefixed with `v`; constraint expressions and `latest` are
returned as-is. Multiple fallback versions per asdf convention are
accepted but only the first is used.

Refs #541
Closes #542

Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@caarlos0

Copy link
Copy Markdown
Member

Hi @acouvreur — thanks a lot for this contribution! I'm taking the work over in #556 to add more test coverage and tighten parsing edge cases (inline comments, asdf fallback lists, error messages). The original feature design is preserved. Crediting you as co-author on the commit.

@caarlos0

Copy link
Copy Markdown
Member

merged in #556 - thanks!

pull Bot pushed a commit to Ausaci/goreleaser-action that referenced this pull request Apr 24, 2026
Resolves the GoReleaser version from a file. Currently supports the
asdf/mise `.tool-versions` format; resolved value takes precedence
over the `version` input.

  # .tool-versions
  goreleaser 2.13.0

  - uses: goreleaser/goreleaser-action@v7
    with:
      version-file: .tool-versions
      args: release --clean

Path is resolved relative to `workdir` unless absolute. Bare semvers
are auto-prefixed with `v`; constraint expressions and `latest` are
returned as-is. Multiple fallback versions per asdf convention are
accepted but only the first is used.

Refs goreleaser#541
Closes goreleaser#542

Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ziemowit-orlikowski added a commit to Elmnt-Internal/goreleaser-action that referenced this pull request Jun 22, 2026
* chore(deps): bump @actions/core from 1.10.1 to 1.11.1 (goreleaser#478)

Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.1 to 1.11.1.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: bump upload-artifact version (goreleaser#479)

* chore: update generated content (goreleaser#480)

* chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 (goreleaser#482)

Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6.
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6)

---
updated-dependencies:
- dependency-name: cross-spawn
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: update for goreleaser v2.7

* chore(deps): update actions

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* chore(deps): update semver and tool-cache

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* test: fix configs

* test: fixes

* chore(deps): bake vendor

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* chore(deps): bump codecov/codecov-action from 4 to 5 (goreleaser#481)

* chore(deps): bump codecov/codecov-action from 4 to 5

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v4...v5)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci: fix deprecated codecov input

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

* chore(deps): bump undici from 5.28.3 to 5.28.5 (goreleaser#488)

* chore(deps): bump undici from 5.28.3 to 5.28.5

Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.5.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.28.3...v5.28.5)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update generated content

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

* ci: update bake-action to v6 (goreleaser#493)

* ci: set contents read as default workflow permissions (goreleaser#494)

* fix: support .config directory for goreleaser config files  (goreleaser#500)

* fix: support .config directory for goreleaser config files

Add support for .config/goreleaser.yaml and .config/goreleaser.yml
configuration files to match GoReleaser's official search order.

* run $ docker buildx bake build

* chore(deps): bump semver from 7.7.1 to 7.7.2 (goreleaser#495)

* chore(deps): bump semver from 7.7.1 to 7.7.2

Bumps [semver](https://github.com/npm/node-semver) from 7.7.1 to 7.7.2.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.7.1...v7.7.2)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update generated content

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

* chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 (goreleaser#498)

Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: do not get releases.json if version is specific (goreleaser#502)

closes goreleaser#489

* chore(deps): bump undici from 5.28.5 to 5.29.0 (goreleaser#496)

* chore(deps): bump undici from 5.28.5 to 5.29.0

Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update generated content

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

* feat: retry downloading releases json (goreleaser#503)

refs https://github.com/orgs/goreleaser/discussions/5954

* chore(deps): bump actions/checkout from 4 to 5 (goreleaser#504)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: upgrade checkout GitHub Action in README.md (goreleaser#507)

* sec: pin github action versions (goreleaser#514)

using caarlos0/pinata

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci: update dependabot

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: typo

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci(deps): bump the actions group with 2 updates (goreleaser#517)

Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/setup-go` from 5.5.0 to 6.0.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@d35c59a...4469467)

Updates `actions/upload-artifact` from 4.6.2 to 5.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...330a01c)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump the actions group with 2 updates (goreleaser#523)

Bumps the actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-go](https://github.com/actions/setup-go).


Updates `actions/checkout` from 5.0.0 to 6.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@08c6903...1af3b93)

Updates `actions/setup-go` from 6.0.0 to 6.1.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4469467...4dc6199)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump docker/bake-action in the actions group (goreleaser#526)

Bumps the actions group with 1 update: [docker/bake-action](https://github.com/docker/bake-action).


Updates `docker/bake-action` from 6.9.0 to 6.10.0
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](docker/bake-action@3acf805...5be5f02)

---
updated-dependencies:
- dependency-name: docker/bake-action
  dependency-version: 6.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump the actions group across 1 directory with 4 updates (goreleaser#532)

Bumps the actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `actions/checkout` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@1af3b93...8e8c483)

Updates `actions/setup-go` from 6.1.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4dc6199...7a3fe6c)

Updates `actions/upload-artifact` from 5.0.0 to 6.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@330a01c...b7c566a)

Updates `codecov/codecov-action` from 5.5.1 to 5.5.2
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@5a10915...671740a)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-go
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 5.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group (goreleaser#534)

Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6.0.1 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@8e8c483...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat!: node 24, update deps, rm yarn, ESM (goreleaser#533)

* chore(deps): bump the npm group across 1 directory with 7 updates

Bumps the npm group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.11.1` | `2.0.2` |
| [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) | `1.1.1` | `2.0.0` |
| [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client) | `2.2.3` | `3.0.1` |
| [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache) | `2.0.2` | `3.0.0` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` |
| [semver](https://github.com/npm/node-semver) | `7.7.2` | `7.7.3` |
| [yargs](https://github.com/yargs/yargs) | `17.7.2` | `18.0.0` |



Updates `@actions/core` from 1.11.1 to 2.0.2
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/exec` from 1.1.1 to 2.0.0
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec)

Updates `@actions/http-client` from 2.2.3 to 3.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client)

Updates `@actions/tool-cache` from 2.0.2 to 3.0.0
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/tool-cache)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `semver` from 7.7.2 to 7.7.3
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.7.2...v7.7.3)

Updates `yargs` from 17.7.2 to 18.0.0
- [Release notes](https://github.com/yargs/yargs/releases)
- [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs@v17.7.2...v18.0.0)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: "@actions/exec"
  dependency-version: 2.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: "@actions/http-client"
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: "@actions/tool-cache"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: semver
  dependency-version: 7.7.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: yargs
  dependency-version: 18.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

* refactor: remove yarn, update to node 24

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* chore: review

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: stable

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: add job to automate dependabot pre-checkin/vendor

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* chore: gitignore

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* chore(deps): bump the npm group across 1 directory with 4 updates (goreleaser#536)

* chore(deps): bump the npm group across 1 directory with 4 updates

Bumps the npm group with 3 updates in the / directory: [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core), [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) and [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache).


Updates `@actions/core` from 2.0.2 to 3.0.0
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/exec` from 2.0.0 to 3.0.0
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec)

Updates `@actions/http-client` from 3.0.1 to 3.0.2
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client)

Updates `@actions/tool-cache` from 3.0.0 to 4.0.0
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/@actions/cache@4.0.0/packages/tool-cache)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: "@actions/exec"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
- dependency-name: "@actions/http-client"
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@actions/tool-cache"
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update dist and vendor

* chore: rm provenance

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* test: use esm in jest

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci: fix npm run test

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* chore(deps): bump @actions/http-client from 3.0.2 to 4.0.0 in the npm group (goreleaser#537)

* chore(deps): bump @actions/http-client in the npm group

Bumps the npm group with 1 update: [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client).


Updates `@actions/http-client` from 3.0.2 to 4.0.0
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/@actions/cache@4.0.0/packages/http-client)

---
updated-dependencies:
- dependency-name: "@actions/http-client"
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update dist and vendor

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* ci(deps): bump docker/setup-buildx-action in the actions group (goreleaser#538)

Bumps the actions group with 1 update: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action).


Updates `docker/setup-buildx-action` from 3.10.0 to 3.12.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@b5ca514...8d2750c)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 3.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group (goreleaser#539)

* chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group

Bumps the npm group with 1 update: [semver](https://github.com/npm/node-semver).


Updates `semver` from 7.7.3 to 7.7.4
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md)
- [Commits](npm/node-semver@v7.7.3...v7.7.4)

---
updated-dependencies:
- dependency-name: semver
  dependency-version: 7.7.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update dist and vendor

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: gitignore provenance.json

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci: update dependabot settings

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: gitignore

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: yargs usage

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* docs: update

* fix: bake vendor

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci(deps): bump the actions group with 2 updates (goreleaser#543)

Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

Updates `actions/upload-artifact` from 6.0.0 to 7.0.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump undici from 6.23.0 to 6.24.1 (goreleaser#545)

Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.24.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.24.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: use new static URL

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* clean: leftover files from node 22(?)

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* ci(deps): bump the actions group with 5 updates (goreleaser#546)

* ci(deps): bump the actions group with 5 updates

Bumps the actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` |
| [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) | `6.3.0` | `7.0.0` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.12.0` | `4.0.0` |
| [docker/bake-action](https://github.com/docker/bake-action) | `6.10.0` | `7.0.0` |
| [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.5.2` | `6.0.0` |


Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@4b73464...4a36011)

Updates `crazy-max/ghaction-import-gpg` from 6.3.0 to 7.0.0
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Commits](crazy-max/ghaction-import-gpg@e89d409...2dc316d)

Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)

Updates `docker/bake-action` from 6.10.0 to 7.0.0
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](docker/bake-action@5be5f02...8249049)

Updates `codecov/codecov-action` from 5.5.2 to 6.0.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@671740a...57e3a13)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/bake-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci: switch to matrix subaction for bake

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

* docs: Upgrade import GPG action version (goreleaser#547)

* feat: verify release checksum and cosign signature (goreleaser#550)

* feat: verify release checksum and cosign signature

Download checksums.txt for the release and verify the SHA-256 of the
downloaded archive against it. When cosign is available in PATH, also
download checksums.txt.sigstore.json and verify the signature against
the goreleaser/goreleaser-pro release workflow identity. Both steps
degrade gracefully (with a warning) when the corresponding artifacts
or tooling are missing.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: use install() for checksum e2e tests

Drop the http-client download helper from verifyChecksum integration
tests; call goreleaser.install() instead so the test exercises the
public API path and avoids duplicating download logic.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add CONTRIBUTING with pre-commit workflow

Document the docker buildx bake pre-checkin / test / validate sequence
contributors need before pushing, and call out the Alpine-built dist/
gotcha so PRs don't bounce on build-validate.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: drop docker-bake in favor of plain npm (goreleaser#551)

* build: drop docker-bake in favor of plain npm

Every TypeScript action maintained by actions/* (checkout, setup-node,
setup-go, cache, upload-artifact) uses plain npm scripts. The bake
setup is a docker/* org convention and adds friction for TS work:
contributors need Docker, the dev loop is ~10x slower than npm, and
Alpine-vs-host byte drift in dist/index.js makes PRs bounce.

Replace with the standard pattern:
- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake
  targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node)
  and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake

CONTRIBUTING.md and README development section updated to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: align scripts and workflows with actions/* convention

Match the standard layout used by actions/checkout, actions/setup-node,
etc.:

- package.json scripts: split format/format-check (Prettier) from
  lint/lint:fix (ESLint), and have pre-checkin run all four (format,
  lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on
  dependabot PRs; the check-dist style validate / build job catches
  drift and a maintainer rebuilds locally if needed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add release-major-tag workflow (goreleaser#552)

* build: drop docker-bake in favor of plain npm

Every TypeScript action maintained by actions/* (checkout, setup-node,
setup-go, cache, upload-artifact) uses plain npm scripts. The bake
setup is a docker/* org convention and adds friction for TS work:
contributors need Docker, the dev loop is ~10x slower than npm, and
Alpine-vs-host byte drift in dist/index.js makes PRs bounce.

Replace with the standard pattern:
- .node-version pins Node 24 so contributors and CI agree
- npm scripts (build, lint, format, test, pre-checkin) replace bake
  targets one-for-one
- validate.yml runs lint + a check-dist diff (mirrors actions/setup-node)
  and a vendor check that npm install --package-lock-only is a no-op
- test.yml uses setup-node + sigstore/cosign-installer, drops bake-action
- dependabot-build.yml regenerates dist via npm instead of bake

CONTRIBUTING.md and README development section updated to match.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* build: align scripts and workflows with actions/* convention

Match the standard layout used by actions/checkout, actions/setup-node,
etc.:

- package.json scripts: split format/format-check (Prettier) from
  lint/lint:fix (ESLint), and have pre-checkin run all four (format,
  lint:fix, build, test) in that order.
- validate.yml lint job runs format-check + lint as separate steps.
- test.yml drops the redundant --coverage flag (now in the test script).
- Drop dependabot-build.yml: actions/* don't auto-rebuild dist on
  dependabot PRs; the check-dist style validate / build job catches
  drift and a maintainer rebuilds locally if needed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: add release-major-tag workflow

Adopts the actions/checkout pattern (workflow_dispatch with target +
major_version inputs that force-pushes the major tag). Doubles as a
rollback tool. Documented in CONTRIBUTING under a 'Releasing' section.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: drop irrelevant pin comment from release-major-tag

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: document cosign verification in README (goreleaser#553)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: drop pre-cosign-v3 goreleaser versions from tests (goreleaser#554)

GoReleaser v2.13.0 was the first release to ship the cosign v3
sigstore-bundle 'checksums.txt.sigstore.json' alongside the archive.
Earlier releases only publish a cosign v2 detached '.sig', which the
action's verifier does not understand and silently skips.

Drop '~> 1.26' / '~> 2.6' / 'v0.182.0' / '~> v1' from the matrix and
the install tests; pin '~> 2.13' as the minimum-supported version we
actively exercise in CI. Document v2.13.0 as the minimum cosign-
verifiable version in the README.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: cover install across release eras (goreleaser#555)

Add install tests pinned to versions that exercise every release era so
we don't regress the graceful-skip path for releases that pre-date the
cosign v3 sigstore bundle:

- v0.182.0  pre-checksums-signing
- v1.26.2   cosign v2 detached .sig only
- v2.12.4   last release before sigstore bundles
- v2.13.0   first release with sigstore bundle (minimum verifiable)
- v2.15.3   recent release with sigstore bundle

Plus an explicit verifyChecksum integration test that installs v2.12.4
with cosign in PATH to confirm the cosign step is skipped (not failed)
when the sigstore bundle is absent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: add `version-file` input (goreleaser#556)

Resolves the GoReleaser version from a file. Currently supports the
asdf/mise `.tool-versions` format; resolved value takes precedence
over the `version` input.

  # .tool-versions
  goreleaser 2.13.0

  - uses: goreleaser/goreleaser-action@v7
    with:
      version-file: .tool-versions
      args: release --clean

Path is resolved relative to `workdir` unless absolute. Bare semvers
are auto-prefixed with `v`; constraint expressions and `latest` are
returned as-is. Multiple fallback versions per asdf convention are
accepted but only the first is used.

Refs goreleaser#541
Closes goreleaser#542

Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (goreleaser#558)

* feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release

Query GitHub releases API to resolve the 'nightly' version input to the
latest immutable nightly tag, replacing the moving 'nightly' tag that is
being removed for supply-chain hardening.

Refs goreleaser/goreleaser#6550

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat: keep legacy 'nightly' tag working during transition

Fall back to the moving 'nightly' tag when no immutable
vX.Y.Z-<sha>-nightly release is found, so the action keeps working
between this release and the goreleaser nightly switchover.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: assert isNightlyTag accepts legacy fallback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: accept nightly tags without 'v' prefix

goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly
(no 'v' prefix). Make the nightly tag regex tolerate either form, and
split the integration tests so OSS asserts the legacy fallback while
Pro asserts the new <version>-<sha>-nightly format.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Revert "fix: accept nightly tags without 'v' prefix"

The missing 'v' prefix on the goreleaser-pro nightly was a release
mistake; new nightlies will keep the 'v' prefix.

This reverts commit 7673f7f.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci: pass GITHUB_TOKEN to tests

The new nightly resolution hits api.github.com/repos/.../releases,
which is rate-limited for unauthenticated requests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: note GITHUB_TOKEN need for nightly resolution

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: drop legacy 'nightly' tag fallback

Both goreleaser and goreleaser-pro now publish nightly releases as
vX.Y.Z-<sha>-nightly, so the action no longer needs to special-case
or fall back to the moving 'nightly' tag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci(nightly): pass GITHUB_TOKEN to nightly integration job

Releases API is rate-limited for unauthenticated requests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* ci(deps): bump the actions group with 3 updates (goreleaser#560)

Bumps the actions group with 3 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/setup-node](https://github.com/actions/setup-node).


Updates `sigstore/cosign-installer` from 3.9.2 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@d58896d...cad07c2)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/setup-node` from 5.0.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@a0853c2...48b55a0)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: update actions

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

* fix: nightly resolution to select newest published release (goreleaser#562)

* fix(nightly): pick latest nightly by published_at

GitHub's /releases endpoint is not reliably ordered by published_at,
so resolveNightly could pick an older nightly than the most recent
one. Filter, sort by published_at desc, and take the first.

* test(nightly): add regression coverage for release ordering

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>

* ci(deps): bump the actions group with 3 updates (goreleaser#563)

Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@cad07c2...6f9f177)

Updates `codecov/codecov-action` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@57e3a13...e79a696)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kévin Dunglas <kevin@dunglas.fr>
Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: haya14busa <haya14busa@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Timo <flecno@flecno.de>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add a version file input

3 participants