feat: add version-file input#542
Conversation
You can now use .tool-versions file to specify GoReleaser version to download
caarlos0
left a comment
There was a problem hiding this comment.
looks good - could you add tests as well? there's a bunch in there, you can follow their lead
|
@caarlos0 just added a test file! |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #542 +/- ##
==========================================
+ Coverage 66.92% 68.78% +1.86%
==========================================
Files 3 4 +1
Lines 130 157 +27
Branches 23 43 +20
==========================================
+ Hits 87 108 +21
- Misses 27 49 +22
+ Partials 16 0 -16 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
Hey sorry about the missing unused imports, I will clean it up |
|
@caarlos0 I've updated the test file to remove the unused imports, tell me if that |
| if (requestedVersion && versionFilePath) { | ||
| core.warning( | ||
| `Both version (${requestedVersion}) and version-file (${versionFilePath}) inputs are specified, only version will be used` | ||
| ); | ||
| } |
There was a problem hiding this comment.
i wonder if it would be better to simplify all this making version-file having precedence
so, if version-file is given, use it, or error
otherwise, use version, which would also mean we don't need to manually default to ~> v2
wdyt?
There was a problem hiding this comment.
I think it is a better solution indeed because then I can revert all the changes about how the default version is computed.
I've taken much inspiration from the current implementation in the goreleaser action, so I've essentially implemented the same behavior.
Let me change it with your suggestion.
There was a problem hiding this comment.
Pull request overview
Adds support for selecting the GoReleaser version via a version-file input (currently .tool-versions), with parsing logic and tests.
Changes:
- Introduced
getRequestedVersion()to resolve version fromversionorversion-file. - Wired resolved version into the installation flow in
src/main.ts. - Documented the new input and added Jest coverage for version resolution.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| src/version.ts | Adds logic to resolve GoReleaser version from .tool-versions (or fall back to version). |
| src/main.ts | Uses resolved version when installing GoReleaser. |
| src/context.ts | Adds versionFile input wiring. |
| action.yml | Declares new version-file input. |
| tests/version.test.ts | Adds Jest tests for version resolution behavior. |
| README.md | Documents version-file and updates TOC / inputs list. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| const workingDirectory = inputs.workdir; | ||
| if (workingDirectory) { | ||
| versionFilePath = path.join(workingDirectory, versionFilePath); | ||
| } | ||
|
|
||
| if (!fs.existsSync(versionFilePath)) { | ||
| throw new Error(`The specified GoReleaser version file at: ${versionFilePath} does not exist`); | ||
| } |
There was a problem hiding this comment.
This always resolves version-file relative to workdir when workdir is set (including common monorepo setups where workdir is a subdirectory). That makes it impossible to reference a version file in the repo root while also using a non-root workdir, despite the docs saying the path can be relative to the root or workdir. Consider resolving relative paths by checking both candidates (repo root path first, then path.join(workdir, versionFile)), or updating the docs to state that version-file is interpreted relative to workdir when provided.
| if (path.basename(versionFilePath) === '.tool-versions') { | ||
| // asdf/mise file. | ||
| const match = content.match(/^goreleaser\s+([^\n#]+)/m); | ||
| requestedVersion = match ? 'v' + match[1].trim().replace(/^v/gi, '') : ''; |
There was a problem hiding this comment.
If .tool-versions doesn’t contain a goreleaser ... entry, this sets requestedVersion to an empty string, which will likely cause a confusing failure later during install. Prefer throwing a clear error when no matching entry is found (e.g., file exists but no goreleaser line), so users get an actionable message.
| requestedVersion = match ? 'v' + match[1].trim().replace(/^v/gi, '') : ''; | |
| if (!match) { | |
| throw new Error( | |
| `No 'goreleaser' entry found in ${versionFilePath}. ` + | |
| "Please add a line like 'goreleaser <version>' or specify the version input directly." | |
| ); | |
| } | |
| requestedVersion = 'v' + match[1].trim().replace(/^v/gi, ''); |
|
|
||
| if (path.basename(versionFilePath) === '.tool-versions') { | ||
| // asdf/mise file. | ||
| const match = content.match(/^goreleaser\s+([^\n#]+)/m); |
There was a problem hiding this comment.
The parser requires goreleaser to start at column 0. .tool-versions files sometimes contain leading whitespace; allowing optional leading spaces (e.g., ^\\s*goreleaser\\s+... with the m flag) would make the parsing more robust without changing intended behavior.
| const match = content.match(/^goreleaser\s+([^\n#]+)/m); | |
| const match = content.match(/^\s*goreleaser\s+([^\n#]+)/m); |
| expect(v).toBe('v1.2.3'); | ||
| }); | ||
|
|
||
| it('parses .tool-versions and returns v-prefixed version', () => { |
There was a problem hiding this comment.
There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).
| expect(v).toBe('v1.2.3'); | ||
| }); | ||
|
|
||
| it('when both version and version-file are provided, version-file takes precedence', () => { |
There was a problem hiding this comment.
There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).
| const v = getRequestedVersion(inputs); | ||
| expect(v).toBe('v1.2.3'); | ||
| }); | ||
|
|
There was a problem hiding this comment.
There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).
| it('throws when .tool-versions exists but has no goreleaser entry', () => { | |
| const toolVersionsPath = path.join(tmpDir, '.tool-versions'); | |
| fs.writeFileSync(toolVersionsPath, 'nodejs 20.0.0\n'); | |
| const inputs: Inputs = { | |
| distribution: 'goreleaser', | |
| version: '', | |
| versionFile: '.tool-versions', | |
| args: '', | |
| workdir: tmpDir, | |
| installOnly: false | |
| }; | |
| expect(() => getRequestedVersion(inputs)).toThrow(/goreleaser/i); | |
| }); | |
| it('throws when .tool-versions has a malformed goreleaser entry', () => { | |
| const toolVersionsPath = path.join(tmpDir, '.tool-versions'); | |
| fs.writeFileSync(toolVersionsPath, 'goreleaser not-a-version\n'); | |
| const inputs: Inputs = { | |
| distribution: 'goreleaser', | |
| version: '', | |
| versionFile: '.tool-versions', | |
| args: '', | |
| workdir: tmpDir, | |
| installOnly: false | |
| }; | |
| expect(() => getRequestedVersion(inputs)).toThrow(/goreleaser/i); | |
| }); |
| expect(() => getRequestedVersion(inputs)).toThrow(); | ||
| }); | ||
|
|
||
| it('throws when version-file is an unsupported type', () => { |
There was a problem hiding this comment.
There isn’t a test covering the case where .tool-versions exists but has no goreleaser entry (or has a malformed one). If getRequestedVersion() is updated to throw a specific error for that scenario (recommended), please add a Jest test asserting that behavior (ideally also asserting the error message).
Resolves the GoReleaser version from a file. Currently supports the
asdf/mise `.tool-versions` format; resolved value takes precedence
over the `version` input.
# .tool-versions
goreleaser 2.13.0
- uses: goreleaser/goreleaser-action@v7
with:
version-file: .tool-versions
args: release --clean
Path is resolved relative to `workdir` unless absolute. Bare semvers
are auto-prefixed with `v`; constraint expressions and `latest` are
returned as-is. Multiple fallback versions per asdf convention are
accepted but only the first is used.
Refs #541
Closes #542
Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
Hi @acouvreur — thanks a lot for this contribution! I'm taking the work over in #556 to add more test coverage and tighten parsing edge cases (inline comments, asdf fallback lists, error messages). The original feature design is preserved. Crediting you as co-author on the commit. |
|
merged in #556 - thanks! |
Resolves the GoReleaser version from a file. Currently supports the
asdf/mise `.tool-versions` format; resolved value takes precedence
over the `version` input.
# .tool-versions
goreleaser 2.13.0
- uses: goreleaser/goreleaser-action@v7
with:
version-file: .tool-versions
args: release --clean
Path is resolved relative to `workdir` unless absolute. Bare semvers
are auto-prefixed with `v`; constraint expressions and `latest` are
returned as-is. Multiple fallback versions per asdf convention are
accepted but only the first is used.
Refs goreleaser#541
Closes goreleaser#542
Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(deps): bump @actions/core from 1.10.1 to 1.11.1 (goreleaser#478) Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.1 to 1.11.1. - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) --- updated-dependencies: - dependency-name: "@actions/core" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: bump upload-artifact version (goreleaser#479) * chore: update generated content (goreleaser#480) * chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 (goreleaser#482) Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6) --- updated-dependencies: - dependency-name: cross-spawn dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: update for goreleaser v2.7 * chore(deps): update actions Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): update semver and tool-cache Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * test: fix configs * test: fixes * chore(deps): bake vendor Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): bump codecov/codecov-action from 4 to 5 (goreleaser#481) * chore(deps): bump codecov/codecov-action from 4 to 5 Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v4...v5) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * ci: fix deprecated codecov input --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * chore(deps): bump undici from 5.28.3 to 5.28.5 (goreleaser#488) * chore(deps): bump undici from 5.28.3 to 5.28.5 Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.5. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.28.3...v5.28.5) --- updated-dependencies: - dependency-name: undici dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update generated content --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * ci: update bake-action to v6 (goreleaser#493) * ci: set contents read as default workflow permissions (goreleaser#494) * fix: support .config directory for goreleaser config files (goreleaser#500) * fix: support .config directory for goreleaser config files Add support for .config/goreleaser.yaml and .config/goreleaser.yml configuration files to match GoReleaser's official search order. * run $ docker buildx bake build * chore(deps): bump semver from 7.7.1 to 7.7.2 (goreleaser#495) * chore(deps): bump semver from 7.7.1 to 7.7.2 Bumps [semver](https://github.com/npm/node-semver) from 7.7.1 to 7.7.2. - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.7.1...v7.7.2) --- updated-dependencies: - dependency-name: semver dependency-version: 7.7.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update generated content --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 (goreleaser#498) Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 1.1.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix: do not get releases.json if version is specific (goreleaser#502) closes goreleaser#489 * chore(deps): bump undici from 5.28.5 to 5.29.0 (goreleaser#496) * chore(deps): bump undici from 5.28.5 to 5.29.0 Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.28.5...v5.29.0) --- updated-dependencies: - dependency-name: undici dependency-version: 5.29.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update generated content --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * feat: retry downloading releases json (goreleaser#503) refs https://github.com/orgs/goreleaser/discussions/5954 * chore(deps): bump actions/checkout from 4 to 5 (goreleaser#504) Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v5) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * docs: upgrade checkout GitHub Action in README.md (goreleaser#507) * sec: pin github action versions (goreleaser#514) using caarlos0/pinata Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci: update dependabot Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: typo Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci(deps): bump the actions group with 2 updates (goreleaser#517) Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/setup-go` from 5.5.0 to 6.0.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@d35c59a...4469467) Updates `actions/upload-artifact` from 4.6.2 to 5.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@ea165f8...330a01c) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump the actions group with 2 updates (goreleaser#523) Bumps the actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/setup-go](https://github.com/actions/setup-go). Updates `actions/checkout` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@08c6903...1af3b93) Updates `actions/setup-go` from 6.0.0 to 6.1.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4469467...4dc6199) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/setup-go dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump docker/bake-action in the actions group (goreleaser#526) Bumps the actions group with 1 update: [docker/bake-action](https://github.com/docker/bake-action). Updates `docker/bake-action` from 6.9.0 to 6.10.0 - [Release notes](https://github.com/docker/bake-action/releases) - [Commits](docker/bake-action@3acf805...5be5f02) --- updated-dependencies: - dependency-name: docker/bake-action dependency-version: 6.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump the actions group across 1 directory with 4 updates (goreleaser#532) Bumps the actions group with 4 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `actions/checkout` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@1af3b93...8e8c483) Updates `actions/setup-go` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4dc6199...7a3fe6c) Updates `actions/upload-artifact` from 5.0.0 to 6.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@330a01c...b7c566a) Updates `codecov/codecov-action` from 5.5.1 to 5.5.2 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@5a10915...671740a) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 5.5.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group (goreleaser#534) Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8e8c483...de0fac2) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat!: node 24, update deps, rm yarn, ESM (goreleaser#533) * chore(deps): bump the npm group across 1 directory with 7 updates Bumps the npm group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.11.1` | `2.0.2` | | [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) | `1.1.1` | `2.0.0` | | [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client) | `2.2.3` | `3.0.1` | | [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache) | `2.0.2` | `3.0.0` | | [js-yaml](https://github.com/nodeca/js-yaml) | `4.1.0` | `4.1.1` | | [semver](https://github.com/npm/node-semver) | `7.7.2` | `7.7.3` | | [yargs](https://github.com/yargs/yargs) | `17.7.2` | `18.0.0` | Updates `@actions/core` from 1.11.1 to 2.0.2 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) Updates `@actions/exec` from 1.1.1 to 2.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec) Updates `@actions/http-client` from 2.2.3 to 3.0.1 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client) Updates `@actions/tool-cache` from 2.0.2 to 3.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/tool-cache) Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `semver` from 7.7.2 to 7.7.3 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.7.2...v7.7.3) Updates `yargs` from 17.7.2 to 18.0.0 - [Release notes](https://github.com/yargs/yargs/releases) - [Changelog](https://github.com/yargs/yargs/blob/main/CHANGELOG.md) - [Commits](yargs/yargs@v17.7.2...v18.0.0) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 2.0.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/exec" dependency-version: 2.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/http-client" dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/tool-cache" dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: semver dependency-version: 7.7.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: yargs dependency-version: 18.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * refactor: remove yarn, update to node 24 Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore: review Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: stable Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: add job to automate dependabot pre-checkin/vendor Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore: gitignore Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): bump the npm group across 1 directory with 4 updates (goreleaser#536) * chore(deps): bump the npm group across 1 directory with 4 updates Bumps the npm group with 3 updates in the / directory: [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core), [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) and [@actions/tool-cache](https://github.com/actions/toolkit/tree/HEAD/packages/tool-cache). Updates `@actions/core` from 2.0.2 to 3.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core) Updates `@actions/exec` from 2.0.0 to 3.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec) Updates `@actions/http-client` from 3.0.1 to 3.0.2 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client) Updates `@actions/tool-cache` from 3.0.0 to 4.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/tool-cache/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/@actions/cache@4.0.0/packages/tool-cache) --- updated-dependencies: - dependency-name: "@actions/core" dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/exec" dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm - dependency-name: "@actions/http-client" dependency-version: 3.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@actions/tool-cache" dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update dist and vendor * chore: rm provenance Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * test: use esm in jest Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci: fix npm run test Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * chore(deps): bump @actions/http-client from 3.0.2 to 4.0.0 in the npm group (goreleaser#537) * chore(deps): bump @actions/http-client in the npm group Bumps the npm group with 1 update: [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client). Updates `@actions/http-client` from 3.0.2 to 4.0.0 - [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md) - [Commits](https://github.com/actions/toolkit/commits/@actions/cache@4.0.0/packages/http-client) --- updated-dependencies: - dependency-name: "@actions/http-client" dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update dist and vendor --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * ci(deps): bump docker/setup-buildx-action in the actions group (goreleaser#538) Bumps the actions group with 1 update: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action). Updates `docker/setup-buildx-action` from 3.10.0 to 3.12.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@b5ca514...8d2750c) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 3.12.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group (goreleaser#539) * chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group Bumps the npm group with 1 update: [semver](https://github.com/npm/node-semver). Updates `semver` from 7.7.3 to 7.7.4 - [Release notes](https://github.com/npm/node-semver/releases) - [Changelog](https://github.com/npm/node-semver/blob/main/CHANGELOG.md) - [Commits](npm/node-semver@v7.7.3...v7.7.4) --- updated-dependencies: - dependency-name: semver dependency-version: 7.7.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com> * chore: update dist and vendor --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: gitignore provenance.json Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci: update dependabot settings Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: gitignore Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: yargs usage Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * docs: update * fix: bake vendor Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci(deps): bump the actions group with 2 updates (goreleaser#543) Bumps the actions group with 2 updates: [actions/setup-go](https://github.com/actions/setup-go) and [actions/upload-artifact](https://github.com/actions/upload-artifact). Updates `actions/setup-go` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@7a3fe6c...4b73464) Updates `actions/upload-artifact` from 6.0.0 to 7.0.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@b7c566a...bbbca2d) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump undici from 6.23.0 to 6.24.1 (goreleaser#545) Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v6.23.0...v6.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: update Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: use new static URL Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * clean: leftover files from node 22(?) Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * ci(deps): bump the actions group with 5 updates (goreleaser#546) * ci(deps): bump the actions group with 5 updates Bumps the actions group with 5 updates: | Package | From | To | | --- | --- | --- | | [actions/setup-go](https://github.com/actions/setup-go) | `6.3.0` | `6.4.0` | | [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) | `6.3.0` | `7.0.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `3.12.0` | `4.0.0` | | [docker/bake-action](https://github.com/docker/bake-action) | `6.10.0` | `7.0.0` | | [codecov/codecov-action](https://github.com/codecov/codecov-action) | `5.5.2` | `6.0.0` | Updates `actions/setup-go` from 6.3.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@4b73464...4a36011) Updates `crazy-max/ghaction-import-gpg` from 6.3.0 to 7.0.0 - [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases) - [Commits](crazy-max/ghaction-import-gpg@e89d409...2dc316d) Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@8d2750c...4d04d5d) Updates `docker/bake-action` from 6.10.0 to 7.0.0 - [Release notes](https://github.com/docker/bake-action/releases) - [Commits](docker/bake-action@5be5f02...8249049) Updates `codecov/codecov-action` from 5.5.2 to 6.0.0 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@671740a...57e3a13) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: crazy-max/ghaction-import-gpg dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/setup-buildx-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/bake-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> * ci: switch to matrix subaction for bake --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> * docs: Upgrade import GPG action version (goreleaser#547) * feat: verify release checksum and cosign signature (goreleaser#550) * feat: verify release checksum and cosign signature Download checksums.txt for the release and verify the SHA-256 of the downloaded archive against it. When cosign is available in PATH, also download checksums.txt.sigstore.json and verify the signature against the goreleaser/goreleaser-pro release workflow identity. Both steps degrade gracefully (with a warning) when the corresponding artifacts or tooling are missing. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: use install() for checksum e2e tests Drop the http-client download helper from verifyChecksum integration tests; call goreleaser.install() instead so the test exercises the public API path and avoids duplicating download logic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: add CONTRIBUTING with pre-commit workflow Document the docker buildx bake pre-checkin / test / validate sequence contributors need before pushing, and call out the Alpine-built dist/ gotcha so PRs don't bounce on build-validate. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * build: drop docker-bake in favor of plain npm (goreleaser#551) * build: drop docker-bake in favor of plain npm Every TypeScript action maintained by actions/* (checkout, setup-node, setup-go, cache, upload-artifact) uses plain npm scripts. The bake setup is a docker/* org convention and adds friction for TS work: contributors need Docker, the dev loop is ~10x slower than npm, and Alpine-vs-host byte drift in dist/index.js makes PRs bounce. Replace with the standard pattern: - .node-version pins Node 24 so contributors and CI agree - npm scripts (build, lint, format, test, pre-checkin) replace bake targets one-for-one - validate.yml runs lint + a check-dist diff (mirrors actions/setup-node) and a vendor check that npm install --package-lock-only is a no-op - test.yml uses setup-node + sigstore/cosign-installer, drops bake-action - dependabot-build.yml regenerates dist via npm instead of bake CONTRIBUTING.md and README development section updated to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * build: align scripts and workflows with actions/* convention Match the standard layout used by actions/checkout, actions/setup-node, etc.: - package.json scripts: split format/format-check (Prettier) from lint/lint:fix (ESLint), and have pre-checkin run all four (format, lint:fix, build, test) in that order. - validate.yml lint job runs format-check + lint as separate steps. - test.yml drops the redundant --coverage flag (now in the test script). - Drop dependabot-build.yml: actions/* don't auto-rebuild dist on dependabot PRs; the check-dist style validate / build job catches drift and a maintainer rebuilds locally if needed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: add release-major-tag workflow (goreleaser#552) * build: drop docker-bake in favor of plain npm Every TypeScript action maintained by actions/* (checkout, setup-node, setup-go, cache, upload-artifact) uses plain npm scripts. The bake setup is a docker/* org convention and adds friction for TS work: contributors need Docker, the dev loop is ~10x slower than npm, and Alpine-vs-host byte drift in dist/index.js makes PRs bounce. Replace with the standard pattern: - .node-version pins Node 24 so contributors and CI agree - npm scripts (build, lint, format, test, pre-checkin) replace bake targets one-for-one - validate.yml runs lint + a check-dist diff (mirrors actions/setup-node) and a vendor check that npm install --package-lock-only is a no-op - test.yml uses setup-node + sigstore/cosign-installer, drops bake-action - dependabot-build.yml regenerates dist via npm instead of bake CONTRIBUTING.md and README development section updated to match. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * build: align scripts and workflows with actions/* convention Match the standard layout used by actions/checkout, actions/setup-node, etc.: - package.json scripts: split format/format-check (Prettier) from lint/lint:fix (ESLint), and have pre-checkin run all four (format, lint:fix, build, test) in that order. - validate.yml lint job runs format-check + lint as separate steps. - test.yml drops the redundant --coverage flag (now in the test script). - Drop dependabot-build.yml: actions/* don't auto-rebuild dist on dependabot PRs; the check-dist style validate / build job catches drift and a maintainer rebuilds locally if needed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: add release-major-tag workflow Adopts the actions/checkout pattern (workflow_dispatch with target + major_version inputs that force-pushes the major tag). Doubles as a rollback tool. Documented in CONTRIBUTING under a 'Releasing' section. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: drop irrelevant pin comment from release-major-tag Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: document cosign verification in README (goreleaser#553) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: drop pre-cosign-v3 goreleaser versions from tests (goreleaser#554) GoReleaser v2.13.0 was the first release to ship the cosign v3 sigstore-bundle 'checksums.txt.sigstore.json' alongside the archive. Earlier releases only publish a cosign v2 detached '.sig', which the action's verifier does not understand and silently skips. Drop '~> 1.26' / '~> 2.6' / 'v0.182.0' / '~> v1' from the matrix and the install tests; pin '~> 2.13' as the minimum-supported version we actively exercise in CI. Document v2.13.0 as the minimum cosign- verifiable version in the README. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: cover install across release eras (goreleaser#555) Add install tests pinned to versions that exercise every release era so we don't regress the graceful-skip path for releases that pre-date the cosign v3 sigstore bundle: - v0.182.0 pre-checksums-signing - v1.26.2 cosign v2 detached .sig only - v2.12.4 last release before sigstore bundles - v2.13.0 first release with sigstore bundle (minimum verifiable) - v2.15.3 recent release with sigstore bundle Plus an explicit verifyChecksum integration test that installs v2.12.4 with cosign in PATH to confirm the cosign step is skipped (not failed) when the sigstore bundle is absent. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add `version-file` input (goreleaser#556) Resolves the GoReleaser version from a file. Currently supports the asdf/mise `.tool-versions` format; resolved value takes precedence over the `version` input. # .tool-versions goreleaser 2.13.0 - uses: goreleaser/goreleaser-action@v7 with: version-file: .tool-versions args: release --clean Path is resolved relative to `workdir` unless absolute. Bare semvers are auto-prefixed with `v`; constraint expressions and `latest` are returned as-is. Multiple fallback versions per asdf convention are accepted but only the first is used. Refs goreleaser#541 Closes goreleaser#542 Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (goreleaser#558) * feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release Query GitHub releases API to resolve the 'nightly' version input to the latest immutable nightly tag, replacing the moving 'nightly' tag that is being removed for supply-chain hardening. Refs goreleaser/goreleaser#6550 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: keep legacy 'nightly' tag working during transition Fall back to the moving 'nightly' tag when no immutable vX.Y.Z-<sha>-nightly release is found, so the action keeps working between this release and the goreleaser nightly switchover. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * test: assert isNightlyTag accepts legacy fallback Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: accept nightly tags without 'v' prefix goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly (no 'v' prefix). Make the nightly tag regex tolerate either form, and split the integration tests so OSS asserts the legacy fallback while Pro asserts the new <version>-<sha>-nightly format. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * Revert "fix: accept nightly tags without 'v' prefix" The missing 'v' prefix on the goreleaser-pro nightly was a release mistake; new nightlies will keep the 'v' prefix. This reverts commit 7673f7f. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci: pass GITHUB_TOKEN to tests The new nightly resolution hits api.github.com/repos/.../releases, which is rate-limited for unauthenticated requests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * docs: note GITHUB_TOKEN need for nightly resolution Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * refactor: drop legacy 'nightly' tag fallback Both goreleaser and goreleaser-pro now publish nightly releases as vX.Y.Z-<sha>-nightly, so the action no longer needs to special-case or fall back to the moving 'nightly' tag. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci(nightly): pass GITHUB_TOKEN to nightly integration job Releases API is rate-limited for unauthenticated requests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * ci(deps): bump the actions group with 3 updates (goreleaser#560) Bumps the actions group with 3 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [actions/upload-artifact](https://github.com/actions/upload-artifact) and [actions/setup-node](https://github.com/actions/setup-node). Updates `sigstore/cosign-installer` from 3.9.2 to 4.1.1 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@d58896d...cad07c2) Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@bbbca2d...043fb46) Updates `actions/setup-node` from 5.0.0 to 6.4.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@a0853c2...48b55a0) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/setup-node dependency-version: 6.4.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * ci: update actions Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> * fix: nightly resolution to select newest published release (goreleaser#562) * fix(nightly): pick latest nightly by published_at GitHub's /releases endpoint is not reliably ordered by published_at, so resolveNightly could pick an older nightly than the most recent one. Filter, sort by published_at desc, and take the first. * test(nightly): add regression coverage for release ordering --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> * ci(deps): bump the actions group with 3 updates (goreleaser#563) Bumps the actions group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [codecov/codecov-action](https://github.com/codecov/codecov-action). Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@cad07c2...6f9f177) Updates `codecov/codecov-action` from 6.0.0 to 6.0.1 - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@57e3a13...e79a696) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: codecov/codecov-action dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Kévin Dunglas <kevin@dunglas.fr> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: haya14busa <haya14busa@gmail.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Timo <flecno@flecno.de> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Anthony Couvreur <22034450+acouvreur@users.noreply.github.com> Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
You can now use .tool-versions file to specify GoReleaser version to download
Closes #541
Testing
With
version-filereferencing a non-existing fileTypo
.tools-versioninstead of.tool-versionssablierapp/sablier@0700179
With
version-filereferencing.tool-versionsfilesablierapp/sablier@94739c4
No version specified
sablierapp/sablier@d5d4432