
fix(ci): upgrade GoReleaser action to v6 for version: 2 config#20

Merged
itsjeremyjohnson merged 1 commit into main from fix/goreleaser-v6
Apr 9, 2026

Conversation


@itsjeremyjohnson itsjeremyjohnson commented Apr 9, 2026

Upgrades goreleaser-action from v5 to v6 to support the version: 2 config format in .goreleaser.yaml.

Changes:

  • goreleaser-action v5 -> v6 (supports GoReleaser v2 config format)
  • Add workflow_dispatch for manual re-releases
  • Use go-version-file: go.mod instead of hardcoded version
  • Add config stash pattern for dispatch releases

Greptile Summary

This PR upgrades goreleaser-action from v5 to v6 to support the version: 2 config format already present in .goreleaser.yaml, and adds a workflow_dispatch trigger for manually re-releasing old tags using a config-stash pattern.

  • Unquoted user input: Line 37 passes ${{ inputs.tag }} to git checkout without quotes, which can cause word-splitting or unexpected shell behavior if the input contains spaces or special characters.

Confidence Score: 4/5

Safe to merge after quoting the user-supplied tag input on the dispatch checkout step.

One P1 finding: unquoted user input in a shell run step that can cause word-splitting or unintended behavior for tags with special characters. All other changes (action version bump, go-version-file, stash pattern) are correct and well-structured.

.github/workflows/release.yml — specifically the unquoted inputs.tag on line 37.

Vulnerabilities

  • Shell injection / word splitting (.github/workflows/release.yml, line 37): ${{ inputs.tag }} is interpolated unquoted into git checkout. A value with embedded spaces or metacharacters can cause unintended shell behavior. Access is gated behind write permission on the repo, but quoting is still required defensive practice.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release.yml | Upgrades goreleaser-action v5→v6, adds workflow_dispatch for re-releases with config-stash pattern, and switches to go-version-file; one P1: unquoted user input on the git checkout step. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([Trigger]) --> B{Event type?}
    B -- push tag v* --> C[Checkout repo at tag\nfetch-depth: 0]
    B -- workflow_dispatch --> C
    C --> D[Setup Go\ngo-version-file: go.mod]
    D --> E[Stash .goreleaser.yaml\n→ /tmp/.goreleaser.yaml]
    E --> F{workflow_dispatch?}
    F -- yes --> G[git checkout inputs.tag\n⚠ currently unquoted]
    F -- no --> H[Skip checkout]
    G --> I[GoReleaser v6\nrelease --clean --config /tmp/.goreleaser.yaml]
    H --> I
    I --> J[GitHub Release + Homebrew tap]
```


Reviews (1): Last reviewed commit: "fix(ci): upgrade GoReleaser action to v6..." | Re-trigger Greptile

Greptile also left 1 inline comment on this PR.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@itsjeremyjohnson itsjeremyjohnson merged commit 09d7fd4 into main Apr 9, 2026
7 checks passed

- name: Checkout release tag
if: ${{ github.event_name == 'workflow_dispatch' }}
run: git checkout ${{ inputs.tag }}
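Review bot: quoting `${{ inputs.tag }}` on the `run: git checkout` line narrows the problem but does not close it, because the Actions runner substitutes the expression into the script text before the shell parses it, so a tag value containing a quote character or a command substitution is still interpreted by the shell. The safer pattern is to pass the input through the step's `env:` block (for example `TAG: ${{ inputs.tag }}`) and reference it as a shell variable, `run: git checkout "refs/tags/$TAG"`, which keeps the value out of the script source and also prevents a value starting with `-` from being read as an option. Validating that the value matches the `v*` shape the push trigger expects, before calling git, is a cheap extra check for a manually dispatched re-release.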

P1 (security): Unquoted user input in shell command

inputs.tag is interpolated directly into the shell without quotes. If the tag value contains spaces or shell metacharacters, this causes word splitting or unexpected behavior. Even though workflow_dispatch requires write access, quoting is the correct defensive practice.

Suggested change:

```diff
-run: git checkout ${{ inputs.tag }}
+run: git checkout "${{ inputs.tag }}"
```
