authzed · miparnisari · Oct 8, 2025 · Oct 7, 2025 · miparnisari · Oct 7, 2025
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -80,11 +80,19 @@ jobs:
         id: "goreleaser"
         with:
           distribution: "goreleaser-pro"
-          version: "2.3.2"
+          # NOTE: keep in sync with goreleaser version in other job.
+          # github actions don't allow yaml anchors.
+          version: "v2.12.5"
           args: "release -f .goreleaser.docker.yml --clean --split --snapshot"
         env:
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
       - name: "Obtain container image to scan"
-        run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64_v1/metadata.json --raw-output)" >> $GITHUB_ENV'
+        run: |
+          IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)
+          if [ -z "$IMAGE_VERSION" ]; then
+            echo "Failed to extract version from metadata.json"
+            exit 1
+          fi
+          echo "IMAGE_VERSION=$IMAGE_VERSION" >> $GITHUB_ENV
       - name: "run trivy on release image"
         run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/zed:v${{ env.IMAGE_VERSION }}-amd64 --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db"
diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml
@@ -1,5 +1,5 @@
 ---
-name: "Release for Windows"
+name: "Release for Windows" # TODO why is this separate from release.yaml?
 on:  # yamllint disable-line rule:truthy
   push:
     tags:
@@ -29,9 +29,24 @@ jobs:
           distribution: "goreleaser-pro"
           # NOTE: keep in sync with goreleaser version in other job.
           # github actions don't allow yaml anchors.
-          version: "v2.3.2"
+          version: "v2.12.5"
           args: "release --clean --config=.goreleaser.windows.yml"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
           CHOCOLATEY_API_KEY: "${{ secrets.CHOCOLATEY_API_KEY }}"
+      - name: "Notify in Slack if failure"
+        if: "${{ failure() }}"
+        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        with:
+          webhook: "${{ secrets.SLACK_BUILDS_WEBHOOK_URL }}"
+          webhook-type: "incoming-webhook"
+          payload: |
+            text: "Release failure."
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: |
+                    :x: @eng-oss Release failure. Please take a look.
+                    *Repository:* <${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,5 +1,5 @@
 ---
-name: "release"
+name: "Release for Docker and MacOS"
 on:
   push:
     tags:
@@ -23,13 +23,28 @@ jobs:
           distribution: "goreleaser-pro"
           # NOTE: keep in sync with goreleaser version in other job.
           # github actions don't allow yaml anchors.
-          version: "2.3.2"
+          version: "v2.12.5"
           args: "release --clean"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           HOMEBREW_TAP_GITHUB_TOKEN: "${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}"
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
           GEMFURY_PUSH_TOKEN: "${{ secrets.GEMFURY_PUSH_TOKEN }}"
+      - name: "Notify in Slack if failure"
+        if: "${{ failure() }}"
+        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        with:
+          webhook: "${{ secrets.SLACK_BUILDS_WEBHOOK_URL }}"
+          webhook-type: "incoming-webhook"
+          payload: |
+            text: "Release failure."
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: |
+                    :x: @eng-oss Release failure. Please take a look.
+                    *Repository:* <${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>
 
   docker:
     runs-on: "ubuntu-latest"
@@ -50,8 +65,23 @@ jobs:
           distribution: "goreleaser-pro"
           # NOTE: keep in sync with goreleaser version in other job.
           # github actions don't allow yaml anchors.
-          version: "2.3.2"
+          version: "v2.12.5"
           args: "release --config=.goreleaser.docker.yml --clean"
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+      - name: "Notify in Slack if failure"
+        if: "${{ failure() }}"
+        uses: "slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a" # v2.1.1
+        with:
+          webhook: "${{ secrets.SLACK_BUILDS_WEBHOOK_URL }}"
+          webhook-type: "incoming-webhook"
+          payload: |
+            text: "Release failure."
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: |
+                    :x: @eng-oss Release failure. Please take a look.
+                    *Repository:* <${{ github.server_url }}/${{ github.repository }}|${{ github.repository }}>
diff --git a/.goreleaser.windows.yml b/.goreleaser.windows.yml
@@ -21,9 +21,9 @@ archives:
       - "LICENSE"
     format_overrides:
       - goos: "windows"
-        format: "zip"
+        formats: ["zip"]
 
-chocolatey:
+chocolateys:
   - name: "zed"
     package_source_url: "https://github.com/authzed/zed/releases"
     owners: "AuthZed, Inc"

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -83,17 +83,17 @@ builds:
 
 archives:
   - id: "gnu"
-    builds:
+    ids:
       - "linux-amd64-gnu"
       - "linux-arm64-gnu"
     name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}_gnu"
   - id: "musl"
-    builds:
+    ids:
       - "linux-amd64-musl"
       - "linux-arm64-musl"
     name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}_musl"
   - id: "other"
-    builds:
+    ids:
       - "darwin-amd64"
       - "darwin-arm64"
       - "windows-amd64"
@@ -106,7 +106,7 @@ nfpms:
     description: &description "manage Authzed from your command line."
     license: &license "Apache 2.0"
     epoch: &epoch "0"
-    builds: ["linux-amd64-gnu", "linux-arm64-gnu"]
+    ids: ["linux-amd64-gnu", "linux-arm64-gnu"]
     formats: ["deb", "rpm"]
   - id: "musl"
     vendor: *vendor
@@ -115,7 +115,7 @@ nfpms:
     description: *description
     license: *license
     epoch: *epoch
-    builds: ["linux-amd64-musl", "linux-arm64-musl"]
+    ids: ["linux-amd64-musl", "linux-arm64-musl"]
     formats: ["apk"]
 
 furies: