Summary
proxy-warm only pings proxy.golang.org. Nothing verifies the end-to-end release: attestation validity, checksums match, pkg.go.dev has indexed the version.
Scope
New job post-release-verify in release.yml, needs [goreleaser, proxy-warm], if: inputs.dry_run != true:
gh release view $TAG --json assets — expected assets present.- Download tarball +
checksums.txt, verify SHA-256 match.
gh attestation verify syncmap-*-source.tar.gz --owner axonops exit 0.- Poll
pkg.go.dev/github.com/axonops/syncmap@$TAG for 200 within 5 min.
Acceptance criteria
- Job green on v1.0.1 release.
- Job fails clearly on any mismatch.
Source: devops agent.
Summary
proxy-warmonly pings proxy.golang.org. Nothing verifies the end-to-end release: attestation validity, checksums match, pkg.go.dev has indexed the version.Scope
New job
post-release-verifyin release.yml, needs[goreleaser, proxy-warm],if: inputs.dry_run != true:gh release view $TAG --json assets— expected assets present.checksums.txt, verify SHA-256 match.gh attestation verify syncmap-*-source.tar.gz --owner axonopsexit 0.pkg.go.dev/github.com/axonops/syncmap@$TAGfor 200 within 5 min.Acceptance criteria
Source: devops agent.