Skip to content

chore: release pipeline with goreleaser (binaries + deb/rpm + cosign) #81

Description

@chmmou

Set up an automated, signed release pipeline so a tag push produces installable artefacts.

Scope

  • .goreleaser.yaml building Linux + Windows × amd64/arm64 (4 binaries) with -ldflags wired to internal/version.{Version,Commit,Date}.
  • nfpm-based deb + rpm for Linux × amd64/arm64.
  • Tarball (tar.gz) for Linux/macOS, zip for Windows — raw "gobinary" artefact ships inside.
  • cosign keyless signing via GitHub OIDC for every artefact + SHA256SUMS.
  • .github/workflows/release.yml triggered by v* tags; uses goreleaser/goreleaser-action and sigstore/cosign-installer.

Out of scope (covered by follow-up): AUR PKGBUILD, Homebrew tap, AppImage.

Acceptance

  • git tag v0.0.0-test && git push --tags to a throwaway tag dry-runs the pipeline (or goreleaser release --snapshot --clean locally).
  • A real v0.x.y tag produces a GitHub Release with binaries, deb/rpm, SHA256SUMS, and *.sig / *.pem cosign attestations.
  • README gains a short "Install" section pointing at the Releases page + verification recipe (cosign verify-blob).

Metadata

Metadata

Assignees

Labels

area/buildBuild, CI, packaging, release pipelineenhancementNew feature or requestphase/releaseRelease engineering

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions