Set up an automated, signed release pipeline so a tag push produces installable artefacts.
Scope
.goreleaser.yaml building Linux + Windows × amd64/arm64 (4 binaries) with -ldflags wired to internal/version.{Version,Commit,Date}.
nfpm-based deb + rpm for Linux × amd64/arm64.
- Tarball (
tar.gz) for Linux/macOS, zip for Windows — raw "gobinary" artefact ships inside.
cosign keyless signing via GitHub OIDC for every artefact + SHA256SUMS.
.github/workflows/release.yml triggered by v* tags; uses goreleaser/goreleaser-action and sigstore/cosign-installer.
Out of scope (covered by follow-up): AUR PKGBUILD, Homebrew tap, AppImage.
Acceptance
git tag v0.0.0-test && git push --tags to a throwaway tag dry-runs the pipeline (or goreleaser release --snapshot --clean locally).
- A real
v0.x.y tag produces a GitHub Release with binaries, deb/rpm, SHA256SUMS, and *.sig / *.pem cosign attestations.
- README gains a short "Install" section pointing at the Releases page + verification recipe (
cosign verify-blob).
Set up an automated, signed release pipeline so a tag push produces installable artefacts.
Scope
.goreleaser.yamlbuilding Linux + Windows ×amd64/arm64(4 binaries) with-ldflagswired tointernal/version.{Version,Commit,Date}.nfpm-baseddeb+rpmfor Linux ×amd64/arm64.tar.gz) for Linux/macOS,zipfor Windows — raw "gobinary" artefact ships inside.cosignkeyless signing via GitHub OIDC for every artefact +SHA256SUMS..github/workflows/release.ymltriggered byv*tags; usesgoreleaser/goreleaser-actionandsigstore/cosign-installer.Out of scope (covered by follow-up): AUR
PKGBUILD, Homebrew tap, AppImage.Acceptance
git tag v0.0.0-test && git push --tagsto a throwaway tag dry-runs the pipeline (orgoreleaser release --snapshot --cleanlocally).v0.x.ytag produces a GitHub Release with binaries, deb/rpm,SHA256SUMS, and*.sig/*.pemcosign attestations.cosign verify-blob).