Add GoReleaser-based multi-platform distribution #78

Merged: twangodev merged 7 commits into main from feat/goreleaser-distribution on May 25, 2026

@twangodev (Owner) commented May 25, 2026

Replaces the hand-rolled build/release matrix with GoReleaser: produces archives, checksums, SBOMs, cosign signatures, deb/rpm/apk packages, a Homebrew cask, and a Scoop manifest, and adds a version-agnostic install.sh for curl | sh installs. Keeps the existing release-please flow (release.mode: append) and build-provenance attestation.

Requires repo secret TAP_GITHUB_TOKEN (PAT with contents:write on homebrew-tap + scoop-bucket) and a twangodev/scoop-bucket repo before the next tagged release.

Summary by CodeRabbit

  • New Features

    • Added multiple installation methods: Homebrew (macOS), Scoop (Windows), and universal install script for macOS/Linux/FreeBSD.
    • Binaries now include cryptographic signatures and checksums for verification.
  • Documentation

    • Updated getting started guide with comprehensive installation instructions.

Copilot AI review requested due to automatic review settings May 25, 2026 18:55
coderabbitai Bot commented May 25, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 48bb12a4-ad13-48fa-a549-88bcd19aa0ee

📥 Commits

Reviewing files that changed from the base of the PR and between fc48952 and 7820f67.

📒 Files selected for processing (4)
  • .github/workflows/go.yml
  • .goreleaser.yaml
  • README.md
  • install.sh

📝 Walkthrough

This PR migrates the release pipeline from manual cross-platform Go builds and GitHub artifact uploads to an automated GoReleaser workflow. It introduces a .goreleaser.yaml configuration, updates the GitHub Actions workflow to orchestrate GoReleaser releases, adds a portable shell installer script, and updates documentation with comprehensive multi-platform installation instructions.

Changes

GoReleaser Release Automation

| Layer / File(s) | Summary |
| --- | --- |
| GoReleaser build and artifact configuration (.goreleaser.yaml) | Configures build matrix (Darwin, Linux, FreeBSD with arm/386 exclusions), archive format (tar.gz/zip), artifact naming template, checksum generation, SBOM output, and Cosign-based signing with certificate and signature outputs. |
| Package and third-party publication configuration (.goreleaser.yaml) | Defines Linux package builds (deb/rpm/apk), Homebrew cask publication with token-based authentication, Scoop bucket updates, and GitHub release appending to the target repository. |
| GitHub Actions workflow: goreleaser-check and goreleaser jobs (.github/workflows/go.yml) | Replaces manual build and release jobs with a goreleaser-check job (PR/non-main validation) and a goreleaser job (triggered on release-please release_created == 'true') that installs cosign/Syft, executes GoReleaser, and performs build provenance attestation. |
| Installation script and documentation (install.sh, README.md, .gitignore) | Adds POSIX shell installer with OS/arch detection, checksum verification, and binary placement; updates README with installation instructions (Homebrew, Scoop, install script, Linux packages, manual download); adds .vscode/ and dist/ to .gitignore. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • twangodev/lfm-cli#74: Both PRs modify .github/workflows/go.yml to change release triggering and gating mechanisms (release-please outputs in #74 vs goreleaser-based release_created gating and new release jobs in the main PR).

Poem

🐰 A rabbit built a GoReleaser dream,
No more matrix builds or artifact streams—
Cross-platform binaries sign and attest,
Homebrew, Scoop, and packages blessed.
Now users just ./install.sh and fly! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add GoReleaser-based multi-platform distribution' directly describes the main change: replacing the hand-rolled build/release matrix with GoReleaser for multi-platform distribution. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



Copilot AI left a comment

Pull request overview

This PR migrates the project’s release pipeline from a custom GitHub Actions build/release matrix to a GoReleaser-driven multi-platform distribution, and updates installation docs accordingly.

Changes:

  • Add a GoReleaser config to produce archives, checksums, SBOMs, signatures, and OS packages, and publish to Homebrew/Scoop.
  • Replace the previous matrix build/release workflow with GoReleaser-based release publishing and a config-check job.
  • Add a version-agnostic install.sh and update README installation instructions.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| README.md | Updates “Getting Started” with Homebrew/Scoop/install-script/package install paths. |
| install.sh | Adds a curl-pipe-sh installer that downloads a release archive and verifies checksums. |
| .goreleaser.yaml | Introduces GoReleaser v2 config for builds, archives, SBOMs, signing, nfpm packages, and tap/bucket publishing. |
| .gitignore | Ignores GoReleaser dist/ output. |
| .github/workflows/go.yml | Replaces hand-rolled build/release jobs with GoReleaser check + release flow and provenance attestation. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/go.yml (1)

3-5: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add the missing PR trigger for goreleaser-check.

goreleaser-check is gated for PRs, but the workflow only triggers on push, so PR validation won’t execute.

Suggested fix
 on:
   push:
+  pull_request:
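
Review bot: the added `pull_request:` key carries no `branches` filter and sits next to an equally unfiltered `push:`, so a commit pushed to a same-repository branch with an open PR would start the workflow twice, once per event. Consider restricting one of the two triggers, for example limiting `push:` to the default branch, so the check runs once per change.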

Also applies to: 23-24

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/go.yml around lines 3 - 5, The workflow currently triggers
only on push; add a pull request trigger so the goreleaser-check job runs on PRs
by updating the top of .github/workflows/go.yml: under the existing "on:"
section add "pull_request:" (optionally mirroring branches/paths used by "push")
so the workflow named or referenced as goreleaser-check will also run for PR
events; ensure any branch filters match the push configuration.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/go.yml:
- Around line 23-25: The goreleaser-check job currently inherits default
GITHUB_TOKEN permissions; update the job definition for goreleaser-check to
explicitly scope token permissions to least-privilege by adding a permissions
block (e.g., permissions: contents: read) under the goreleaser-check job so the
check-only path only has read access to repository contents; locate the
goreleaser-check job name in the workflow and add the permissions entry there.
- Around line 27-33: The workflow currently pins actions by mutable tags (e.g.,
actions/checkout@v6, actions/setup-go@v6, goreleaser/goreleaser-action@v6 and
googleapis/release-please-action@v4); update .github/workflows/go.yml to use
immutable 40-hex commit SHAs instead of tags by replacing each uses: entry
(actions/checkout, actions/setup-go, goreleaser/goreleaser-action,
googleapis/release-please-action) with the corresponding repository commit SHA
(fetch the latest recommended SHA from each action's GitHub repo or release
notes) so the workflow is deterministically pinned, then commit the updated
go.yml and run the workflow to verify.
- Around line 27-29: Update both GitHub Actions checkout steps that use "uses:
actions/checkout@v6" to explicitly disable credential persistence by adding
persist-credentials: false to their step inputs; locate the two checkout steps
(the one currently specifying fetch-depth: 0 and the other similar step later)
and add persist-credentials: false alongside fetch-depth to prevent the runner
from storing the auth token in git config.

In `@install.sh`:
- Line 28: The installer currently maps "armv6l" into the arm build by matching
the case branch 'armv7l | armv6l | arm) arch="arm" ;;' which may install an
incompatible ARMv7 (GOARM=7) binary on ARMv6 devices; update the install.sh case
handling so that 'armv7l | arm) arch="arm" ;;' remains for supported ARMv7
targets and add an explicit 'armv6l' branch that prints a clear error message
and exits (referring to the 'arch' variable and the case branch in install.sh)
to refuse installation on ARMv6. Ensure the error explains the binary requires
ARMv7 (GOARM=7).

In `@README.md`:
- Around line 55-56: Update the README sentence that currently reads "Binaries
are built and signed (cosign + SBOM) on GitHub Actions" to explicitly state what
is signed and what is generated: indicate that the release process signs
checksum artifacts using cosign, that SBOMs are produced and attached separately
(not cosign-signed at the binary level), and mention where users can verify the
signed checksums (e.g., the "releases page" link text). Change the phrasing
around the "releases page" reference to reflect this clarification so readers
won't assume per-binary cosign signatures.

---

Outside diff comments:
In @.github/workflows/go.yml:
- Around line 3-5: The workflow currently triggers only on push; add a pull
request trigger so the goreleaser-check job runs on PRs by updating the top of
.github/workflows/go.yml: under the existing "on:" section add "pull_request:"
(optionally mirroring branches/paths used by "push") so the workflow named or
referenced as goreleaser-check will also run for PR events; ensure any branch
filters match the push configuration.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0856ecc-ad47-4239-9216-049df10bfa40

📥 Commits

Reviewing files that changed from the base of the PR and between 92c0d9b and fc48952.

📒 Files selected for processing (5)
  • .github/workflows/go.yml
  • .gitignore
  • .goreleaser.yaml
  • README.md
  • install.sh
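
The three workflow findings in the review above (mutable action tags, a job without a `permissions` block, checkout steps that keep credentials) can be checked mechanically. The script below is an added example, not code from this PR or from CodeRabbit; the function names are hypothetical and the workflow text and commit SHA in it are constructed.

```shell
# Added example. SAMPLE_WORKFLOW is constructed (SHA included); it is not go.yml.
SAMPLE_WORKFLOW='on:
  push:
jobs:
  goreleaser-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v6
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
        with:
          persist-credentials: false
'
# Action references not pinned to a 40-hex commit SHA (local ./ actions skipped).
unpinned_actions() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
    grep -v '^\./' | grep -Ev '@[0-9a-f]{40}$' || true
}

# Jobs with no permissions: block, unless the workflow sets one at top level.
jobs_without_permissions() {
  printf '%s\n' "$1" | awk '
    /^permissions:/ { top = 1 }
    /^jobs:/ { in_jobs = 1; next }
    in_jobs && /^[^ #]/ { in_jobs = 0 }
    in_jobs && /^  [A-Za-z0-9_-]+:/ { job = $1; sub(/:.*/, "", job); order[++n] = job; next }
    in_jobs && /^    permissions:/ { has[job] = 1 }
    END { if (!top) for (i = 1; i <= n; i++) if (!has[order[i]]) print order[i] }'
}

# Line numbers of actions/checkout steps that lack persist-credentials: false.
checkout_keeps_credentials() {
  printf '%s\n' "$1" | awk '
    function flush() { if (checkout && !safe) print at; checkout = 0; safe = 0 }
    /^ *- / { flush() }
    /uses: *actions\/checkout@/ { checkout = 1; at = NR }
    /persist-credentials: *false/ { safe = 1 }
    END { flush() }'
}

for c in unpinned_actions jobs_without_permissions checkout_keeps_credentials; do echo "== $c"; "$c" "$SAMPLE_WORKFLOW"; done
```

To audit a real file, pass its contents, for example `unpinned_actions "$(cat .github/workflows/go.yml)"`. The parsing is indentation-based and assumes two-space YAML indentation as in the sample.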

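
The install.sh points raised in the reviews above, refusing ARMv6 instead of installing the ARMv7 (GOARM=7) build and verifying the downloaded archive against the release checksums, look like this in POSIX shell. This is an added example, not the project's install.sh; the function names and the amd64/arm64 mappings are assumptions, and the checksums file is assumed to use `<sha256>  <filename>` lines.

```shell
# Added example, not the project's install.sh; function names are hypothetical.

# Map `uname -m` output to a release architecture. armv6l gets its own branch
# that fails, because the arm build targets ARMv7 (GOARM=7).
map_arch() {
  case "$1" in
    x86_64 | amd64) echo "amd64" ;;   # assumed mapping
    aarch64 | arm64) echo "arm64" ;;  # assumed mapping
    armv7l | arm) echo "arm" ;;
    armv6l)
      echo "error: armv6l is not supported; the arm binary requires ARMv7 (GOARM=7)" >&2
      return 1 ;;
    *)
      echo "error: unsupported architecture: $1" >&2
      return 1 ;;
  esac
}

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# $1 = downloaded archive, $2 = checksums file with "<sha256>  <filename>" lines.
# Fails closed: a missing entry and a mismatch both return non-zero.
verify_checksum() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$2")
  [ -n "$expected" ] || { echo "error: $name not listed in $2" >&2; return 1; }
  [ "$(sha256_of "$1")" = "$expected" ] || { echo "error: checksum mismatch for $name" >&2; return 1; }
}

map_arch armv7l   # prints: arm
```

A checksum match only shows the archive agrees with the checksums file fetched alongside it; authenticity comes from verifying the cosign signature over that checksums file.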
@twangodev twangodev merged commit db35dbb into main May 25, 2026
9 checks passed