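# Release workflow — runs when a vX.Y.Z tag is pushed (including mirror
# pushes from somegit.dev). Drives GoReleaser to publish:
#   - static binaries (linux/darwin/windows × amd64/arm64) + checksums
#     + autogenerated changelog to the GitHub releases page
#   - multi-arch container images to ghcr.io/vikingowl91/gnoma
#
# GITHUB_TOKEN is provided automatically by GitHub Actions and already
# carries packages:write thanks to the permissions block, so no PAT is
# needed for either the release upload or the ghcr.io push.
#
# Security note: this workflow does not interpolate any untrusted
# context (commit messages, PR titles, issue bodies) into shell commands.
# All ${{ ... }} references live in with: / env: blocks, which are
# safely passed as strings rather than evaluated as shell.
#
# Trust boundary: the trigger pattern is "v*", so any pushed tag that
# starts with "v" (not only vX.Y.Z) starts a job holding contents:write
# and packages:write. Restrict who may create such tags (tag protection
# rules / rulesets); mirror pushes carry the same trust.
#
# NOTE(review): every `uses:` below references a mutable major-version
# tag. For a job that can publish releases and images, pin each action
# to a full commit SHA and keep the tag as a trailing comment, e.g.
#   uses: actions/checkout@<FULL_COMMIT_SHA>  # v4
# (placeholder — take the SHA from the action's own release history).
name: Release

on:
  push:
    tags:
      - "v*"

# Write scopes are needed only for the release upload (contents) and
# the ghcr.io push (packages); nothing else is granted.
permissions:
  contents: write
  packages: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history and tags, for the autogenerated changelog.
          fetch-depth: 0
          # Do not leave the job token in .git/config for later steps.
          # GoReleaser receives GITHUB_TOKEN through env: below.
          # NOTE(review): assumes no later step pushes over git — confirm
          # against the GoReleaser config, which is not visible here.
          persist-credentials: false

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.26"

      # Runs before the registry login so that test code and its
      # dependencies execute without GHCR credentials in the Docker
      # client config. A failing test still stops the release.
      - name: Test
        run: go test ./...

      - name: Setup QEMU
        uses: docker/setup-qemu-action@v3

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          # Bounded to the v2 major line instead of `latest`, so a new
          # major GoReleaser release cannot silently change what a tag
          # push publishes. Pin an exact version for reproducible builds.
          version: "~> v2"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Force GoReleaser to use the triggering tag rather than fall
          # back to `git describe` — which can resolve to an older tag
          # (e.g., a vX.Y.Z-rc tag) when multiple tags point at the same
          # commit. Surfaced as the v0.3.1 release failure on 2026-05-24.
          # The tag name is set by whoever pushed it; it is passed as an
          # environment string here, never spliced into a shell command.
          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}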