diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..81522fc
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,63 @@
+# Release workflow — runs when a vX.Y.Z tag is pushed (including mirror
+# pushes from somegit.dev). Drives GoReleaser to publish:
+# - static binaries (linux/darwin/windows × amd64/arm64) + checksums
+# + autogenerated changelog to the GitHub releases page
+# - multi-arch container images to ghcr.io/vikingowl91/gnoma
+#
+# GITHUB_TOKEN is provided automatically by GitHub Actions and already
+# carries packages:write thanks to the permissions block, so no PAT is
+# needed for either the release upload or the ghcr.io push.
+#
+# Security note: this workflow does not interpolate any untrusted
+# context (commit messages, PR titles, issue bodies) into shell commands.
+# All ${{ ... }} references live in with: / env: blocks, which are
+# safely passed as strings rather than evaluated as shell.
+
+name: Release
+
+on:
+ push:
+ tags:
+ - "v*"
+
+permissions:
+ contents: write
+ packages: write
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Setup Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.26"
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Test
+ run: go test ./...
+
+ - name: GoReleaser
+ uses: goreleaser/goreleaser-action@v6
+ with:
+ version: latest
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.woodpecker/release.yml b/.woodpecker/release.yml
deleted file mode 100644
index 187931f..0000000
--- a/.woodpecker/release.yml
+++ /dev/null
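Review bot: Every action in the `release` job is referenced by a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `goreleaser/goreleaser-action@v6`, and the rest) and GoReleaser itself is fetched as `version: latest`, while the job runs with a token carrying `contents: write` and `packages: write`. A retagged action or a new GoReleaser release would therefore run with publish rights on the next tag push without any change in this repository. Pinning each `uses:` to a full commit SHA, e.g. `uses: goreleaser/goreleaser-action@<full-commit-sha>  # v6`, and replacing `version: latest` with a constraint matching the major version the project's `.goreleaser.yml` targets, e.g. `version: "~> v2"`, keeps the release toolchain reviewable. Separately, `go test ./...` runs after `Login to GHCR` and after a checkout that by default leaves the token in the local git config; moving the Test step ahead of the login and adding `persist-credentials: false` under the checkout `with:` block should keep both credentials out of reach of test code.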
@@ -1,41 +0,0 @@
-# Release pipeline — runs when a vX.Y.Z tag is pushed.
-#
-# Builds gnoma via GoReleaser:
-# - static binaries for linux/darwin/windows × amd64/arm64
-# - archives + checksums + changelog uploaded to the GitHub mirror's
-# releases page (via the GoReleaser github backend in .goreleaser.yml)
-# - multi-arch container images pushed to ghcr.io/vikingowl91/gnoma
-#
-# Secrets required (set in Woodpecker repo settings):
-# github_token GitHub PAT with `repo` + `write:packages` scopes.
-# Used for both the release upload and the ghcr.io
-# image push.
-#
-# Runner requirements:
-# - Docker socket access (mounted via volumes below).
-# - QEMU registered on the host for arm64 cross-builds. One-time:
-# docker run --privileged --rm tonistiigi/binfmt --install all
-# If your Woodpecker host doesn't have it and you can't grant
-# privileged, drop arm64 from .goreleaser.yml or run releases
-# manually until a runner with QEMU is available.
-
-when:
- - event: tag
- ref: refs/tags/v*
-
-steps:
- - name: test
- image: golang:1.26
- commands:
- - go test ./...
-
- - name: release
- image: goreleaser/goreleaser:latest
- environment:
- GITHUB_TOKEN:
- from_secret: github_token
- commands:
- - echo "$GITHUB_TOKEN" | docker login ghcr.io -u VikingOwl91 --password-stdin
- - goreleaser release --clean
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock