chore(release): wire goreleaser to a tag-triggered workflow #54

Merged: shreemaan-abhishek merged 1 commit into master from chore/release-workflow on May 27, 2026

@shreemaan-abhishek shreemaan-abhishek commented May 27, 2026

Summary

  • Adds .github/workflows/release.yml that runs goreleaser on v* tag push, publishing a GitHub Release with cross-platform archives and checksums.
  • Bumps .goreleaser.yml to v2 syntax (version: 2, format → formats) so it works with the pinned goreleaser/goreleaser-action@v6 (~> v2).

No changes to Go code, so internal/update/ plumbing (asset name format a7_{version}_{os}_{arch}.{ext}) stays compatible with what the workflow will publish.

Closes #53

Test plan

  • goreleaser check against the updated config (run via Docker locally)
  • Cut v0.1.0-rc1 after merge and confirm the workflow publishes assets
  • Run a7 update end-to-end against the published rc release

Summary by CodeRabbit

  • Chores
    • Added automated release workflow that triggers when creating version tags
    • Updated release packaging configuration to support modern automation standards

Wires .goreleaser.yml to a tag-triggered GitHub Actions workflow so
`v*` pushes publish a release. Modernizes the existing config to
goreleaser v2 (adds `version: 2`, switches `format` to `formats`)
to match the pinned action.

Closes #53

coderabbitai Bot commented May 27, 2026

Walkthrough

This PR enables automated binary releases for a7 by adding a GitHub Actions release workflow and updating the GoReleaser configuration to v2 format. The workflow triggers on version tag pushes and orchestrates GoReleaser to build and publish releases across Linux, Darwin, and Windows platforms.

Changes

Release Automation

| Layer / File(s) | Summary |
| --- | --- |
| Release workflow and GoReleaser v2 setup: .github/workflows/release.yml, .goreleaser.yml | New workflow invokes GoReleaser on v* tag pushes with repository write permissions. GoReleaser configuration is updated to v2 format with archive generation switched from singular format keys to formats list syntax for tar.gz and zip archives. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and specifically describes the main change—wiring goreleaser to a tag-triggered GitHub Actions workflow, which is the core objective of the PR. |
| Linked Issues check | ✅ Passed | The PR fully implements the stated coding requirements: adds .github/workflows/release.yml to trigger goreleaser on tag pushes and updates .goreleaser.yml to v2 syntax for compatibility. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with issue #53 requirements; no unrelated modifications to source code or other areas are present. |
| E2e Test Quality Review | ✅ Passed | This custom E2E test quality check is not applicable; the PR contains only workflow and goreleaser configuration files, no test code to review. |
| Security Check | ✅ Passed | Configuration-only PR. No hardcoded secrets, proper GITHUB_TOKEN injection, pinned action versions, no TLS issues, no embedded credentials in .goreleaser.yml. |



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

16-18: ⚡ Quick win

Add persist-credentials: false to the checkout step.

The static analysis tool flags that credentials may persist through GitHub Actions artifacts when persist-credentials is not explicitly set to false. This is a security hardening best practice to prevent credential leakage.

🔒 Proposed security hardening
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
+         persist-credentials: false
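Review bot: on the added `persist-credentials: false` line, confirm that no later step in this job relies on the token that checkout would otherwise leave in the local git config (for example an authenticated `git push`); the pre-merge Security Check on this page reports that GITHUB_TOKEN is injected explicitly, which is the pattern this setting expects. A short YAML comment next to the key stating why it is set would keep it from being dropped in a later cleanup.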
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 16 - 18, The checkout step using
actions/checkout@v4 currently omits the persist-credentials option; update the
checkout configuration (the actions/checkout@v4 step) to include
persist-credentials: false alongside existing keys (e.g., fetch-depth: 0) so
credentials are not persisted to the workspace or artifacts, ensuring the
workflow uses the hardened setting.

16-16: ⚡ Quick win

Consider pinning actions to commit SHAs.

The static analysis tool flags that actions are referenced by tags rather than commit SHAs and notes this is "required by blanket policy." Pinning to SHAs prevents supply chain attacks where tags could be moved to malicious code.

🔐 Example SHA pinning approach

You can find current commit SHAs for each action version and pin them:

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@<sha>  # v4
        with:
          fetch-depth: 0

-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@<sha>  # v5
        with:
          go-version-file: go.mod

-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@<sha>  # v6
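Review bot: the `<sha>` placeholders on the three `+` lines must be replaced with full-length (40-character) commit SHAs taken from each action's own repository, since an abbreviated SHA or a SHA that only exists in a fork does not give the immutability this change is after. Keep the trailing `# v4`, `# v5` and `# v6` comments as shown so the pinned release stays readable in review.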

Note: SHA pinning does increase maintenance burden as you'll need to update SHAs when updating action versions.

Also applies to: 20-20, 24-24

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 16, The workflow currently references
actions by tags (e.g., "uses: actions/checkout@v4") which should be pinned to
commit SHAs to reduce supply-chain risk; update each "uses:" entry in
.github/workflows/release.yml (including the actions/checkout entry and the
other actions referenced by tags in this file) to the corresponding commit SHA
for the desired release (replace the tag with the SHA value), ensuring you fetch
the canonical SHA from the action's GitHub repo and commit the updated workflow.

📥 Commits

Reviewing files that changed from the base of the PR and between f75246c and a5ed9cb.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • .goreleaser.yml
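
The two findings in the review above can be checked mechanically. The following is an added example, not part of the PR or of CodeRabbit's output: a line-based Python audit that flags `uses:` references not pinned to a full commit SHA and `actions/checkout` steps that do not set `persist-credentials: false`. The sample workflow text is constructed from the steps quoted in the review, and the function names are hypothetical.

```python
import re

# Constructed sample of the three steps quoted in the review (not the PR's actual file).
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - uses: goreleaser/goreleaser-action@v6
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # tags and short SHAs fail this

def checkout_drops_credentials(lines, start):
    """True if the step whose `uses:` is at index `start` sets persist-credentials: false."""
    head = lines[start].lstrip()
    key_indent = len(lines[start]) - len(head)
    if head.startswith("-"):  # "- uses:" -> sibling keys sit past the dash
        key_indent += len(head) - len(head[1:].lstrip())
    for line in lines[start + 1:]:
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        if len(line) - len(line.lstrip()) < key_indent:
            break  # dedent: next step or end of the steps list
        k, _, v = body.partition(":")
        if k == "persist-credentials" and v.split("#")[0].strip().strip("'\"").lower() == "false":
            return True
    return False

def audit_workflow(text):
    """Return (line_no, action, problem) tuples for the two review findings."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not an action reference, or a local action / image
        action, _, ref = m.group(1).strip("'\"").partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((i + 1, action, "not pinned to a full commit SHA"))
        if action == "actions/checkout" and not checkout_drops_credentials(lines, i):
            findings.append((i + 1, action, "persist-credentials is not false"))
    return findings
```

Run over the sample, `audit_workflow` reports four findings: three unpinned references and one checkout step that keeps its credentials. It only looks at keys that follow `uses:` within the same step, so a `with:` block written before `uses:` is not seen.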


Copilot AI left a comment


Pull request overview

This PR wires the existing GoReleaser configuration into GitHub Actions so that pushing a v* tag automatically builds and publishes cross-platform release assets to a GitHub Release. It also updates .goreleaser.yml to GoReleaser v2 config syntax to match the pinned goreleaser/goreleaser-action@v6.

Changes:

  • Add a tag-triggered GitHub Actions workflow that runs goreleaser release --clean and publishes a GitHub Release.
  • Update .goreleaser.yml to version: 2 and migrate archive format keys to formats.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .goreleaser.yml | Migrates config to GoReleaser v2 syntax (version: 2, format → formats) for archive generation. |
| .github/workflows/release.yml | Adds a workflow that runs on v* tags to execute GoReleaser and publish GitHub Release assets. |

@shreemaan-abhishek shreemaan-abhishek merged commit 699bcc1 into master May 27, 2026
7 checks passed
Development

Successfully merging this pull request may close these issues.

Wire .goreleaser.yml to a release workflow and cut the first tag
