When we build a manifest, we need to prefix the annotation key with
`index:`.
This does it automatically :)
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
It is a bit confusing.
Resolved by splitting the pipes into two, one that is automatically
skipped in non-snapshot builds, so it doesn't log anything.
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Bumps code.gitea.io/sdk/gitea from 0.21.0 to 0.22.0.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
This builds up on the work of @faisal-smarthub, adding
[makeself](https://makeself.io) support to goreleaser.
I've greatly simplified the original implementation, removing many
options from it as well.
It's still not quite there, though - but it already works and can be
tested!
refs #5989
refs #5994
---
#### TODO
- [x] initial implementation
- [x] extract the improved artifact filtering into its own PR
- [x] tests
- [x] double check docs
- [x] move goreleaser's setup.sh into some directory
- [x] make sure CI passes
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Co-authored-by: Faisal <faisal@smarthub.ai>
Co-authored-by: faisal-smarthub <155343043+faisal-smarthub@users.noreply.github.com>
Instead of repeating `Or(BySomething(), BySomething())`, added
pluralized versions of some filters that automatically do that.
Refactored some of the usage to use these new functions as well.
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
- grab the correct digest
- error if tag templates eval to empty list
- when `--snapshot`, build one image per platform instead of the
manifest
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
This is the v2 of the docker feature!
- better DX (less yaml repetition and templates)
- simpler implementation
### So now, what happens:
- if `--snapshot`, it'll build the manifest, but not push it (only
useful to test the actual docker image build, not the image itself)
- otherwise, on publish, it'll run a single `docker buildx build` to
build and publish the manifest + SBOM
- `docker_signs` should still work
- `docker_digests` should still work
Discussion for after the merge:
https://github.com/orgs/goreleaser/discussions/6005
### TODO from the top of my head:
- [x] ~~pro: split/merge wiring~~[^1]
- [x] tests
- [x] signing
- [x] sbom
- [x] attestations https://github.com/goreleaser/goreleaser/pull/6001
---
closes#5733
[^1]: Not really needed, will only run in publish, which runs in the
merging step.
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
<!--
Hi, thanks for contributing!
Please make sure you read our CONTRIBUTING guide.
Also, add tests and the respective documentation changes as well.
-->
> [!NOTE]
> It is recommended to review the changes commit by commit.
<!-- If applied, this commit will... -->
This PR improves the sample code of Homebrew Casks in this two way:
- More consistent github api token retrieval behavior between download
url and fetching release assets.
- `GitHub.get_release` uses different token retrieval than
`GitHubHelper.github_token`
- More safe way to run `/usr/bin/xattr` on macOS only
- The current example causes unexpected errors when run on Linux
<!-- Why is this change being made? -->
This change is based on @mltokky 's blog post:
https://zenn.dev/mltokky/articles/96a9017e583592
The blog post mentions some practical issues with the sample code I
created that I believe require correction.
Therefore, after requesting @mltokky 's review, I would like to add them
as a co-author to the relevant commit.
<!-- # Provide links to any relevant tickets, URLs or other resources
-->
...
---------
Co-authored-by: Tokkyer Midlow <mltokky@gmail.com>
Co-authored-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
- callers need to add the `url.verified` property if they want to pass
audit
- added the name which was missing
- I _think_ the problem with "unversioned url" is that it doesn't have
`#{version}` in it, if so, this should fix it I think
refs https://github.com/orgs/goreleaser/discussions/5963
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
- adds avast/retry in favor of our manual retries here and there
- makes retries configurable for docker images and manifests
- use retries in docker manifest create and push
closes#5967fixes#5853
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
- [x] docker image (not released yet)
- [x] golangci-lint (not released yet)
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
This, in conjunction with #5948, will allow users to read the password
of a given `artifactory` or `upload` configuration from a file, example:
```yaml
artifactories:
- password: '{{ readFile "~/.artifactory.txt" }}'
# ...
uploads:
- password: '{{ readFile "~/.myapi.txt" }}'
# ...
```
closes#5946
- add the concept of experimental and broken targets
- added openbsd/riscv64 as an experimental target (added in go1.23)
- moved windows/arm into the broken target list (marked in go1.25, will
be removed in go1.27)
- added `rva23u64` to `GORISCV64` (added in go1.26)
closes https://github.com/orgs/goreleaser/discussions/5939
it's not too easy to remove/switch this, and if someone runs `goreleaser
check` in their CI, this will make it fail.
eventually we could add a better mechanism for this, but since this is a
one-off thing for now, added a warning for it.
