## What is this?
This daggerizes the lint, test, and build pipelines for Goreleaser.
## Why?
For context, the previous pass at this can be found here
https://github.com/goreleaser/goreleaser/pull/4186 . Since that time,
the DX for using Dagger has been considerably improved.
The benefit this brings to the Goreleaser project is that the test
pipeline can be run locally the same as it is run in CI without
requiring contributors to configure additional tools in their developer
environments. Additionally, by codifying the test and build execution
environments, you no longer need to be concerned with changing or
outdated Github Actions runner environments.
## How?
As a contributor, you can simply clone/fork Goreleaser and run:
`dagger functions` to see which commands are available.
To lint local code:
`dagger call --source . lint`
To run tests against local code:
`dagger call --source . test output`
To run tests against local code and get the coverage report:
`dagger call --source . test coverage-report -o ./coverage.txt`
To run tests on the main branch on Github:
`dagger call --source=https://github.com/goreleaser/goreleaser test
output`
To run tests against a PR branch on Github:
`dagger call
--source=https://github.com/goreleaser/goreleaser#pull/4958/head test
output`
To run tests against a PR branch using the dagger pipeline committed to
the main branch, without checking out goreleaser:
`dagger -m github.com/goreleaser/goreleaser call
--source=https://github.com/goreleaser/goreleaser#pull/4958/head test
output`
And so on 😃
## Also
In addition to the Dagger code, I've updated the build.yml workflow to
use the test pipeline and updated CONTRIBUTING.md with the command to
run tests with Dagger.
Note that I did not update the Taskfile.yml to avoid breaking anything
for contributors comfortable with their existing workflows.
Do you feel that this will benefit the Goreleaser project? Would you
like to see the Dagger functions doing more/less?
---------
Signed-off-by: kpenfound <kyle@dagger.io>
Signed-off-by: Lev Lazinskiy <lev@levlaz.org>
Signed-off-by: Lev Lazinskiy <lev@dagger.io>
Co-authored-by: Lev Lazinskiy <lev@levlaz.org>
Co-authored-by: Lev Lazinskiy <lev@dagger.io>
Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.26.6 to 3.26.7.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.26.7 - 13 Sep 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2471">#2471</a></li>
</ul>
<h2>3.26.6 - 29 Aug 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2449">#2449</a></li>
</ul>
<h2>3.26.5 - 23 Aug 2024</h2>
<ul>
<li>Fix an issue where the <code>csrutil</code> system call used for
telemetry would fail on MacOS ARM machines with System Integrity
Protection disabled. <a
href="https://redirect.github.com/github/codeql-action/pull/2441">#2441</a></li>
</ul>
<h2>3.26.4 - 21 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> The <code>add-snippets</code> input on the
<code>analyze</code> Action is deprecated and will be removed in the
first release in August 2025. <a
href="https://redirect.github.com/github/codeql-action/pull/2436">#2436</a></li>
<li>Fix an issue where the disk usage system call used for telemetry
would fail on MacOS ARM machines with System Integrity Protection
disabled, and then surface a warning. The system call is now disabled
for these machines. <a
href="https://redirect.github.com/github/codeql-action/pull/2434">#2434</a></li>
</ul>
<h2>3.26.3 - 19 Aug 2024</h2>
<ul>
<li>Fix an issue where the CodeQL Action could not write diagnostic
messages on Windows. This issue did not impact analysis quality. <a
href="https://redirect.github.com/github/codeql-action/pull/2430">#2430</a></li>
</ul>
<h2>3.26.2 - 14 Aug 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2417">#2417</a></li>
</ul>
<h2>3.26.1 - 13 Aug 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.0 - 06 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> Swift analysis on Ubuntu runner images is no
longer supported. Please migrate to a macOS runner if this affects you.
<a
href="https://redirect.github.com/github/codeql-action/pull/2403">#2403</a></li>
<li>Bump the minimum CodeQL bundle version to 2.13.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2408">#2408</a></li>
</ul>
<h2>3.25.15 - 26 Jul 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2385">#2385</a></li>
</ul>
<h2>3.25.14 - 25 Jul 2024</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="8214744c54"><code>8214744</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2478">#2478</a>
from github/update-v3.26.7-4a01ec798</li>
<li><a
href="a3b3e07cec"><code>a3b3e07</code></a>
Update changelog for v3.26.7</li>
<li><a
href="4a01ec7986"><code>4a01ec7</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2474">#2474</a>
from github/aeisenberg/always-upload-eslint-sarif</li>
<li><a
href="762dbaeeb7"><code>762dbae</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2471">#2471</a>
from github/update-bundle/codeql-bundle-v2.18.4</li>
<li><a
href="0d0f998f28"><code>0d0f998</code></a>
Always upload eslint.sarif</li>
<li><a
href="e817992b3d"><code>e817992</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2469">#2469</a>
from github/aeisenberg/upload-eslint-sarif</li>
<li><a
href="49021ad7f5"><code>49021ad</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2472">#2472</a>
from rvermeulen/rvermeulen/update-release-branch-authz</li>
<li><a
href="56b8418884"><code>56b8418</code></a>
Ignore suppressed alerts</li>
<li><a
href="f824adbf9b"><code>f824adb</code></a>
Merge branch 'main' into rvermeulen/update-release-branch-authz</li>
<li><a
href="8d9ed0b40e"><code>8d9ed0b</code></a>
Add changelog note</li>
<li>Additional commits viewable in <a
href="4dd16135b6...8214744c54">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[cachix/install-nix-action](https://github.com/cachix/install-nix-action)
from V27 to 28. This release includes the previously tagged commit.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/cachix/install-nix-action/releases">cachix/install-nix-action's
releases</a>.</em></p>
<blockquote>
<h2>v28</h2>
<p>Nix 2.24.6 - <a
href="https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493">https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3715ab1a11"><code>3715ab1</code></a>
bump channel</li>
<li><a
href="1872f1ff9d"><code>1872f1f</code></a>
Nix: 2.22.1 -> 2.24.6</li>
<li><a
href="e268b7aa05"><code>e268b7a</code></a>
Merge pull request <a
href="https://redirect.github.com/cachix/install-nix-action/issues/213">#213</a>
from phaer/patch-1</li>
<li><a
href="5b8c65d4d7"><code>5b8c65d</code></a>
Update README: hardware accel is available now...</li>
<li><a
href="ba01fffc51"><code>ba01fff</code></a>
Merge pull request <a
href="https://redirect.github.com/cachix/install-nix-action/issues/210">#210</a>
from guoard/patch-1</li>
<li><a
href="474f0a77aa"><code>474f0a7</code></a>
docs(readme): update checkout action version</li>
<li><a
href="725982224c"><code>7259822</code></a>
readme: V27</li>
<li>See full diff in <a
href="https://github.com/cachix/install-nix-action/compare/V27...V28">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## What is this?
Just adding documentation for using cosign with GitHub's OIDC in CI.
## Why?
I spent 4 hours looking through goreleaser and GitHub's docs before I
finally discovered I was missing the `id-token: write` permission in my
workflow file.
This PR serves to just include the `id-token: write` scope in the `CI ->
(GH) actions` section of the docs to hopefully save other devs the
trouble 🤣
### Additional
I also considered adding this to docs for the other CI providers, but I
am not too familiar on the OIDC side of things; might be worth
considering for the team?
Cheers
---
Been using goreleaser for one of my [oss
projects](https://github.com/caffeine-addictt/waku) recently and it's
been great! Just wanted to contribute something back, keep up the great
work! :>
Signed-off-by: AlexNg <contact@ngjx.org>
I like to use the goreleaser for my private project and would like to
have the binary scaled down with the UPX in the GitLab build pipeline.
Therefore, it would be nice if the UPX tool is pre-installed in the
Docker container.
Signed-off-by: Andrej Giesbrecht <giesan@gmx.net>
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.24.0
to 0.25.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="7398f36f57"><code>7398f36</code></a>
all: fix some symbols error in comment</li>
<li><a
href="f111c72426"><code>f111c72</code></a>
go/callgraph/rta: skip test on js platform</li>
<li><a
href="9f9b7e39b5"><code>9f9b7e3</code></a>
gopls/internal/settings: add missing deep cloning in Options.Clone</li>
<li><a
href="ce7eed4960"><code>ce7eed4</code></a>
doc/generate: minor cleanup</li>
<li><a
href="075ae7d276"><code>075ae7d</code></a>
go/callgraph/vta: add basic tests for range-over-func</li>
<li><a
href="2c7aaab748"><code>2c7aaab</code></a>
go/ssa: skip failing test</li>
<li><a
href="1b5663fbc8"><code>1b5663f</code></a>
go/callgraph/vta: perform minor cleanups</li>
<li><a
href="0a498831d1"><code>0a49883</code></a>
gopls/go.mod: update the go directive to 1.23.1</li>
<li><a
href="ad366a81ee"><code>ad366a8</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="4fb36d15cc"><code>4fb36d1</code></a>
go/callgraph/rta: add rta analysis test case for multiple go
packages</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/tools/compare/v0.24.0...v0.25.0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This commit fixes the automatic extension when building the wasip1_wasm
target.
Additionally, in future Go versions, support will be added for
generating c-shared WASM binaries.
https://github.com/golang/go/issues/65199
Therefore, this PR corrects the extension in the build process and
removes the .h file from the release when c-shared is enabled and the
target is WASM.
Bumps golang from 1.23.0-alpine to 1.23.1-alpine.
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
this makes ko run on snapshot builds, too.
the image will be `goreleaser.ko.local:[your tags]`, not sure if we can
change this, seems like we can't.
also fixed a small doc error around it, as well as added a new test to
cover this.
closes#4683
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
make them more precise, as its currently only taking GOOS/GOARCH into
account, and we can do more.
closes#5112
---------
Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.26.5 to 3.26.6.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.26.6 - 29 Aug 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2449">#2449</a></li>
</ul>
<h2>3.26.5 - 23 Aug 2024</h2>
<ul>
<li>Fix an issue where the <code>csrutil</code> system call used for
telemetry would fail on MacOS ARM machines with System Integrity
Protection disabled. <a
href="https://redirect.github.com/github/codeql-action/pull/2441">#2441</a></li>
</ul>
<h2>3.26.4 - 21 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> The <code>add-snippets</code> input on the
<code>analyze</code> Action is deprecated and will be removed in the
first release in August 2025. <a
href="https://redirect.github.com/github/codeql-action/pull/2436">#2436</a></li>
<li>Fix an issue where the disk usage system call used for telemetry
would fail on MacOS ARM machines with System Integrity Protection
disabled, and then surface a warning. The system call is now disabled
for these machines. <a
href="https://redirect.github.com/github/codeql-action/pull/2434">#2434</a></li>
</ul>
<h2>3.26.3 - 19 Aug 2024</h2>
<ul>
<li>Fix an issue where the CodeQL Action could not write diagnostic
messages on Windows. This issue did not impact analysis quality. <a
href="https://redirect.github.com/github/codeql-action/pull/2430">#2430</a></li>
</ul>
<h2>3.26.2 - 14 Aug 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2417">#2417</a></li>
</ul>
<h2>3.26.1 - 13 Aug 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.0 - 06 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> Swift analysis on Ubuntu runner images is no
longer supported. Please migrate to a macOS runner if this affects you.
<a
href="https://redirect.github.com/github/codeql-action/pull/2403">#2403</a></li>
<li>Bump the minimum CodeQL bundle version to 2.13.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2408">#2408</a></li>
</ul>
<h2>3.25.15 - 26 Jul 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2385">#2385</a></li>
</ul>
<h2>3.25.14 - 25 Jul 2024</h2>
<ul>
<li>Experimental: add a new <code>start-proxy</code> action which starts
the same HTTP proxy as used by <a
href="https://github.com/github/dependabot-action"><code>github/dependabot-action</code></a>.
Do not use this in production as it is part of an internal experiment
and subject to change at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/2376">#2376</a></li>
</ul>
<h2>3.25.13 - 19 Jul 2024</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4dd16135b6"><code>4dd1613</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2452">#2452</a>
from github/update-v3.26.6-7233ec5e6</li>
<li><a
href="dd9dd2d538"><code>dd9dd2d</code></a>
Update changelog for v3.26.6</li>
<li><a
href="7233ec5e6b"><code>7233ec5</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2449">#2449</a>
from github/update-bundle/codeql-bundle-v2.18.3</li>
<li><a
href="a32c44dba1"><code>a32c44d</code></a>
Add changelog note</li>
<li><a
href="2966897c67"><code>2966897</code></a>
Update default bundle to codeql-bundle-v2.18.3</li>
<li><a
href="b8efe4dc6a"><code>b8efe4d</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2435">#2435</a>
from github/update-supported-enterprise-server-versions</li>
<li><a
href="ab408a875b"><code>ab408a8</code></a>
Merge branch 'main' into
update-supported-enterprise-server-versions</li>
<li><a
href="864b979bc3"><code>864b979</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2443">#2443</a>
from github/dbartol/config-file-telemetry</li>
<li><a
href="d36c7aaf6a"><code>d36c7aa</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2448">#2448</a>
from github/dependabot/npm_and_yarn/npm-09b7c43f6b</li>
<li><a
href="b3bf514df4"><code>b3bf514</code></a>
Update checked-in dependencies</li>
<li>Additional commits viewable in <a
href="2c779ab0d0...4dd16135b6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
When trying to release an artifact to github and it fails, I observed
the following stacktrace:
```
• publishing
• scm releases
• releasing tag=v1.11.0 repo=my-github-repo
• could not check rate limits, hoping for the best...
• could not check rate limits, hoping for the best...
• took: 1m40s
• took: 1m40s
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xe28b72]
goroutine 55 [running]:
github.com/goreleaser/goreleaser/v2/internal/client.(*githubClient).createOrUpdateRelease(0xc0001b24c8, 0xc0002c5108, 0xc000b478, {0xc00039ed00, 0x80e})
github.com/goreleaser/goreleaser/v2@v2.2.0/internal/client/github.go:454 +0x3b2
github.com/goreleaser/goreleaser/v2/internal/client.(*githubClient).CreateRelease(0xc0001b24c8, 0xc0002c5108, {0xc00039ed00, 0x80e})
github.com/goreleaser/goreleaser/v2@v2.2.0/internal/client/github.go:402 +0x339
github.com/goreleaser/goreleaser/v2/internal/pipe/release.doPublish(0xc0002c5108, {0x2ce2d40, 0xc0001b24c8})
...
```
I believe this happens because if the
[CreateRelease](c96ef954c3/github/repos_releases.go (L221))
fails, resp might be empty and the resp.Header does not exist, which
causes a segfault.
```
WithField("request-id", resp.Header.Get("X-GitHub-Request-Id")).
```
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
Ignore empty flags after templating is applied for final Go build line.
This caused us some problems since we had an `if` without `else`,
resulting in an empty flag, causing the whole build to fail with a
misleading error message like:
```
malformed import path "-myflag": leading dash
```
Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.26.4 to 3.26.5.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.26.5 - 23 Aug 2024</h2>
<ul>
<li>Fix an issue where the <code>csrutil</code> system call used for
telemetry would fail on MacOS ARM machines with System Integrity
Protection disabled. <a
href="https://redirect.github.com/github/codeql-action/pull/2441">#2441</a></li>
</ul>
<h2>3.26.4 - 21 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> The <code>add-snippets</code> input on the
<code>analyze</code> Action is deprecated and will be removed in the
first release in August 2025. <a
href="https://redirect.github.com/github/codeql-action/pull/2436">#2436</a></li>
<li>Fix an issue where the disk usage system call used for telemetry
would fail on MacOS ARM machines with System Integrity Protection
disabled, and then surface a warning. The system call is now disabled
for these machines. <a
href="https://redirect.github.com/github/codeql-action/pull/2434">#2434</a></li>
</ul>
<h2>3.26.3 - 19 Aug 2024</h2>
<ul>
<li>Fix an issue where the CodeQL Action could not write diagnostic
messages on Windows. This issue did not impact analysis quality. <a
href="https://redirect.github.com/github/codeql-action/pull/2430">#2430</a></li>
</ul>
<h2>3.26.2 - 14 Aug 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2417">#2417</a></li>
</ul>
<h2>3.26.1 - 13 Aug 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.0 - 06 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> Swift analysis on Ubuntu runner images is no
longer supported. Please migrate to a macOS runner if this affects you.
<a
href="https://redirect.github.com/github/codeql-action/pull/2403">#2403</a></li>
<li>Bump the minimum CodeQL bundle version to 2.13.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2408">#2408</a></li>
</ul>
<h2>3.25.15 - 26 Jul 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2385">#2385</a></li>
</ul>
<h2>3.25.14 - 25 Jul 2024</h2>
<ul>
<li>Experimental: add a new <code>start-proxy</code> action which starts
the same HTTP proxy as used by <a
href="https://github.com/github/dependabot-action"><code>github/dependabot-action</code></a>.
Do not use this in production as it is part of an internal experiment
and subject to change at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/2376">#2376</a></li>
</ul>
<h2>3.25.13 - 19 Jul 2024</h2>
<ul>
<li>Add <code>codeql-version</code> to outputs. <a
href="https://redirect.github.com/github/codeql-action/pull/2368">#2368</a></li>
<li>Add a deprecation warning for customers using CodeQL version 2.13.4
and earlier. These versions of CodeQL were discontinued on 9 July 2024
alongside GitHub Enterprise Server 3.9, and will be unsupported by
CodeQL Action versions 3.26.0 and later and versions 2.26.0 and later.
<a
href="https://redirect.github.com/github/codeql-action/pull/2375">#2375</a>
<ul>
<li>If you are using one of these versions, please update to CodeQL CLI
version 2.13.5 or later. For instance, if you have specified a custom
version of the CLI using the 'tools' input to the 'init' Action, you can
remove this input to use the default version.</li>
<li>Alternatively, if you want to continue using a version of the CodeQL
CLI between 2.12.6 and 2.13.4, you can replace
<code>github/codeql-action/*@v3</code> by
<code>github/codeql-action/*@v3.25.13</code> and
<code>github/codeql-action/*@v2</code> by
<code>github/codeql-action/*@v2.25.13</code> in your code scanning
workflow to ensure you continue using this version of the CodeQL
Action.</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="2c779ab0d0"><code>2c779ab</code></a>
Merge main into releases/v3 (<a
href="https://redirect.github.com/github/codeql-action/issues/2444">#2444</a>)</li>
<li><a
href="68cd1f9de3"><code>68cd1f9</code></a>
Update changelog for v3.26.5</li>
<li><a
href="7e27807413"><code>7e27807</code></a>
Only run check SIP enablement once in <code>init</code> step (<a
href="https://redirect.github.com/github/codeql-action/issues/2441">#2441</a>)</li>
<li><a
href="fd5fa130e2"><code>fd5fa13</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2438">#2438</a>
from github/mergeback/v3.26.4-to-main-f0f3afee</li>
<li><a
href="6f10eb0e36"><code>6f10eb0</code></a>
Update checked-in dependencies</li>
<li><a
href="b15a247a6c"><code>b15a247</code></a>
Update changelog and version after v3.26.4</li>
<li>See full diff in <a
href="f0f3afee80...2c779ab0d0">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action)
from 3.26.3 to 3.26.4.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.26.4 - 21 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> The <code>add-snippets</code> input on the
<code>analyze</code> Action is deprecated and will be removed in the
first release in August 2025. <a
href="https://redirect.github.com/github/codeql-action/pull/2436">#2436</a></li>
<li>Fix an issue where the disk usage system call used for telemetry
would fail on MacOS ARM machines with System Integrity Protection
disabled, and then surface a warning. The system call is now disabled
for these machines. <a
href="https://redirect.github.com/github/codeql-action/pull/2434">#2434</a></li>
</ul>
<h2>3.26.3 - 19 Aug 2024</h2>
<ul>
<li>Fix an issue where the CodeQL Action could not write diagnostic
messages on Windows. This issue did not impact analysis quality. <a
href="https://redirect.github.com/github/codeql-action/pull/2430">#2430</a></li>
</ul>
<h2>3.26.2 - 14 Aug 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2417">#2417</a></li>
</ul>
<h2>3.26.1 - 13 Aug 2024</h2>
<p>No user facing changes.</p>
<h2>3.26.0 - 06 Aug 2024</h2>
<ul>
<li><em>Deprecation:</em> Swift analysis on Ubuntu runner images is no
longer supported. Please migrate to a macOS runner if this affects you.
<a
href="https://redirect.github.com/github/codeql-action/pull/2403">#2403</a></li>
<li>Bump the minimum CodeQL bundle version to 2.13.5. <a
href="https://redirect.github.com/github/codeql-action/pull/2408">#2408</a></li>
</ul>
<h2>3.25.15 - 26 Jul 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.18.1. <a
href="https://redirect.github.com/github/codeql-action/pull/2385">#2385</a></li>
</ul>
<h2>3.25.14 - 25 Jul 2024</h2>
<ul>
<li>Experimental: add a new <code>start-proxy</code> action which starts
the same HTTP proxy as used by <a
href="https://github.com/github/dependabot-action"><code>github/dependabot-action</code></a>.
Do not use this in production as it is part of an internal experiment
and subject to change at any time. <a
href="https://redirect.github.com/github/codeql-action/pull/2376">#2376</a></li>
</ul>
<h2>3.25.13 - 19 Jul 2024</h2>
<ul>
<li>Add <code>codeql-version</code> to outputs. <a
href="https://redirect.github.com/github/codeql-action/pull/2368">#2368</a></li>
<li>Add a deprecation warning for customers using CodeQL version 2.13.4
and earlier. These versions of CodeQL were discontinued on 9 July 2024
alongside GitHub Enterprise Server 3.9, and will be unsupported by
CodeQL Action versions 3.26.0 and later and versions 2.26.0 and later.
<a
href="https://redirect.github.com/github/codeql-action/pull/2375">#2375</a>
<ul>
<li>If you are using one of these versions, please update to CodeQL CLI
version 2.13.5 or later. For instance, if you have specified a custom
version of the CLI using the 'tools' input to the 'init' Action, you can
remove this input to use the default version.</li>
<li>Alternatively, if you want to continue using a version of the CodeQL
CLI between 2.12.6 and 2.13.4, you can replace
<code>github/codeql-action/*@v3</code> by
<code>github/codeql-action/*@v3.25.13</code> and
<code>github/codeql-action/*@v2</code> by
<code>github/codeql-action/*@v2.25.13</code> in your code scanning
workflow to ensure you continue using this version of the CodeQL
Action.</li>
</ul>
</li>
</ul>
<h2>3.25.12 - 12 Jul 2024</h2>
<ul>
<li>Improve the reliability and performance of analyzing code when
analyzing a compiled language with the <code>autobuild</code> <a
href="https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes">build
mode</a> on GitHub Enterprise Server. This feature is already available
to GitHub.com users. <a
href="https://redirect.github.com/github/codeql-action/pull/2353">#2353</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f0f3afee80"><code>f0f3afe</code></a>
Merge main into releases/v3 (<a
href="https://redirect.github.com/github/codeql-action/issues/2437">#2437</a>)</li>
<li><a
href="e3543591a5"><code>e354359</code></a>
Update changelog for v3.26.4</li>
<li><a
href="ae01f807ca"><code>ae01f80</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2436">#2436</a>
from rvermeulen/rvermeulen/deprecate-add-snippets</li>
<li><a
href="72bc3f7f61"><code>72bc3f7</code></a>
Address incorrect changelog location</li>
<li><a
href="7388c476ae"><code>7388c47</code></a>
Merge branch 'main' into rvermeulen/deprecate-add-snippets</li>
<li><a
href="d7c48ef5a8"><code>d7c48ef</code></a>
Add link to PR deprecating <code>add-snippets</code> to
CHANGELOG.md</li>
<li><a
href="ec21b8f8a4"><code>ec21b8f</code></a>
Update changelog with deprecation.</li>
<li><a
href="4067cdab78"><code>4067cda</code></a>
Add deprecation message to <code>add-snippets</code> input.</li>
<li><a
href="202b3b97bf"><code>202b3b9</code></a>
Stop checking disk usage for MacOS ARM with SIP disabled (<a
href="https://redirect.github.com/github/codeql-action/issues/2434">#2434</a>)</li>
<li><a
href="512e3066dd"><code>512e306</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2404">#2404</a>
from github/marcogario/proxy_64</li>
<li>Additional commits viewable in <a
href="883d8588e5...f0f3afee80">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from
0.17.1 to 0.17.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/anchore/sbom-action/releases">anchore/sbom-action's
releases</a>.</em></p>
<blockquote>
<h2>v0.17.2</h2>
<h2>Changes in v0.17.2</h2>
<ul>
<li>Update Syft to v1.11.1 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/485">#485</a>)
[<a
href="https://github.com/anchore-actions-token-generator">anchore-actions-token-generator</a>]</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="61119d458a"><code>61119d4</code></a>
chore(deps): update Syft to v1.11.1 (<a
href="https://redirect.github.com/anchore/sbom-action/issues/485">#485</a>)</li>
<li>See full diff in <a
href="https://github.com/anchore/sbom-action/compare/v0.17.1...v0.17.2">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
goreleaser currently uses `cosign` `v2.1.1`, this change switches it to
`v2.4.0`.
While there may be other useful updates, I'd like this update to
workaround a bug which I'm experiencing:
https://github.com/sigstore/cosign/issues/3614#issuecomment-2012521670,
and which is solved by upgrading the `cosign` version.
