1
0
mirror of https://github.com/goreleaser/goreleaser.git synced 2025-01-26 04:22:05 +02:00
goreleaser/www/docs/customization/verifiable_builds.md
Randy Fay 176336f264
docs: miscellaneous usage and wording improvements (#3152)
* Make sure to do required go mod init before continuing or goreleaser command fails.

* how the release might look like -> what the release might look like

* How does it look like -> What does it look like

* you must therefore -> you must

* Don't use GO111MODULES in example since it's so obsolete

* modules -> verifiable builds

* got you covered -> has you covered
2022-06-10 23:04:16 -03:00

1.3 KiB

Verifiable Builds

GoReleaser has support for creating verifiable builds. A verifiable build is one that records enough information to be precise about exactly how to repeat it. All dependencies are loaded via proxy.golang.org, and verified against the checksum database sum.golang.org. A GoReleaser-created verifiable build will include module information in the resulting binary, which can be printed using go version -m mybinary.

Configuration options available are described below.

# goreleaser.yaml

gomod:
  # Proxy a module from proxy.golang.org, making the builds verifiable.
  # This will only be effective if running against a tag. Snapshots will ignore this setting.
  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
  #
  # Default is false.
  proxy: true

  # If proxy is true, use these environment variables when running `go mod` commands (namely, `go mod tidy`).
  # Defaults to `os.Environ()`.
  env:
    - GOPROXY=https://proxy.golang.org,direct
    - GOSUMDB=sum.golang.org
    - GOPRIVATE=example.com/blah

  # Sets the `-mod` flag value.
  # Defaults to empty.
  mod: mod

  # Which Go binary to use.
  # Defaults to `go`.
  gobinary: go1.17

!!! tip You can use debug.ReadBuildInfo() to get the version/checksum/dependencies of the module.