mirror of https://github.com/goreleaser/goreleaser.git synced 2025-01-24 04:16:27 +02:00

Carlos A Becker 10586bdba7

docs: clarify lack of vcs info when building from proxy

closes #3491

Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>

2022-10-25 22:16:32 -03:00

1.6 KiB

Raw Blame History

Verifiable Builds

GoReleaser has support for creating verifiable builds. A verifiable build is one that records enough information to be precise about exactly how to repeat it. All dependencies are loaded via proxy.golang.org, and verified against the checksum database sum.golang.org. A GoReleaser-created verifiable build will include module information in the resulting binary, which can be printed using go version -m mybinary.

Configuration options available are described below.

# goreleaser.yaml

gomod:
  # Proxy a module from proxy.golang.org, making the builds verifiable.
  # This will only be effective if running against a tag. Snapshots will ignore
  # this setting.
  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
  #
  # Default: false.
  proxy: true

  # If proxy is true, use these environment variables when running `go mod`
  # commands (namely, `go mod tidy`).
  #
  # Default: `os.Environ()` merged with what you set the root `env` section.
  env:
    - GOPROXY=https://proxy.golang.org,direct
    - GOSUMDB=sum.golang.org
    - GOPRIVATE=example.com/blah

  # Sets the `-mod` flag value.
  #
  # Default: empty.
  # Since: v1.7.
  mod: mod

  # Which Go binary to use.
  #
  # Default: `go`.
  gobinary: go1.17

!!! tip You can use debug.ReadBuildInfo() to get the version/checksum/dependencies of the module.

!!! warning VCS Info will not be embedded in the binary, as in practice it is not being built from the source, but from the Go Mod Proxy.

1.6 KiB Raw Blame History

Verifiable Builds

1.6 KiB

Raw Blame History