From a663cc531f6da87d3c9217c38ba120cec5f49879 Mon Sep 17 00:00:00 2001 From: Lukasz Raczylo Date: Mon, 15 Dec 2025 00:15:24 +0000 Subject: [PATCH] fixup! fixup! fixup! feat: use GoReleaser Pro for split/merge CGO builds --- .github/actions/goreleaser/action.yml | 26 -------------------------- .github/workflows/go-release-cgo.yaml | 8 ++++---- .github/workflows/go-release.yaml | 6 ++++-- 3 files changed, 8 insertions(+), 32 deletions(-) diff --git a/.github/actions/goreleaser/action.yml b/.github/actions/goreleaser/action.yml index 6278b0f..a9e3d49 100644 --- a/.github/actions/goreleaser/action.yml +++ b/.github/actions/goreleaser/action.yml @@ -24,14 +24,6 @@ inputs: description: "Homebrew tap token (optional)" required: false default: "" - cosign-key: - description: "Cosign private key (base64 encoded)" - required: false - default: "" - cosign-password: - description: "Cosign private key password" - required: false - default: "" runs: using: "composite" @@ -47,20 +39,8 @@ runs: fi - name: Install cosign - if: inputs.cosign-key != '' uses: sigstore/cosign-installer@v3 - - name: Decode cosign key - if: inputs.cosign-key != '' - shell: bash - env: - COSIGN_KEY_BASE64: ${{ inputs.cosign-key }} - run: | - set +x - printenv COSIGN_KEY_BASE64 | base64 -d > /tmp/cosign.key - chmod 600 /tmp/cosign.key - unset COSIGN_KEY_BASE64 - - name: Run GoReleaser (full) if: inputs.mode == 'full' uses: goreleaser/goreleaser-action@v6 @@ -72,8 +52,6 @@ runs: GITHUB_TOKEN: ${{ inputs.github-token }} HOMEBREW_TAP_TOKEN: ${{ inputs.homebrew-tap-token }} CGO_ENABLED: ${{ inputs.cgo-enabled }} - COSIGN_KEY: ${{ inputs.cosign-key }} - COSIGN_PASSWORD: ${{ inputs.cosign-password }} - name: Run GoReleaser Pro (split) if: inputs.mode == 'split' 
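Review bot: In the `@@ -47,20 +39,8 @@` hunk of action.yml, the `Install cosign` step now runs on every invocation but still references `sigstore/cosign-installer@v3` by a mutable tag. The calling release jobs are given `id-token: write` in this same commit, so whatever code that tag resolves to appears to run where an OIDC token, and with it a signature under this repository's workflow identity, can be requested. I would pin the action to a full commit SHA with the tag kept as a trailing comment, `uses: sigstore/cosign-installer@<FULL_COMMIT_SHA> # v3`, and do the same for `goreleaser/goreleaser-action@v6` in the steps that follow. The `runs:` block starts and ends outside this hunk.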
@@ -86,8 +64,6 @@ runs: GITHUB_TOKEN: ${{ inputs.github-token }} GORELEASER_KEY: ${{ inputs.goreleaser-key }} CGO_ENABLED: ${{ inputs.cgo-enabled }} - COSIGN_KEY: ${{ inputs.cosign-key }} - COSIGN_PASSWORD: ${{ inputs.cosign-password }} - name: Run GoReleaser Pro (merge) if: inputs.mode == 'merge' @@ -99,5 +75,3 @@ runs: env: GITHUB_TOKEN: ${{ inputs.github-token }} GORELEASER_KEY: ${{ inputs.goreleaser-key }} - COSIGN_KEY: ${{ inputs.cosign-key }} - COSIGN_PASSWORD: ${{ inputs.cosign-password }} diff --git a/.github/workflows/go-release-cgo.yaml b/.github/workflows/go-release-cgo.yaml index 400633d..d5488a5 100644 --- a/.github/workflows/go-release-cgo.yaml +++ b/.github/workflows/go-release-cgo.yaml @@ -161,8 +161,6 @@ jobs: cgo-enabled: "1" github-token: ${{ secrets.GITHUB_TOKEN }} goreleaser-key: ${{ secrets.GORELEASER_PRO }} - cosign-key: ${{ secrets.COSIGN_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - name: Upload artifacts uses: actions/upload-artifact@v4 @@ -175,6 +173,10 @@ jobs: name: Release needs: [version, build] runs-on: ubuntu-latest + permissions: + contents: write + packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v4 @@ -203,8 +205,6 @@ jobs: mode: merge github-token: ${{ secrets.GITHUB_TOKEN }} goreleaser-key: ${{ secrets.GORELEASER_PRO }} - cosign-key: ${{ secrets.COSIGN_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - name: Rolling release if: inputs.rolling-release-tag != '' diff --git a/.github/workflows/go-release.yaml b/.github/workflows/go-release.yaml index d291626..9037408 100644 --- a/.github/workflows/go-release.yaml +++ b/.github/workflows/go-release.yaml @@ -73,6 +73,10 @@ jobs: needs: version if: needs.version.outputs.version_tag != '' runs-on: ubuntu-latest + permissions: + contents: write + packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@v4 
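Review bot: The `permissions:` block added to the `Release` job in go-release-cgo.yaml (`@@ -175,6 +173,10 @@`) has no comment saying why each scope is needed, and the same block is added without one in go-release.yaml (`@@ -73,6 +73,10 @@`). I would put a line above it such as `# id-token: write is needed for keyless (OIDC) cosign signing; callers of this workflow must grant it as well`. The second half matters if these files are invoked through `workflow_call`, which the `inputs.` references suggest but the trigger is not visible here: a called workflow cannot get more token permissions than its caller grants, so signing would fail for a caller that omits the scope. The `build` job in go-release-cgo.yaml lies outside the hunk; if the split builds sign anything, that job would need `id-token: write` too.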
@@ -108,8 +112,6 @@ jobs: mode: full github-token: ${{ secrets.GITHUB_TOKEN }} homebrew-tap-token: ${{ secrets.HOMEBREW_TAP_TOKEN }} - cosign-key: ${{ secrets.COSIGN_KEY }} - cosign-password: ${{ secrets.COSIGN_PASSWORD }} - name: Rolling release if: inputs.rolling-release-tag != ''