feat: add GoReleaser release pipeline and version command#137
feat: add GoReleaser release pipeline and version command#137jpower432 wants to merge 4 commits into
Conversation
Picks up semver image tag support from org-infra main. Assisted-by: Claude (Anthropic, Claude Opus 4.6) Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Replaces the manual release workflow with GoReleaser v2, producing cross-platform binaries, SBOMs, cosign signatures, and a Homebrew cask. Adds `complypack version [--json]` with ldflags-injected build metadata. Assisted-by: Claude (Anthropic, Claude Opus 4.6) Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Replaces the PAT-based HOMEBREW_TAP_GITHUB_TOKEN secret with a scoped installation token from the complytime-bot GitHub App. Assisted-by: Claude (Anthropic, Claude Opus 4.6) Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Scope complytime-bot app token with permission-contents: write to satisfy zizmor's github-app audit. Fix MD060 table alignment in README. Assisted-by: Claude (Anthropic, Claude Opus 4.6) Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
hbraswelrh
left a comment
There was a problem hiding this comment.
Solid PR — GoReleaser config, supply chain signing, and version command all look good. One medium finding on the zizmor github-app audit.
This review was generated by /review-pr (AI-assisted).
| with: | ||
| client-id: ${{ secrets.COMPLYTIME_BOT_CLIENT_ID }} | ||
| private-key: ${{ secrets.COMPLYTIME_BOT_PRIVATE_KEY }} | ||
| owner: complytime |
There was a problem hiding this comment.
[MEDIUM] zizmor github-app audit — token scope
The owner: complytime field triggers zizmor's github-app audit (High confidence), causing the lint CI check to fail. The token IS correctly scoped with repositories: homebrew-tap and permission-contents: write, so the actual security risk is low.
Options to resolve:
- Remove
owner: complytime— since this workflow already runs in acomplytimerepo, the app installation should default to the correct owner. - Add a
# zizmor: ignore[github-app]suppression comment above this step with a justification note. - Add a
.zizmor.ymlconfig file to suppress this specific audit forrelease.yml.
There was a problem hiding this comment.
@hbraswelrh I actually think we need megalinter to bump the version of zizmor. cc @marcusburghardt. I ran this locally and there were no issues with version - v1.26.1.
| call_reusable_ci: | ||
| name: Standardized CI | ||
| uses: complytime/org-infra/.github/workflows/reusable_ci.yml@638b2037394ca0f0b860a135c7c27dce75fd3c03 # v0.5.0 | ||
| uses: complytime/org-infra/.github/workflows/reusable_ci.yml@bc06a92af71291fb9fabbf758c3388b510926ede # main (post-v0.5.0: adds semver image tags) |
There was a problem hiding this comment.
@jpower432 , would it help if we cut another release of org-infra? I am not sure how dependabot PRs would manage a pinned version to main.
There was a problem hiding this comment.
Yes, that would help alot. Thanks @marcusburghardt .
|
Putting back in draft until prereqs are done. |
Summary
complypack version [--json]subcommand with ldflags-injected build metadataTest plan
go test -race ./...passesgoreleaser checkvalidates configgoreleaser release --snapshot --cleanbuilds binaries successfullycomplypack version --jsoncomplytime/homebrew-taprepo and setHOMEBREW_TAP_GITHUB_TOKENsecret before first release