Skip to content

feat: add GoReleaser release pipeline and version command#137

Draft
jpower432 wants to merge 4 commits into
complytime:mainfrom
jpower432:feat/goreleaser-release-pipeline
Draft

feat: add GoReleaser release pipeline and version command#137
jpower432 wants to merge 4 commits into
complytime:mainfrom
jpower432:feat/goreleaser-release-pipeline

Conversation

@jpower432

@jpower432 jpower432 commented Jul 11, 2026

Copy link
Copy Markdown
Member

Summary

  • Replaces the manual release workflow with GoReleaser v2, producing cross-platform binaries (linux/darwin, amd64/arm64), SBOMs, cosign signatures, and a Homebrew cask
  • Adds complypack version [--json] subcommand with ldflags-injected build metadata
  • Bumps org-infra reusable workflows to bc06a92a (post-v0.5.0, semver image tags)
  • Updates README with Homebrew/binary install methods and version command docs

Test plan

  • go test -race ./... passes
  • goreleaser check validates config
  • goreleaser release --snapshot --clean builds binaries successfully
  • Built binary reports correct version info via complypack version --json
  • CI passes on this PR
  • Create complytime/homebrew-tap repo and set HOMEBREW_TAP_GITHUB_TOKEN secret before first release

Picks up semver image tag support from org-infra main.

Assisted-by: Claude (Anthropic, Claude Opus 4.6)
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Replaces the manual release workflow with GoReleaser v2, producing
cross-platform binaries, SBOMs, cosign signatures, and a Homebrew
cask. Adds `complypack version [--json]` with ldflags-injected build
metadata.

Assisted-by: Claude (Anthropic, Claude Opus 4.6)
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
@jpower432 jpower432 requested a review from a team as a code owner July 11, 2026 00:09
@jpower432 jpower432 requested review from gvauter and hbraswelrh and removed request for a team July 11, 2026 00:09
@jpower432 jpower432 marked this pull request as draft July 11, 2026 00:17
Replaces the PAT-based HOMEBREW_TAP_GITHUB_TOKEN secret with a
scoped installation token from the complytime-bot GitHub App.

Assisted-by: Claude (Anthropic, Claude Opus 4.6)
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
Scope complytime-bot app token with permission-contents: write to
satisfy zizmor's github-app audit. Fix MD060 table alignment in README.

Assisted-by: Claude (Anthropic, Claude Opus 4.6)
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
@jpower432 jpower432 marked this pull request as ready for review July 11, 2026 19:23

@hbraswelrh hbraswelrh left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Solid PR — GoReleaser config, supply chain signing, and version command all look good. One medium finding on the zizmor github-app audit.

This review was generated by /review-pr (AI-assisted).

with:
client-id: ${{ secrets.COMPLYTIME_BOT_CLIENT_ID }}
private-key: ${{ secrets.COMPLYTIME_BOT_PRIVATE_KEY }}
owner: complytime

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] zizmor github-app audit — token scope

The owner: complytime field triggers zizmor's github-app audit (High confidence), causing the lint CI check to fail. The token IS correctly scoped with repositories: homebrew-tap and permission-contents: write, so the actual security risk is low.

Options to resolve:

  1. Remove owner: complytime — since this workflow already runs in a complytime repo, the app installation should default to the correct owner.
  2. Add a # zizmor: ignore[github-app] suppression comment above this step with a justification note.
  3. Add a .zizmor.yml config file to suppress this specific audit for release.yml.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hbraswelrh I actually think we need megalinter to bump the version of zizmor. cc @marcusburghardt. I ran this locally and there were no issues with version - v1.26.1.

call_reusable_ci:
name: Standardized CI
uses: complytime/org-infra/.github/workflows/reusable_ci.yml@638b2037394ca0f0b860a135c7c27dce75fd3c03 # v0.5.0
uses: complytime/org-infra/.github/workflows/reusable_ci.yml@bc06a92af71291fb9fabbf758c3388b510926ede # main (post-v0.5.0: adds semver image tags)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jpower432 , would it help if we cut another release of org-infra? I am not sure how dependabot PRs would manage a pinned version to main.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that would help alot. Thanks @marcusburghardt .

@jpower432

Copy link
Copy Markdown
Member Author

Putting back in draft until prereqs are done.

@jpower432 jpower432 marked this pull request as draft July 13, 2026 13:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants