.goreleaser.release-footer.md.tmpl
### Verification posture

This GitHub Release is produced by the release workflow after the release PR and production release gates complete:

- Repository gate: `make verify` covers codegen drift, Bun lint/typecheck/test/build, Go fmt/lint/test/build, and import boundaries.
- Release PR dry-run: `pr-release dry-run`, `make test-e2e-nightly`, and `make test-integration` run before the release commit is merged.
- Production release: generated release assets are validated before `goreleaser release --clean` publishes the release.
- Artifact provenance: GoReleaser signs `checksums.txt` with cosign, publishes the Sigstore bundle `checksums.txt.sigstore.json`, and generates Syft SBOMs for archives, packages, and source.
- Installer verification: the curl installer uses local cosign when present or a pinned temporary cosign v2.2.4 verifier before checking AGH release provenance.

Known limitation: this release text does not claim a manual post-release install smoke or live-provider QA run unless the notes above name that evidence.

#### Checksums

```bash
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp '^https://github\.com/compozy/agh/\.github/workflows/release\.yml@refs/heads/main$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt
```
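
Verifying `checksums.txt` authenticates the list of digests only; each downloaded file still has to be matched against that list. The script below is an added example, not part of the AGH repository or its installer: the function names are hypothetical, and it assumes GoReleaser's default `<sha256>  <filename>` line layout with the artifact, `checksums.txt` and the Sigstore bundle in one directory.

```shell
#!/usr/bin/env bash
# Added example (not project code). Function names are hypothetical.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE (Linux or macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact CHECKSUMS ARTIFACT
# Fails closed. Return codes: 0 match, 1 digest mismatch, 2 missing input,
# 3 no entry for the file, 4 more than one entry for the file.
verify_artifact() {
  checksums=$1
  artifact=$2
  if [ ! -f "$checksums" ] || [ ! -f "$artifact" ]; then
    echo "missing input file" >&2
    return 2
  fi
  name=$(basename "$artifact")
  # Exact match on the filename field: a substring match (grep "$name")
  # could select the line of a different, longer-named artifact.
  count=$(awk -v n="$name" '$2 == n {c++} END {print c + 0}' "$checksums")
  if [ "$count" -eq 0 ]; then echo "no checksum entry for $name" >&2; return 3; fi
  if [ "$count" -gt 1 ]; then echo "duplicate entries for $name" >&2; return 4; fi
  expected=$(awk -v n="$name" '$2 == n {print $1}' "$checksums")
  actual=$(sha256_of "$artifact")
  if [ "$expected" != "$actual" ]; then
    echo "MISMATCH $name" >&2
    return 1
  fi
  echo "OK $name"
}

# verify_release ARTIFACT: signature on checksums.txt first, then the digest.
# The cosign arguments are the ones given in the Checksums section above.
verify_release() {
  dir=$(dirname "$1")
  cosign verify-blob \
    --bundle "$dir/checksums.txt.sigstore.json" \
    --certificate-identity-regexp '^https://github\.com/compozy/agh/\.github/workflows/release\.yml@refs/heads/main$' \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$dir/checksums.txt" || return 5
  verify_artifact "$dir/checksums.txt" "$1"
}
```
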
{{- if .PreviousTag }}
**Full Changelog**: https://github.com/compozy/agh/compare/{{ .PreviousTag }}...{{ .Tag }}
{{- else }}
**Source**: https://github.com/compozy/agh/tree/{{ .Tag }}
{{- end }}