ci: Configure GoReleaser to sign the releases #3909
Conversation
Signed-off-by: Suresh Krishnan V <[email protected]>
✅ Deploy Preview for go-feature-flag-doc-preview canceled.
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main    #3909      +/-   ##
==========================================
- Coverage   83.97%   83.92%   -0.06%
==========================================
  Files         136      137       +1
  Lines        6797     6813      +16
==========================================
+ Hits         5708     5718      +10
- Misses        878      884       +6
  Partials      211      211
Signed-off-by: Suresh Krishnan V <[email protected]>
@thomaspoignant Could you please review this PR and let me know if there's anything wrong?
@sureshkrishnan-v Thanks for your pull request, I will review it in the next few days as soon as I have some bandwidth.
Hey @sureshkrishnan-v thanks a lot for your pull request, this looks really great.
I've added some comments, mainly about naming and also to use a GitHub action in order to load the GPG key.
Also if you could have a look at the gemini review, it seems very valuable to add the --armor option.
If you have any question, don't hesitate to ask.
/gemini review
Code Review
This pull request correctly configures GoReleaser to sign release checksums using GPG, which is a great step towards improving the trust and integrity of the releases. The configuration uses environment variables for sensitive data and appropriate GPG flags for a CI environment. I have one suggestion to further improve the configuration by creating an ASCII-armored signature for better portability.
@sureshkrishnan-v I have reviewed the PR. Let me know if you need any help.
@thomaspoignant sure, I will check the comments and update the PR.
@sureshkrishnan-v do you need help on this PR?
Co-authored-by: Thomas Poignant <[email protected]>
@thomaspoignant I have updated the required changes, can you please check my PR?
Description
This PR configures GoReleaser to sign release artifacts (checksums) using GPG.
- Adds a `signs` section to `.goreleaser.yaml` to sign checksums with GPG.
- Updates `.github/workflows/release.yml` to import the GPG key from GitHub Secrets and set the required env variables (`GPG_PRIVATE_KEY`, `GPG_PASSPHRASE`, `GPG_KEY_ID`).
- Tested with `goreleaser release --snapshot --clean --skip=publish` using a test GPG key.
- Verified the signature with `gpg --verify dist/checksums.txt.sig dist/checksums.txt`.

Closes issue(s)
Resolve #3879

Checklist
- Documentation updated (`README.md` and/or `website/docs`) if necessary
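The sign-and-verify cycle the description walks through, as an added example that is not part of this PR or of the go-feature-flag project: it creates a throwaway key in an isolated GNUPGHOME, signs a constructed checksums.txt with the same kind of batch/loopback flags a CI job needs plus the --armor option the review asked for, and then runs the consumer-side check (signature first, then the per-artifact hashes) and shows that a tampered artifact is rejected. The artifact name, passphrase and key user ID are constructed placeholders; it assumes GnuPG 2.1 or later and GNU coreutils sha256sum on PATH. Because --armor produces an ASCII signature, the output is named checksums.txt.asc here rather than the checksums.txt.sig used in the description, so whichever name the release config emits is the one the verify command must reference.

```shell
# Added example (not from the PR or the project): reproduce the sign/verify
# cycle with a throwaway key, then check that tampering is detected.
set -eu

WORK=$(mktemp -d)
DIST="$WORK/dist"
export GNUPGHOME="$WORK/gnupg"   # isolated keyring so the host's keys are never touched
mkdir -p "$GNUPGHOME" "$DIST"
chmod 700 "$GNUPGHOME"
GPG_PASSPHRASE='example-only-passphrase'   # constructed; CI reads this from a secret

# Constructed stand-in for a GoReleaser artifact and the checksums.txt it writes.
printf 'not a real binary\n' > "$DIST/app_1.0.0_linux_amd64.tar.gz"
(cd "$DIST" && sha256sum app_1.0.0_linux_amd64.tar.gz > checksums.txt)

# Throwaway ed25519 signing key protected by the passphrase above (user ID is constructed).
gpg --batch --quiet --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
    --quick-generate-key 'Release Bot (example only) <release-bot@example.invalid>' ed25519 sign 0
GPG_KEY_ID=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')

# Producer side: detached, ASCII-armored signature over the checksum file.
# --batch and --pinentry-mode loopback let gpg run without a terminal, as in CI.
sign_checksums() {
    gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
        --local-user "$GPG_KEY_ID" --armor \
        --output "$DIST/checksums.txt.asc" --detach-sign "$DIST/checksums.txt"
}

# Consumer side: the signature must verify AND every listed hash must match.
# Returns 0 only when both hold, so a modified checksum list or artifact fails.
verify_release() {
    gpg --batch --verify "$DIST/checksums.txt.asc" "$DIST/checksums.txt" || return 1
    (cd "$DIST" && sha256sum --quiet -c checksums.txt) || return 1
}

sign_checksums
verify_release && echo "signature and hashes OK"

# Appending to the artifact after signing must be caught by the hash check.
printf 'extra bytes\n' >> "$DIST/app_1.0.0_linux_amd64.tar.gz"
verify_release && echo "tamper NOT detected" || echo "tampered artifact rejected"
```

The order of the two checks in verify_release matters: sha256sum -c only proves the artifact matches the list it was given, and the list is only trustworthy once the signature over it has verified against a key you already trust.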