Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package goreleaser for openSUSE:Factory checked in at 2025-09-25 18:46:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/goreleaser (Old)
 and /work/SRC/openSUSE:Factory/.goreleaser.new.11973 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "goreleaser" Thu Sep 25 18:46:09 2025 rev:13 rq:1307151 version:2.12.3 Changes: -------- --- /work/SRC/openSUSE:Factory/goreleaser/goreleaser.changes 2025-09-18 21:10:58.776207691 +0200 +++ /work/SRC/openSUSE:Factory/.goreleaser.new.11973/goreleaser.changes 2025-09-25 18:48:33.558367917 +0200 
@@ -1,0 +2,52 @@ +Thu Sep 25 13:31:49 UTC 2025 - Felix Niederwanger <[email protected]> + +- Update to version 2.12.3: + * fix(makeself): keep full binary name + * fix(makeself): keep script name + * ci: fix generate job + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.88.1 to 1.88.2 (#6113) + * chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#6111) + * ci: scorecard.yml pin fix + * ci: better pinning + * ci: fix nightly.yml + * ci: fix nightly.yml + * chore(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#6112) + * fix: lint + * test: improve fuzz tests + * test: fuzz + * test: fuzz tests for tmpl, artifact + * ci: fix build.yml + * ci: fix docs.yml and generate.yml + * chore(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 (#6110) + * ci: fix nightly.yml + * ci: fix gitleaks.yml + * ci: fix gitleaks.yml + * ci: fix grype.yml + * ci: build.yml perms + * docs: pin mkdocs-material image, add it to dependabot + * ci(sec): improve workflows perms + * ci(sec): improve workflows + * ci: scorecard job + * ci: cleanup openssf action + * ci: add openssf action + * ci: add openssf action + * chore: schema update + * docs: fix title + * chore(deps): bump gitlab.com/gitlab-org/api/client-go from 0.147.0 to 0.148.0 (#6109) + * docs: icons on smaller screens + * chore(deps): bump gitlab.com/gitlab-org/api/client-go from 0.146.0 to 0.147.0 (#6108) + * chore(deps): bump github.com/mark3labs/mcp-go from 0.39.1 to 0.40.0 (#6107) + * chore(deps): bump cachix/install-nix-action from 31.6.1 to 31.6.2 (#6106) + * docs(sec): threat model + * chore: auto-update generated files + * ci: moderator cleanup + * docs: fedora move exclude to repo config (#6103) + * chore(deps): bump gitlab.com/gitlab-org/api/client-go from 0.145.0 to 0.146.0 (#6100) + * chore(deps): bump github.com/charmbracelet/fang from 0.4.1 to 0.4.2 (#6101) + * chore(deps): bump cargo-bins/cargo-binstall from cf49c6dbd5eb6865966cf4fae3ab1ecfb82ed87e to 
6c16d05d76228d6ebb51c9db4595e86015d8df9d (#6099) + * docs: fix inconsistency about symlink in nfpm.md (#6094) + * fix(sbom): --enrich=all should be the default (#6095) + * chore(deps): bump cargo-bins/cargo-binstall from d020f1115f5ef21c966a766b15e98f8aad36a049 to cf49c6dbd5eb6865966cf4fae3ab1ecfb82ed87e (#6097) + * chore: auto-update generated files + +------------------------------------------------------------------- Old: ---- goreleaser-2.12.2.obscpio New: ---- goreleaser-2.12.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ goreleaser.spec ++++++ --- /var/tmp/diff_new_pack.Mi0Q21/_old 2025-09-25 18:48:34.410403579 +0200 +++ /var/tmp/diff_new_pack.Mi0Q21/_new 2025-09-25 18:48:34.410403579 +0200 @@ -17,7 +17,7 @@ Name: goreleaser -Version: 2.12.2 +Version: 2.12.3 Release: 0 Summary: CLI tool for release engineering in Go, Rust, Zig and TypeScript License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Mi0Q21/_old 2025-09-25 18:48:34.482406592 +0200 +++ /var/tmp/diff_new_pack.Mi0Q21/_new 2025-09-25 18:48:34.486406760 +0200 @@ -2,7 +2,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/goreleaser/goreleaser.git</param> <param name="scm">git</param> - <param name="revision">v2.12.2</param> + <param name="revision">v2.12.3</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Mi0Q21/_old 2025-09-25 18:48:34.518408099 +0200 +++ /var/tmp/diff_new_pack.Mi0Q21/_new 2025-09-25 18:48:34.522408267 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/goreleaser/goreleaser.git</param> - <param name="changesrevision">d3d28a6aa7c7fbd070013870670dba88b13e8eb8</param></service></servicedata> + <param name="changesrevision">a1d945da6150425f5e7188dea819992d8a600b8e</param></service></servicedata> (No newline at EOF) ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-02-18 21:02:12.000000000 +0100 @@ -0,0 +1,3 @@ +/goreleaser +/_build* +/goreleaser-*.*.*.tar.gz ++++++ goreleaser-2.12.2.obscpio -> goreleaser-2.12.3.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/dependabot.yml new/goreleaser-2.12.3/.github/dependabot.yml --- old/goreleaser-2.12.2/.github/dependabot.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/dependabot.yml 2025-09-24 22:36:00.000000000 +0200 @@ -34,6 +34,18 @@ commit-message: prefix: "chore" include: "scope" + + # Docs: + - package-ecosystem: "docker" + directory: "/www" + schedule: + interval: "daily" + time: "08:00" + labels: + - "dependencies" + commit-message: + prefix: "chore" + include: "scope" - package-ecosystem: "pip" directory: "/www" schedule: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/build.yml new/goreleaser-2.12.3/.github/workflows/build.yml --- old/goreleaser-2.12.2/.github/workflows/build.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/build.yml 2025-09-24 22:36:00.000000000 +0200 
@@ -20,21 +20,19 @@ license-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version: stable - - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - run: task licenses:check - govulncheck: - uses: caarlos0/meta/.github/workflows/govulncheck.yml@395f87b2cc4fbb0a99db4decb1b3bbd16bc07cfc semgrep: - uses: caarlos0/meta/.github/workflows/semgrep.yml@395f87b2cc4fbb0a99db4decb1b3bbd16bc07cfc + uses: caarlos0/meta/.github/workflows/semgrep.yml@c7f17af352dac91fa6c785d06ebac8547f1abdd3 # v0.1.0 ruleguard: - uses: caarlos0/meta/.github/workflows/ruleguard.yml@395f87b2cc4fbb0a99db4decb1b3bbd16bc07cfc + uses: caarlos0/meta/.github/workflows/ruleguard.yml@c7f17af352dac91fa6c785d06ebac8547f1abdd3 # v0.1.0 with: args: "-disable largeloopcopy" test: 
@@ -46,53 +44,53 @@ env: DOCKER_CLI_EXPERIMENTAL: "enabled" steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 + - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 if: matrix.os == 'ubuntu-latest' - - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 + - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 if: matrix.os == 'ubuntu-latest' with: driver-opts: network=host - name: setup-snapcraft if: matrix.os == 'ubuntu-latest' run: sudo snap install snapcraft --classic - - uses: crazy-max/ghaction-upx@db8cc9515a4a7ea1b312cb82fbeae6d716daf777 + - uses: crazy-max/ghaction-upx@db8cc9515a4a7ea1b312cb82fbeae6d716daf777 # v3.2.0 with: install-only: true - name: setup-makeself if: matrix.os == 'ubuntu-latest' run: sudo apt install -yq makeself - - uses: cachix/install-nix-action@7be5dee1421f63d07e71ce6e0a9f8a4b07c2a487 + - uses: cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31.6.2 if: matrix.os == 'ubuntu-latest' with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - - uses: mlugg/setup-zig@8d6198c65fb0feaa111df26e6b467fea8345e46f - - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 - - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb - - uses: cargo-bins/cargo-binstall@d020f1115f5ef21c966a766b15e98f8aad36a049 + - uses: 
mlugg/setup-zig@8d6198c65fb0feaa111df26e6b467fea8345e46f # v2.0.5 + - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2 + - uses: denoland/setup-deno@e95548e56dfa95d4e1a28d6f422fafe75c4c26fb # v2.0.3 + - uses: cargo-bins/cargo-binstall@20aa316bab4942180bbbabe93237858e8d77f1ed # v1.15.5 - name: setup-cargo run: | rustup default stable cargo binstall cargo-zigbuild - - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a + - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 - if: matrix.os == 'windows-latest' run: 'echo "C:\Users\runneradmin\.local\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append' - - uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 - - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 - - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b + - uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0 + - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 + - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 - run: task setup - run: task build - run: task test - - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 + - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 if: matrix.os == 'ubuntu-latest' with: file: ./coverage.txt @@ -102,7 +100,7 @@ check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - run: go run . check 
@@ -115,7 +113,7 @@ if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}} steps: - id: metadata - uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b + uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - run: | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/codeql.yml new/goreleaser-2.12.3/.github/workflows/codeql.yml --- old/goreleaser-2.12.2/.github/workflows/codeql.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/codeql.yml 2025-09-24 22:36:00.000000000 +0200 @@ -28,11 +28,11 @@ pull-requests: read security-events: write steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3 + - uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 with: languages: ${{ matrix.language }} - - uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3 - - uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3 + - uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + - uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/depsreview.yaml new/goreleaser-2.12.3/.github/workflows/depsreview.yaml --- old/goreleaser-2.12.2/.github/workflows/depsreview.yaml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/depsreview.yaml 2025-09-24 22:36:00.000000000 +0200 
@@ -8,7 +8,7 @@ dependency-review: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 - - uses: actions/dependency-review-action@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3 with: config-file: ./.github/dependency-review.yml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/docs.yml new/goreleaser-2.12.3/.github/workflows/docs.yml --- old/goreleaser-2.12.2/.github/workflows/docs.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/docs.yml 2025-09-24 22:36:00.000000000 +0200 @@ -23,6 +23,9 @@ htmltest: runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 - - run: npm install -g @go-task/cli + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 + with: + version: 3.x + repo-token: ${{ secrets.GITHUB_TOKEN }} - run: task docs:test diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/generate.yml new/goreleaser-2.12.3/.github/workflows/generate.yml --- old/goreleaser-2.12.2/.github/workflows/generate.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/generate.yml 2025-09-24 22:36:00.000000000 +0200 
@@ -11,19 +11,27 @@ contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: token: ${{ secrets.GH_PAT }} - - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod cache: true - - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v1 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - - run: "go install mvdan.cc/gofumpt@latest" - - run: "go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest" + - name: "install tools" + run: | + mkdir -p ~/bin + wget -O ~/bin/gofumpt https://github.com/mvdan/gofumpt/releases/download/v0.9.1/gofumpt_v0.9.1_linux_amd64 + chmod +x ~/bin/gofumpt + wget -O jv.tar.gz https://github.com/santhosh-tekuri/jsonschema/releases/download/v6.0.2/jv-v6.0.2-linux-amd64.tar.gz + tar xzvf jv.tar.gz -C ~/bin jv + chmod +x ~/bin/jv + rm jv.tar.gz + echo "$HOME/bin" >> $GITHUB_PATH - run: task docs:releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -32,7 +40,7 @@ - run: task schema:validate - run: task nix:licenses:generate - run: "git pull" - - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v5 + - uses: stefanzweifel/git-auto-commit-action@778341af668090896ca464160c2def5d1d1a3eb0 # v6.0.1 with: commit_message: "chore: auto-update generated files" branch: main 
@@ -46,7 +54,7 @@ if: ${{ failure() }} steps: - name: Notify - uses: nobrayner/discord-webhook@1766a33bf571acdcc0678f00da4fb83aad01ebc7 + uses: nobrayner/discord-webhook@1766a33bf571acdcc0678f00da4fb83aad01ebc7 # v1 with: github-token: ${{ secrets.github_token }} title: "generate job failed" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/gitleaks.yml new/goreleaser-2.12.3/.github/workflows/gitleaks.yml --- old/goreleaser-2.12.2/.github/workflows/gitleaks.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/gitleaks.yml 2025-09-24 22:36:00.000000000 +0200 @@ -1,20 +1,27 @@ name: gitleaks on: push: - branches: ['main'] - tags: ['v*'] + branches: ["main"] + tags: ["v*"] pull_request: permissions: contents: read jobs: gitleaks: runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 + - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} if: ${{ env.GITLEAKS_LICENSE != '' }} + - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + with: + sarif_file: results.sarif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/govulncheck.yml new/goreleaser-2.12.3/.github/workflows/govulncheck.yml --- old/goreleaser-2.12.2/.github/workflows/govulncheck.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/.github/workflows/govulncheck.yml 2025-09-24 22:36:00.000000000 +0200 
@@ -0,0 +1,26 @@ +name: govulncheck +on: + pull_request: + push: + branches: [main] + schedule: + - cron: "0 2 * * *" +permissions: + contents: read +concurrency: + group: govulncheck-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true +jobs: + govulncheck: + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + steps: + - uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4 + with: + output-format: sarif + output-file: results.sarif + - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + with: + sarif_file: results.sarif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/grype.yml new/goreleaser-2.12.3/.github/workflows/grype.yml --- old/goreleaser-2.12.2/.github/workflows/grype.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/grype.yml 2025-09-24 22:36:00.000000000 +0200 @@ -1,9 +1,11 @@ name: "grype" on: push: - branches: ['main'] - tags: ['v*'] + branches: ["main"] + tags: ["v*"] pull_request: +permissions: + contents: read jobs: scan-source: name: scan-source 
@@ -13,8 +15,13 @@ actions: read contents: read steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 - - uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 + id: scan with: path: "." fail-build: true + severity-cutoff: critical + - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/lint.yml new/goreleaser-2.12.3/.github/workflows/lint.yml --- old/goreleaser-2.12.2/.github/workflows/lint.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/lint.yml 2025-09-24 22:36:00.000000000 +0200 @@ -17,8 +17,8 @@ name: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 - - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - name: golangci-lint diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/milestone.yml new/goreleaser-2.12.3/.github/workflows/milestone.yml --- old/goreleaser-2.12.2/.github/workflows/milestone.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/milestone.yml 2025-09-24 22:36:00.000000000 +0200 
@@ -8,24 +8,18 @@ branches: - main +permissions: + contents: read + jobs: milestone: runs-on: ubuntu-latest - permissions: - actions: none - checks: none contents: read - deployments: none issues: write - packages: none pull-requests: write - repository-projects: none - security-events: none - statuses: none - steps: - - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v6 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | if (!context.payload.pull_request.merged) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/moderator.yml new/goreleaser-2.12.3/.github/workflows/moderator.yml --- old/goreleaser-2.12.2/.github/workflows/moderator.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/moderator.yml 2025-09-24 22:36:00.000000000 +0200 @@ -1,4 +1,4 @@ -name: Moderator +name: moderator on: issues: types: [opened] @@ -6,6 +6,8 @@ types: [created] pull_request_review_comment: types: [created] +permissions: + contents: read jobs: spam-detection: runs-on: ubuntu-latest 
@@ -15,13 +17,7 @@ models: read contents: read steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - - uses: github/ai-moderator@6bcdb2a79c2e564db8d76d7d4439d91a044c4eb6 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: github/ai-moderator@6bcdb2a79c2e564db8d76d7d4439d91a044c4eb6 # v1.1.2 with: token: ${{ secrets.GITHUB_TOKEN }} - spam-label: "spam" - ai-label: "ai-generated" - minimize-detected-comments: true - enable-spam-detection: true - enable-link-spam-detection: true - enable-ai-detection: true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/nightly-oss.yml new/goreleaser-2.12.3/.github/workflows/nightly-oss.yml --- old/goreleaser-2.12.2/.github/workflows/nightly-oss.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/nightly-oss.yml 2025-09-24 22:36:00.000000000 +0200 @@ -14,7 +14,7 @@ outputs: should_run: ${{ steps.check.outputs.should_run }} steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 1 - id: check 
@@ -39,39 +39,39 @@ sudo docker image prune --all --force sudo docker builder prune -a - run: df -h - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 fetch-tags: true - - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v1 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v2 - - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4 + - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 - - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b - - uses: crazy-max/ghaction-upx@db8cc9515a4a7ea1b312cb82fbeae6d716daf777 + - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 + - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 + - uses: crazy-max/ghaction-upx@db8cc9515a4a7ea1b312cb82fbeae6d716daf777 # v3.2.0 with: install-only: true - - uses: cachix/install-nix-action@7be5dee1421f63d07e71ce6e0a9f8a4b07c2a487 + - uses: cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31.6.2 with: github_access_token: ${{ secrets.GITHUB_TOKEN }} - name: dockerhub-login - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ 
secrets.DOCKER_PASSWORD }} - name: ghcr-login - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a + - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 with: distribution: goreleaser-pro version: "nightly" @@ -84,10 +84,10 @@ MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} - - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-checksums: ./dist/checksums.txt - - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-checksums: ./dist/digests.txt - run: df -h @@ -99,7 +99,7 @@ if: ${{ always() }} steps: - name: Notify - uses: nobrayner/discord-webhook@1766a33bf571acdcc0678f00da4fb83aad01ebc7 + uses: nobrayner/discord-webhook@1766a33bf571acdcc0678f00da4fb83aad01ebc7 # v1 with: github-token: ${{ secrets.github_token }} title: "nightly" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/release.yml new/goreleaser-2.12.3/.github/workflows/release.yml --- old/goreleaser-2.12.2/.github/workflows/release.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.github/workflows/release.yml 2025-09-24 22:36:00.000000000 +0200 
@@ -15,7 +15,7 @@ runs-on: ubuntu-latest needs: [goreleaser] steps: - - uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc + - uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4 if: startsWith(github.ref, 'refs/tags/v') with: repo: goreleaser/goreleaser @@ -31,7 +31,7 @@ run: echo "RELEASE_TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV - name: notify goreleaser-cross with new release if: startsWith(github.ref, 'refs/tags/v') - uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc + uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4 with: token: ${{ secrets.GH_PAT }} repo: goreleaser/goreleaser-cross @@ -40,7 +40,7 @@ inputs: '{ "tag" : "${{ env.RELEASE_TAG }}" }' - name: notify goreleaser-rust-cross with new release if: startsWith(github.ref, 'refs/tags/v') - uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc + uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4 with: token: ${{ secrets.GH_PAT }} repo: vedantmgoyal9/goreleaser-rust-cross @@ -57,14 +57,14 @@ matrix: format: [deb, rpm, apk] steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v1 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v2 + - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: | 
@@ -86,44 +86,44 @@ sudo docker image prune --all --force sudo docker builder prune -a - run: df -h - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v1 + - uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0 with: version: 3.x repo-token: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v2 - - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 + - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: setup-snapcraft run: sudo snap install snapcraft --classic - - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v4 + - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: go.mod - - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4 + - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4 with: path: | ./dist/*.deb ./dist/*.rpm ./dist/*.apk key: ${{ github.ref }} - - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 - - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b - - uses: crazy-max/ghaction-upx@db8cc9515a4a7ea1b312cb82fbeae6d716daf777 + - uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 + - uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 + - uses: crazy-max/ghaction-upx@db8cc9515a4a7ea1b312cb82fbeae6d716daf777 # v3.2.0 with: install-only: true - - uses: cachix/install-nix-action@7be5dee1421f63d07e71ce6e0a9f8a4b07c2a487 + - uses: cachix/install-nix-action@a809471b5c7c913aa67bec8f459a11a0decc3fce # v31.6.2 with: 
github_access_token: ${{ secrets.GITHUB_TOKEN }} - name: dockerhub-login if: startsWith(github.ref, 'refs/tags/v') - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: ghcr-login if: startsWith(github.ref, 'refs/tags/v') - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -132,7 +132,7 @@ if: startsWith(github.ref, 'refs/tags/v') run: | npm config set '//registry.npmjs.org/:_authToken'=${{ secrets.NPM_TOKEN }} - - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a + - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 if: ${{ startsWith(github.ref, 'refs/tags/v') }} # only on tags with: distribution: goreleaser-pro 
@@ -161,10 +161,10 @@ ./goreleaser release --clean --timeout 60m --snapshot env: GITHUB_TOKEN: ${{ secrets.GH_PAT }} - - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-checksums: ./dist/checksums.txt - - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a + - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 if: startsWith(github.ref, 'refs/tags/v') # snapshots won't push docker images with: subject-checksums: ./dist/digests.txt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.github/workflows/scorecard.yml new/goreleaser-2.12.3/.github/workflows/scorecard.yml --- old/goreleaser-2.12.2/.github/workflows/scorecard.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/.github/workflows/scorecard.yml 2025-09-24 22:36:00.000000000 +0200 
@@ -0,0 +1,35 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: "20 21 * * 5" + push: + branches: ["main"] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' + permissions: + security-events: write + id-token: write + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + - uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 + with: + sarif_file: results.sarif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/.goreleaser.yaml new/goreleaser-2.12.3/.goreleaser.yaml --- old/goreleaser-2.12.2/.goreleaser.yaml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/.goreleaser.yaml 2025-09-24 22:36:00.000000000 +0200 @@ -330,12 +330,6 @@ sboms: - artifacts: archive - args: - - scan - - "--enrich=all" - - "$artifact" - - "--output" - - "cyclonedx-json=$document" signs: - cmd: cosign diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/README.md new/goreleaser-2.12.3/README.md --- old/goreleaser-2.12.2/README.md 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/README.md 2025-09-24 22:36:00.000000000 +0200 
@@ -3,18 +3,18 @@ <h3 align="center">GoReleaser</h3> <p align="center">Release engineering, simplified.</p> <p align="center"> - <img alt="Go" src="./www/docs/static/go-light.svg#gh-light-mode-only" height="60" width="60" /> - <img alt="Go" src="./www/docs/static/go-dark.svg#gh-dark-mode-only" height="60" width="60" /> - <img alt="Rust" src="./www/docs/static/rust-light.svg#gh-light-mode-only" height="60" width="60" /> - <img alt="Rust" src="./www/docs/static/rust-dark.svg#gh-dark-mode-only" height="60" width="60" /> - <img alt="Zig" src="./www/docs/static/zig-light.svg#gh-light-mode-only" height="60" width="60" /> - <img alt="Zig" src="./www/docs/static/zig-dark.svg#gh-dark-mode-only" height="60" width="60" /> - <img alt="Bun" src="./www/docs/static/bun-light.svg#gh-light-mode-only" height="60" width="60" /> - <img alt="Bun" src="./www/docs/static/bun-dark.svg#gh-dark-mode-only" height="60" width="60" /> - <img alt="Deno" src="./www/docs/static/deno-light.svg#gh-light-mode-only" height="60" width="60" /> - <img alt="Deno" src="./www/docs/static/deno-dark.svg#gh-dark-mode-only" height="60" width="60" /> - <img alt="Python" src="./www/docs/static/python-light.svg#gh-light-mode-only" height="60" width="60" /> - <img alt="Python" src="./www/docs/static/python-dark.svg#gh-dark-mode-only" height="60" width="60" /> + <img alt="Go" src="./www/docs/static/go-light.svg#gh-light-mode-only" height="30" width="30" /> + <img alt="Go" src="./www/docs/static/go-dark.svg#gh-dark-mode-only" height="30" width="30" /> + <img alt="Rust" src="./www/docs/static/rust-light.svg#gh-light-mode-only" height="30" width="30" /> + <img alt="Rust" src="./www/docs/static/rust-dark.svg#gh-dark-mode-only" height="30" width="30" /> + <img alt="Zig" src="./www/docs/static/zig-light.svg#gh-light-mode-only" height="30" width="30" /> + <img alt="Zig" src="./www/docs/static/zig-dark.svg#gh-dark-mode-only" height="30" width="30" /> + <img alt="Bun" src="./www/docs/static/bun-light.svg#gh-light-mode-only" 
height="30" width="30" /> + <img alt="Bun" src="./www/docs/static/bun-dark.svg#gh-dark-mode-only" height="30" width="30" /> + <img alt="Deno" src="./www/docs/static/deno-light.svg#gh-light-mode-only" height="30" width="30" /> + <img alt="Deno" src="./www/docs/static/deno-dark.svg#gh-dark-mode-only" height="30" width="30" /> + <img alt="Python" src="./www/docs/static/python-light.svg#gh-light-mode-only" height="30" width="30" /> + <img alt="Python" src="./www/docs/static/python-dark.svg#gh-dark-mode-only" height="30" width="30" /> </p> </p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/THREAT_MODEL.md new/goreleaser-2.12.3/THREAT_MODEL.md --- old/goreleaser-2.12.2/THREAT_MODEL.md 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/THREAT_MODEL.md 2025-09-24 22:36:00.000000000 +0200 
@@ -0,0 +1,146 @@ +# Threat Modeling Document + +## Introduction + +GoReleaser is an open-source release automation tool designed to build, package, +and publish releases for multiple programming languages. + +This document identifies security threats, assets, and mitigations. + +## Asset Inventory + +### Critical Assets + +- **Source Code:** Project code, build scripts, and configuration files (e.g., `.goreleaser.yml`) +- **Build Artifacts:** Packages, binaries, containers, and other distributable outputs +- **Secrets:** API tokens, signing keys, repository credentials +- **Release Metadata:** Version numbers, changelogs +- **CI/CD Pipelines & Runners:** Automation resources executing releases +- **Third-party Dependencies:** Libraries, plugins, and integrations +- **User Data:** Data handled by project integrations + +### Asset Locations + +- Local developer machines +- GitHub Actions runners +- Artifact repositories +- Public package registries +- Source control platforms + +## Threat Model + +### Actors + +- **Maintainers & Contributors:** Trusted users with varying permissions +- **External Attackers:** Untrusted users seeking to compromise releases or assets +- **Supply Chain Threats:** Malicious dependencies or compromised third-party services +- **CI/CD Systems:** Automated agents that may be exploited if misconfigured + +### Entry Points + +- Source code contributions (pull requests, issues) +- Configuration files and scripts +- CI/CD integration and environment variables +- Third-party plugins and dependencies +- Release pipelines and artifact repositories + +### Trust Boundaries + +- Between project repository and CI/CD environment +- Between GoReleaser and external plugins/dependencies +- Between artifact generation and distribution channels + +### Threats + +#### Supply Chain Attacks + +- Compromised dependencies or plugins +- Unauthorized changes to source/configuration +- Exploitation of third-party CI/CD or repository services + +#### Secrets 
Leakage + +- Exposure of tokens, credentials, or signing keys in logs, error messages, or artifacts +- Hardcoded secrets in code or configuration +- Improper secret management in CI/CD environments + +#### Code Execution/Injection + +- Malicious code execution via PRs, plugins, or configuration +- Remote code execution vulnerabilities in GoReleaser or dependencies + +#### Unauthorized Access + +- Unauthorized users triggering releases or accessing sensitive artifacts +- Insecure permissions on runners, repositories, or artifact stores + +#### Data Integrity & Tampering + +- Tampering with build artifacts, changelogs, or metadata +- Compromise of signing keys, leading to malicious releases + +#### Denial of Service + +- Abuse of CI/CD resources, bandwidth, or artifact storage +- Overloading automated processes or API endpoints + +## Mitigations + +### Supply Chain Security + +- Pin dependencies and use trusted sources +- Mandatory code review and CI checks on all incoming PRs +- Signed commits and release tags +- Enable immutable releases +- Run security scans on every commit + +### Secrets Management + +- Secure storage using environment variables and secret managers (e.g. 
GitHub Secrets) +- Never log or expose secrets in build or release outputs +- Regularly rotate secrets and monitor for suspicious activity + +### Secure Code Execution + +- Validate and sanitize configuration files and user inputs +- Limit shell command and script execution scope +- Audit dependencies and plugins for vulnerabilities + +### Access Control + +- Enforce least privilege for CI/CD runners, repositories, and artifact stores +- Require multi-factor authentication for maintainers +- Restrict release triggers to authorized users/systems +- Lower permissions of less active maintainers + +### Artifact Integrity + +- Sign release artifacts with GPG or similar tools +- Verify signatures before distribution +- Use trusted, access-controlled artifact repositories + +### Availability Protection + +- Implement rate limiting and resource quotas on CI/CD jobs +- Monitor for abnormal activity and automate alerts + +## Residual Risks + +- Zero-day vulnerabilities in dependencies, CI/CD systems, or GoReleaser itself +- Social engineering attacks targeting maintainers +- Unnoticed supply chain compromises +- Human error in configuration or secret management + +## Security Best Practices + +- Regularly update GoReleaser and dependencies +- Monitor security advisories and patch vulnerabilities promptly +- Educate contributors on secure coding and secrets hygiene +- Document security policies and incident response procedures + +## References + +- [GoReleaser Documentation](https://goreleaser.com/) +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Supply Chain Security](https://slsa.dev/) +- [GitHub Security Best Practices](https://docs.github.com/en/code-security) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/Taskfile.yml new/goreleaser-2.12.3/Taskfile.yml --- old/goreleaser-2.12.2/Taskfile.yml 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/Taskfile.yml 2025-09-24 22:36:00.000000000 
+0200 @@ -43,6 +43,20 @@ cmds: - go test {{.TEST_OPTIONS}} -failfast -race -coverpkg=./... -covermode=atomic -coverprofile=coverage.txt {{.SOURCE_FILES}} -run {{.TEST_PATTERN}} -timeout=15m + fuzz:tmpl: + cmds: + - scripts/fuzz.sh ./internal/tmpl 30s + + fuzz:artifact: + cmds: + - scripts/fuzz.sh ./internal/artifact 30s + + fuzz: + desc: Run fuzz tests + cmds: + - task: fuzz:tmpl + - task: fuzz:artifact + test:golden:update: desc: Run all tests that write goldne files, updating the files. sources: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/go.mod new/goreleaser-2.12.3/go.mod --- old/goreleaser-2.12.2/go.mod 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/go.mod 2025-09-24 22:36:00.000000000 +0200 @@ -17,9 +17,9 @@ github.com/caarlos0/go-shellwords v1.0.12 github.com/caarlos0/go-version v0.2.2 github.com/caarlos0/log v0.5.1 - github.com/charmbracelet/fang v0.4.1 + github.com/charmbracelet/fang v0.4.2 github.com/charmbracelet/keygen v0.5.3 - github.com/charmbracelet/lipgloss/v2 v2.0.0-beta.3 + github.com/charmbracelet/lipgloss/v2 v2.0.0-beta.3.0.20250917201909-41ff0bf215ea github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/dghubble/go-twitter v0.0.0-20211115160449-93a8679adecb github.com/dghubble/oauth1 v0.7.3 @@ -35,7 +35,7 @@ github.com/invopop/jsonschema v0.13.0 github.com/jarcoal/httpmock v1.4.1 github.com/klauspost/pgzip v1.2.6 - github.com/mark3labs/mcp-go v0.39.1 + github.com/mark3labs/mcp-go v0.40.0 github.com/mattn/go-mastodon v0.0.10 github.com/mitchellh/go-homedir v1.1.0 github.com/muesli/mango-cobra v1.3.0 @@ -45,7 +45,7 @@ github.com/spf13/cobra v1.10.1 github.com/stretchr/testify v1.11.1 github.com/ulikunitz/xz v0.5.15 - gitlab.com/gitlab-org/api/client-go v0.145.0 + gitlab.com/gitlab-org/api/client-go v0.148.0 gocloud.dev v0.42.0 golang.org/x/crypto v0.42.0 golang.org/x/oauth2 v0.31.0 
@@ -66,11 +66,14 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect github.com/anchore/bubbly v0.0.0-20241107060245-f2a5536f366a // indirect github.com/charmbracelet/bubbletea v1.3.0 // indirect - github.com/charmbracelet/colorprofile v0.3.1 // indirect + github.com/charmbracelet/colorprofile v0.3.2 // indirect github.com/charmbracelet/lipgloss v1.1.0 // indirect + github.com/charmbracelet/ultraviolet v0.0.0-20250915111650-81d4262876ef // indirect github.com/charmbracelet/x/cellbuf v0.0.13 // indirect github.com/charmbracelet/x/exp/charmtone v0.0.0-20250603201427-c31516f43444 // indirect github.com/charmbracelet/x/term v0.2.1 // indirect + github.com/charmbracelet/x/termios v0.1.1 // indirect + github.com/charmbracelet/x/windows v0.2.2 // indirect github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect 
@@ -151,24 +154,24 @@ github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/aws/aws-sdk-go v1.55.7 // indirect - github.com/aws/aws-sdk-go-v2 v1.39.0 // indirect + github.com/aws/aws-sdk-go-v2 v1.39.1 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 // indirect github.com/aws/aws-sdk-go-v2/config v1.30.3 // indirect github.com/aws/aws-sdk-go-v2/credentials v1.18.3 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.2 // indirect github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.69 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect - github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.7 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.8 // indirect github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.7 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.7 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.8 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.8 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.43.0 // indirect - github.com/aws/aws-sdk-go-v2/service/s3 v1.88.1 + github.com/aws/aws-sdk-go-v2/service/s3 v1.88.2 
github.com/aws/aws-sdk-go-v2/service/sso v1.27.0 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.32.0 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.36.0 // indirect @@ -185,7 +188,7 @@ github.com/cavaliergopher/cpio v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/charmbracelet/x/ansi v0.8.0 // indirect + github.com/charmbracelet/x/ansi v0.10.1 // indirect github.com/cloudflare/circl v1.6.1 // indirect github.com/containerd/continuity v0.4.5 // indirect github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect @@ -276,7 +279,7 @@ github.com/klauspost/cpuid/v2 v2.2.7 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/letsencrypt/boulder v0.0.0-20250411005613-d800055fe666 // indirect - github.com/lucasb-eyer/go-colorful v1.2.0 // indirect + github.com/lucasb-eyer/go-colorful v1.3.0 // indirect github.com/mailru/easyjson v0.9.0 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.16 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/go.sum new/goreleaser-2.12.3/go.sum --- old/goreleaser-2.12.2/go.sum 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/go.sum 2025-09-24 22:36:00.000000000 +0200 
@@ -152,8 +152,8 @@ github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA= github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.39.0 h1:xm5WV/2L4emMRmMjHFykqiA4M/ra0DJVSWUkDyBjbg4= -github.com/aws/aws-sdk-go-v2 v1.39.0/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= +github.com/aws/aws-sdk-go-v2 v1.39.1 h1:fWZhGAwVRK/fAN2tmt7ilH4PPAE11rDj7HytrmbZ2FE= +github.com/aws/aws-sdk-go-v2 v1.39.1/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1 h1:i8p8P4diljCr60PpJp6qZXNlgX4m2yQFpYk+9ZT+J4E= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.1/go.mod h1:ddqbooRZYNoJ2dsTwOty16rM+/Aqmk/GOXrK8cg7V00= github.com/aws/aws-sdk-go-v2/config v1.30.3 h1:utupeVnE3bmB221W08P0Moz1lDI3OwYa2fBtUhl7TCc= 
@@ -164,30 +164,30 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.2/go.mod h1:eJDFKAMHHUvv4a0Zfa7bQb//wFNUXGrbFpYRCHe2kD0= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.69 h1:6VFPH/Zi9xYFMJKPQOX5URYkQoXRWeJ7V/7Y6ZDYoms= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.69/go.mod h1:GJj8mmO6YT6EqgduWocwhMoxTLFitkhIrK+owzrYL2I= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7 h1:UCxq0X9O3xrlENdKf1r9eRJoKz/b0AfGkpp3a7FPlhg= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.7/go.mod h1:rHRoJUNUASj5Z/0eqI4w32vKvC7atoWR0jC+IkmVH8k= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7 h1:Y6DTZUn7ZUC4th9FMBbo8LVE+1fyq3ofw+tRwkUd3PY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.7/go.mod h1:x3XE6vMnU9QvHN/Wrx2s44kwzV2o2g5x/siw4ZUJ9g8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8 h1:6bgAZgRyT4RoFWhxS+aoGMFyE0cD1bSzFnEEi4bFPGI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.8/go.mod h1:KcGkXFVU8U28qS4KvLEcPxytPZPBcRawaH2Pf/0jptE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8 h1:HhJYoES3zOz34yWEpGENqJvRVPqpmJyR3+AFg9ybhdY= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.8/go.mod h1:JnA+hPWeYAVbDssp83tv+ysAG8lTfLVXvSsyKg/7xNA= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.7 h1:BszAktdUo2xlzmYHjWMq70DqJ7cROM8iBd3f6hrpuMQ= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.7/go.mod h1:XJ1yHki/P7ZPuG4fd3f0Pg/dSGA2cTQBCLw82MH2H48= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.8 h1:1/bT9kDdLQzfZ1e6J6hpW+SfNDd6xrV8F3M2CuGyUz8= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.8/go.mod h1:RbdwTONAIi59ej/+1H+QzZORt5bcyAtbrS7FQb2pvz0= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 h1:Bwzh202Aq7/MYnAjXA9VawCf6u+hjwMdoYmZ4HYsdf8= github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1/go.mod 
h1:xZzWl9AXYa6zsLLH41HBFW8KRKJRIzlGmvSM0mVMIX4= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 h1:XJ/AEFYj9VFPJdF+VFi4SUPEDfz1akHwxxm07JfZJcs= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2/go.mod h1:JUBHdhvKbbKmhaHjLsKJAWnQL80T6nURmhB/LEprV+4= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.7 h1:zmZ8qvtE9chfhBPuKB2aQFxW5F/rpwXUgmcVCgQzqRw= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.7/go.mod h1:vVYfbpd2l+pKqlSIDIOgouxNsGu5il9uDp0ooWb0jys= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7 h1:mLgc5QIgOy26qyh5bvW+nDoAppxgn3J2WV3m9ewq7+8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.7/go.mod h1:wXb/eQnqt8mDQIQTTmcw58B5mYGxzLGZGK8PWNFZ0BA= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.7 h1:u3VbDKUCWarWiU+aIUK4gjTr/wQFXV17y3hgNno9fcA= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.7/go.mod h1:/OuMQwhSyRapYxq6ZNpPer8juGNrB4P5Oz8bZ2cgjQE= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.8 h1:tIN8MFT1z5STK5kTdOT1TCfMN/bn5fSEnlKsTL8qBOU= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.8.8/go.mod h1:VKS56txtNWjKI8FqD/hliL0BcshyF4ZaLBa1rm2Y+5s= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8 h1:M6JI2aGFEzYxsF6CXIuRBnkge9Wf9a2xU39rNeXgu10= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.8/go.mod h1:Fw+MyTwlwjFsSTE31mH211Np+CUslml8mzc0AFEG09s= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.8 h1:AgYCo1Rb8XChJXA871BXHDNxNWOTAr6V5YdsRIBbgv0= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.8/go.mod h1:Au9dvIGm1Hbqnt29d3VakOCQuN9l0WrkDDTRq8biWS4= github.com/aws/aws-sdk-go-v2/service/kms v1.43.0 
h1:mdbWU38ipmDapPcsD6F7ObjjxMLrWUK0jI2NcC7zAcI= github.com/aws/aws-sdk-go-v2/service/kms v1.43.0/go.mod h1:6FWXdzVbnG8ExnBQLHGIo/ilb1K7Ek1u6dcllumBe1s= -github.com/aws/aws-sdk-go-v2/service/s3 v1.88.1 h1:+RpGuaQ72qnU83qBKVwxkznewEdAGhIWo/PQCmkhhog= -github.com/aws/aws-sdk-go-v2/service/s3 v1.88.1/go.mod h1:xajPTguLoeQMAOE44AAP2RQoUhF8ey1g5IFHARv71po= +github.com/aws/aws-sdk-go-v2/service/s3 v1.88.2 h1:T7b3qniouutV5Wwa9B1q7gW+Y8s1B3g9RE9qa7zLBIM= +github.com/aws/aws-sdk-go-v2/service/s3 v1.88.2/go.mod h1:tW9TsLb6t1eaTdBE6LITyJW1m/+DjQPU78Q/jT2FJu8= github.com/aws/aws-sdk-go-v2/service/sso v1.27.0 h1:j7/jTOjWeJDolPwZ/J4yZ7dUsxsWZEsxNwH5O7F8eEA= github.com/aws/aws-sdk-go-v2/service/sso v1.27.0/go.mod h1:M0xdEPQtgpNT7kdAX4/vOAPkFj60hSQRb7TvW9B0iug= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.32.0 h1:ywQF2N4VjqX+Psw+jLjMmUL2g1RDHlvri3NxHA08MGI= 
@@ -246,18 +246,20 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/charmbracelet/bubbletea v1.3.0 h1:fPMyirm0u3Fou+flch7hlJN9krlnVURrkUVDwqXjoAc= github.com/charmbracelet/bubbletea v1.3.0/go.mod h1:eTaHfqbIwvBhFQM/nlT1NsGc4kp8jhF8LfUK67XiTDM= -github.com/charmbracelet/colorprofile v0.3.1 h1:k8dTHMd7fgw4bnFd7jXTLZrSU/CQrKnL3m+AxCzDz40= -github.com/charmbracelet/colorprofile v0.3.1/go.mod h1:/GkGusxNs8VB/RSOh3fu0TJmQ4ICMMPApIIVn0KszZ0= -github.com/charmbracelet/fang v0.4.1 h1:NC0Y4oqg7YuZcBg/KKsHy8DSow0ZDjF4UJL7LwtA0dE= -github.com/charmbracelet/fang v0.4.1/go.mod h1:9gCUAHmVx5BwSafeyNr3GI0GgvlB1WYjL21SkPp1jyU= +github.com/charmbracelet/colorprofile v0.3.2 h1:9J27WdztfJQVAQKX2WOlSSRB+5gaKqqITmrvb1uTIiI= +github.com/charmbracelet/colorprofile v0.3.2/go.mod h1:mTD5XzNeWHj8oqHb+S1bssQb7vIHbepiebQ2kPKVKbI= +github.com/charmbracelet/fang v0.4.2 h1:nWr7Tb82/TTNNGMGG35aTZ1X68loAOQmpb0qxkKXjas= +github.com/charmbracelet/fang v0.4.2/go.mod h1:wHJKQYO5ReYsxx+yZl+skDtrlKO/4LLEQ6EXsdHhRhg= github.com/charmbracelet/keygen v0.5.3 h1:2MSDC62OUbDy6VmjIE2jM24LuXUvKywLCmaJDmr/Z/4= github.com/charmbracelet/keygen v0.5.3/go.mod h1:TcpNoMAO5GSmhx3SgcEMqCrtn8BahKhB8AlwnLjRUpk= github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY= github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30= -github.com/charmbracelet/lipgloss/v2 v2.0.0-beta.3 h1:W6DpZX6zSkZr0iFq6JVh1vItLoxfYtNlaxOJtWp8Kis= -github.com/charmbracelet/lipgloss/v2 v2.0.0-beta.3/go.mod h1:65HTtKURcv/ict9ZQhr6zT84JqIjMcJbyrZYHHKNfKA= -github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE= -github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q= +github.com/charmbracelet/lipgloss/v2 v2.0.0-beta.3.0.20250917201909-41ff0bf215ea h1:g1HfUgSMvye8mgecMD1mPscpt+pzJoDEiSA+p2QXzdQ= +github.com/charmbracelet/lipgloss/v2 
v2.0.0-beta.3.0.20250917201909-41ff0bf215ea/go.mod h1:ngHerf1JLJXBrDXdphn5gFrBPriCL437uwukd5c93pM= +github.com/charmbracelet/ultraviolet v0.0.0-20250915111650-81d4262876ef h1:VrWaUi2LXYLjfjCHowdSOEc6dQ9Ro14KY7Bw4IWd19M= +github.com/charmbracelet/ultraviolet v0.0.0-20250915111650-81d4262876ef/go.mod h1:AThRsQH1t+dfyOKIwXRoJBniYFQUkUpQq4paheHMc2o= +github.com/charmbracelet/x/ansi v0.10.1 h1:rL3Koar5XvX0pHGfovN03f5cxLbCF2YvLeyz7D2jVDQ= +github.com/charmbracelet/x/ansi v0.10.1/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE= github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k= github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs= github.com/charmbracelet/x/exp/charmtone v0.0.0-20250603201427-c31516f43444 h1:IJDiTgVE56gkAGfq0lBEloWgkXMk4hl/bmuPoicI4R0= @@ -266,6 +268,10 @@ github.com/charmbracelet/x/exp/golden v0.0.0-20240806155701-69247e0abc2a/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U= github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ= github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg= +github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY= +github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo= +github.com/charmbracelet/x/windows v0.2.2 h1:IofanmuvaxnKHuV04sC0eBy/smG6kIKrWG2/jYn2GuM= +github.com/charmbracelet/x/windows v0.2.2/go.mod h1:/8XtdKZzedat74NQFn0NGlGL4soHB0YQZrETF96h75k= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4= github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= 
@@ -662,12 +668,12 @@ github.com/letsencrypt/boulder v0.0.0-20250411005613-d800055fe666/go.mod h1:WGXwLq/jKt0kng727wv6a0h0q7TVC+MwS2S75rcqL+4= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= -github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= -github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= +github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag= +github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= -github.com/mark3labs/mcp-go v0.39.1 h1:2oPxk7aDbQhouakkYyKl2T4hKFU1c6FDaubWyGyVE1k= -github.com/mark3labs/mcp-go v0.39.1/go.mod h1:T7tUa2jO6MavG+3P25Oy/jR7iCeJPHImCZHRymCn39g= +github.com/mark3labs/mcp-go v0.40.0 h1:M0oqK412OHBKut9JwXSsj4KanSmEKpzoW8TcxoPOkAU= +github.com/mark3labs/mcp-go v0.40.0/go.mod h1:T7tUa2jO6MavG+3P25Oy/jR7iCeJPHImCZHRymCn39g= github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE= github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 
@@ -954,8 +960,8 @@ github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= gitlab.com/digitalxero/go-conventional-commit v1.0.7 h1:8/dO6WWG+98PMhlZowt/YjuiKhqhGlOCwlIV8SqqGh8= gitlab.com/digitalxero/go-conventional-commit v1.0.7/go.mod h1:05Xc2BFsSyC5tKhK0y+P3bs0AwUtNuTp+mTpbCU/DZ0= -gitlab.com/gitlab-org/api/client-go v0.145.0 h1:gvi4bwoF6fyQq6kJix4WicApy/jBRpGlqzI0PDRD9kU= -gitlab.com/gitlab-org/api/client-go v0.145.0/go.mod h1:eABRp++g3IbUP10ZeBIys+9g59dgJnlQLEk8XgKNB54= +gitlab.com/gitlab-org/api/client-go v0.148.0 h1:64dZ08MfUXOUJQLCkj9gfgdYaG8TEl/Of2cED+3S+pI= +gitlab.com/gitlab-org/api/client-go v0.148.0/go.mod h1:9Y5ivg3xj5KJ+TAyRmNSiQtpkoqKsHLRRlLKpgXNJ+Q= go.mongodb.org/mongo-driver v1.17.3 h1:TQyXhnsWfWtgAhMtOgtYHMTkZIfBTpMTsMnd9ZBeHxQ= go.mongodb.org/mongo-driver v1.17.3/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/artifact/artifact_fuzz_test.go new/goreleaser-2.12.3/internal/artifact/artifact_fuzz_test.go --- old/goreleaser-2.12.2/internal/artifact/artifact_fuzz_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/internal/artifact/artifact_fuzz_test.go 2025-09-24 22:36:00.000000000 +0200 
@@ -0,0 +1,81 @@ +package artifact + +import ( + "crypto/rand" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" +) + +func FuzzChecksum(f *testing.F) { + f.Add("sha256", []byte("hello world")) + f.Add("md5", []byte("test data")) + f.Add("sha1", []byte("fuzz testing")) + f.Add("crc32", []byte("random bytes")) + f.Add("sha512", []byte("more data")) + f.Add("blake2b", []byte("blake2b test")) + f.Add("blake2s", []byte("blake2s test")) + f.Add("sha224", []byte("sha224 data")) + f.Add("sha384", []byte("sha384 content")) + f.Add("sha3-256", []byte("sha3 example")) + f.Add("sha3-512", []byte("sha3 large")) + f.Add("sha3-224", []byte("sha3 small")) + f.Add("sha3-384", []byte("sha3 medium")) + + f.Fuzz(func(t *testing.T, algorithm string, data []byte) { + if !validAlgorithms[algorithm] { + t.Skip() + } + + filePath := filepath.Join(t.TempDir(), "fuzzfile") + require.NoError(t, os.WriteFile(filePath, data, 0o644)) + artifact := Artifact{ + Path: filePath, + } + _, err := artifact.Checksum(algorithm) + require.NoError(t, err) + }) +} + +func FuzzChecksumLargeData(f *testing.F) { + f.Add("sha256", 10000) + f.Add("md5", 50000) + f.Add("sha1", 100000) + + f.Fuzz(func(t *testing.T, algorithm string, size int) { + if !validAlgorithms[algorithm] { + t.Skip() + } + data := make([]byte, size) + _, err := rand.Read(data) + require.NoError(t, err) + + filePath := filepath.Join(t.TempDir(), "largefuzzfile") + require.NoError(t, os.WriteFile(filePath, data, 0o644)) + artifact := Artifact{ + Path: filePath, + } + + // Calculate checksum + _, err = artifact.Checksum(algorithm) + require.NoError(t, err) + }) +} + +var validAlgorithms = map[string]bool{ + "sha256": true, + "md5": true, + "sha1": true, + "crc32": true, + "sha512": true, + "blake2b": true, + "blake2s": true, + "sha224": true, + "sha384": true, + "sha3-224": true, + "sha3-256": true, + "sha3-384": true, + "sha3-512": true, +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/goreleaser-2.12.2/internal/artifact/testdata/fuzz/FuzzChecksumLargeData/9f2a0bc58229b2e8 new/goreleaser-2.12.3/internal/artifact/testdata/fuzz/FuzzChecksumLargeData/9f2a0bc58229b2e8 --- old/goreleaser-2.12.2/internal/artifact/testdata/fuzz/FuzzChecksumLargeData/9f2a0bc58229b2e8 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/internal/artifact/testdata/fuzz/FuzzChecksumLargeData/9f2a0bc58229b2e8 2025-09-24 22:36:00.000000000 +0200 @@ -0,0 +1,3 @@ +go test fuzz v1 +string("0") +int(50000) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/pipe/makeself/makeself.go new/goreleaser-2.12.3/internal/pipe/makeself/makeself.go --- old/goreleaser-2.12.2/internal/pipe/makeself/makeself.go 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/internal/pipe/makeself/makeself.go 2025-09-24 22:36:00.000000000 +0200 @@ -192,7 +192,7 @@ log := log.WithField("package", filename).WithField("dir", dir) log.Info("creating makeself package") - arg := makeArg(name, filename, compression, extraArgs) + arg := makeArg(name, filename, compression, filepath.Base(script), extraArgs) cmd := exec.CommandContext(ctx, "makeself", arg...) cmd.Dir = dir cmd.Env = append(ctx.Env.Strings(), cmd.Environ()...) @@ -228,7 +228,7 @@ } for _, binary := range binaries { - dst := filepath.Join(dir, filepath.Base(binary.Name)) + dst := filepath.Join(dir, binary.Name) if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil { return "", fmt.Errorf("failed to create directory for %s: %w", binary.Name, err) } 
@@ -250,7 +250,7 @@ return "", fmt.Errorf("failed to copy file %s: %w", f.Source, err) } } - if err := gio.Copy(script, filepath.Join(dir, "script.sh")); err != nil { + if err := gio.Copy(script, filepath.Join(dir, filepath.Base(script))); err != nil { return "", fmt.Errorf("failed to copy binary %s: %w", script, err) } if err := os.WriteFile(filepath.Join(dir, "package.lsm"), []byte(lsm), 0o644); err != nil { @@ -259,7 +259,7 @@ return dir, nil } -func makeArg(name, filename, compression string, extraArgs []string) []string { +func makeArg(name, filename, compression, script string, extraArgs []string) []string { arg := []string{"--quiet"} // Always run quietly switch compression { case "gzip", "bzip2", "xz", "lzo", "compress": @@ -272,7 +272,7 @@ arg = append(arg, "--lsm", "package.lsm") arg = append(arg, extraArgs...) - return append(arg, ".", filename, name, "./script.sh") + return append(arg, ".", filename, name, script) } func makeArtifact(cfg config.Makeself, binary *artifact.Artifact, filename, path string) *artifact.Artifact { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/pipe/makeself/makeself_test.go new/goreleaser-2.12.3/internal/pipe/makeself/makeself_test.go --- old/goreleaser-2.12.2/internal/pipe/makeself/makeself_test.go 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/internal/pipe/makeself/makeself_test.go 2025-09-24 22:36:00.000000000 +0200 @@ -85,7 +85,7 @@ for _, goos := range []string{"linux", "darwin"} { for _, goarch := range []string{"amd64", "arm64"} { ctx.Artifacts.Add(&artifact.Artifact{ - Name: "mybin", + Name: "dir/mybin", Path: filepath.Join(tmp, "mybin"), Type: artifact.Binary, Goos: goos, 
@@ -125,7 +125,7 @@ return strings.Compare(a.Path, b.Path) }) - requireContainsFiles(t, result[0].Path, "mybin", "package.lsm", "script.sh") + requireContainsFiles(t, result[0].Path, "dir/mybin", "package.lsm", "setup.sh") requireEqualLSM(t, result[0].Path) }) t.Run("complete", func(t *testing.T) { @@ -163,7 +163,7 @@ require.Equal(t, "makeself", artifact.ExtraOr(*m, artifact.ExtraFormat, "")) require.Equal(t, ".run", artifact.ExtraOr(*m, artifact.ExtraExt, "")) - requireContainsFiles(t, result[0].Path, "mybin", "package.lsm", "script.sh", "docs/foo.txt") + requireContainsFiles(t, result[0].Path, "dir/mybin", "package.lsm", "setup.sh", "docs/foo.txt") requireEqualLSM(t, result[0].Path) }) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/pipe/nix/licenses.go new/goreleaser-2.12.3/internal/pipe/nix/licenses.go --- old/goreleaser-2.12.2/internal/pipe/nix/licenses.go 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/internal/pipe/nix/licenses.go 2025-09-24 22:36:00.000000000 +0200 @@ -222,6 +222,7 @@ "sfl", "sgi-b-20", "sgmlug", + "sissl11", "sleepycat", "smail", "smlnj", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/pipe/sbom/sbom.go new/goreleaser-2.12.3/internal/pipe/sbom/sbom.go --- old/goreleaser-2.12.2/internal/pipe/sbom/sbom.go 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/internal/pipe/sbom/sbom.go 2025-09-24 22:36:00.000000000 +0200 
@@ -75,7 +75,7 @@ } if cfg.Cmd == "syft" { if len(cfg.Args) == 0 { - cfg.Args = []string{"$artifact", "--output", "spdx-json=$document"} + cfg.Args = []string{"$artifact", "--output", "spdx-json=$document", "--enrich", "all"} } if len(cfg.Env) == 0 && (cfg.Artifacts == "source" || cfg.Artifacts == "archive") { cfg.Env = []string{ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/pipe/sbom/sbom_test.go new/goreleaser-2.12.3/internal/pipe/sbom/sbom_test.go --- old/goreleaser-2.12.2/internal/pipe/sbom/sbom_test.go 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/internal/pipe/sbom/sbom_test.go 2025-09-24 22:36:00.000000000 +0200 @@ -24,7 +24,7 @@ } func TestSBOMCatalogDefault(t *testing.T) { - defaultArgs := []string{"$artifact", "--output", "spdx-json=$document"} + defaultArgs := []string{"$artifact", "--output", "spdx-json=$document", "--enrich", "all"} defaultSboms := []string{ "{{ .ArtifactName }}.sbom.json", } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/tmpl/fuzz_test.go new/goreleaser-2.12.3/internal/tmpl/fuzz_test.go --- old/goreleaser-2.12.2/internal/tmpl/fuzz_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/internal/tmpl/fuzz_test.go 2025-09-24 22:36:00.000000000 +0200 
@@ -0,0 +1,104 @@ +package tmpl + +import ( + "testing" + + "github.com/goreleaser/goreleaser/v2/internal/artifact" + "github.com/goreleaser/goreleaser/v2/internal/testctx" + "github.com/goreleaser/goreleaser/v2/pkg/build" + "github.com/goreleaser/goreleaser/v2/pkg/config" + "github.com/stretchr/testify/require" +) + +func FuzzTemplateApplier(f *testing.F) { + f.Fuzz(func(t *testing.T, data string) { + ctx := testctx.NewWithCfg(config.Project{ProjectName: "test"}) + tpl := New(ctx) + _, err := tpl.Apply(data) + if err == nil { + return + } + require.ErrorAs(t, err, &Error{}) + }) +} + +func FuzzTemplateWithArtifact(f *testing.F) { + f.Fuzz(func(t *testing.T, data string) { + ctx := testctx.NewWithCfg(config.Project{ProjectName: "test"}) + tpl := New(ctx).WithArtifact(&artifact.Artifact{ + Name: "test", + Path: "fake-filename.bin", + Goarch: "amd64", + Goos: "linux", + Target: "linux_amd64", + }) + + _, err := tpl.Apply(data) + if err == nil { + return + } + require.ErrorAs(t, err, &Error{}) + }) +} + +func FuzzTemplateBool(f *testing.F) { + f.Fuzz(func(t *testing.T, data string) { + ctx := testctx.New() + tpl := New(ctx) + _, err := tpl.Apply(data) + if err == nil { + return + } + require.ErrorAs(t, err, &Error{}) + }) +} + +func FuzzTemplateSlice(f *testing.F) { + f.Fuzz(func(t *testing.T, data string) { + ctx := testctx.New() + tpl := New(ctx) + _, err := tpl.Slice([]string{data}) + if err == nil { + return + } + require.ErrorAs(t, err, &Error{}) + }) +} + +func FuzzTemplateWithBuildOptions(f *testing.F) { + f.Fuzz(func(t *testing.T, data string) { + ctx := testctx.New() + target := &buildTarget{ + Target: "linux_amd64", + Goos: "linux", + Goarch: "amd64", + } + + tpl := New(ctx).WithBuildOptions(build.Options{ + Name: "test", + Target: target, + }) + + _, err := tpl.Apply(data) + if err == nil { + return + } + require.ErrorAs(t, err, &Error{}) + }) +} + +type buildTarget struct { + Target string + Goos string + Goarch string +} + +func (t *buildTarget) String() 
string { return t.Target } + +func (t *buildTarget) Fields() map[string]string { + return map[string]string{ + "target": t.Target, + "os": t.Goos, + "arch": t.Goarch, + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/internal/tmpl/testdata/fuzz/FuzzTemplateApplier/040de92d22e4f552 new/goreleaser-2.12.3/internal/tmpl/testdata/fuzz/FuzzTemplateApplier/040de92d22e4f552 --- old/goreleaser-2.12.2/internal/tmpl/testdata/fuzz/FuzzTemplateApplier/040de92d22e4f552 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/internal/tmpl/testdata/fuzz/FuzzTemplateApplier/040de92d22e4f552 2025-09-24 22:36:00.000000000 +0200 @@ -0,0 +1,2 @@ +go test fuzz v1 +string("{{") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/pkg/config/load.go new/goreleaser-2.12.3/pkg/config/load.go --- old/goreleaser-2.12.2/pkg/config/load.go 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/pkg/config/load.go 2025-09-24 22:36:00.000000000 +0200 @@ -30,10 +30,10 @@ } // Load config file. -func Load(file string) (config Project, err error) { +func Load(file string) (Project, error) { f, err := os.Open(file) // #nosec if err != nil { - return + return Project{}, err } defer f.Close() return LoadReader(f) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/scripts/fuzz.sh new/goreleaser-2.12.3/scripts/fuzz.sh --- old/goreleaser-2.12.2/scripts/fuzz.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/goreleaser-2.12.3/scripts/fuzz.sh 2025-09-24 22:36:00.000000000 +0200 
@@ -0,0 +1,11 @@ +#!/bin/bash +pkg="$1" +timeout="$2" + +grep "func Fuzz" "$pkg"/*.go | + cut -f2 -d' ' | + cut -f1 -d'(' | + while read -r f; do + go test -fuzztime="$timeout" -fuzz="$f" "$pkg"/... + done +go test "$pkg"/... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/Dockerfile new/goreleaser-2.12.3/www/Dockerfile --- old/goreleaser-2.12.2/www/Dockerfile 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/Dockerfile 2025-09-24 22:36:00.000000000 +0200 @@ -1,3 +1,3 @@ -FROM squidfunk/mkdocs-material +FROM squidfunk/mkdocs-material:9@sha256:86d21da4f45f16e30774bf911e5b4795da13ce0cd197dbf8d3d059f256b2cc37 COPY requirements.txt . RUN pip install -r requirements.txt diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/docs/customization/nfpm.md new/goreleaser-2.12.3/www/docs/customization/nfpm.md --- old/goreleaser-2.12.2/www/docs/customization/nfpm.md 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/docs/customization/nfpm.md 2025-09-24 22:36:00.000000000 +0200 @@ -215,7 +215,7 @@ type: config # Simple symlink. - # Corresponds to `ln -s /sbin/foo /usr/local/bin/foo` + # Corresponds to `ln -s /sbin/foo /usr/bin/foo` - src: /sbin/foo dst: /usr/bin/foo type: "symlink" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/docs/customization/sbom.md new/goreleaser-2.12.3/www/docs/customization/sbom.md --- old/goreleaser-2.12.2/www/docs/customization/sbom.md 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/docs/customization/sbom.md 2025-09-24 22:36:00.000000000 +0200 
@@ -53,7 +53,7 @@ # Command line arguments for the command # - # Default: ["$artifact", "--output", "spdx-json=$document"]. + # Default: ["$artifact", "--output", "spdx-json=$document", "--enrich", "all"]. # Templates: allowed. args: ["$artifact", "--output", "cyclonedx-json=$document"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/docs/install.md new/goreleaser-2.12.3/www/docs/install.md --- old/goreleaser-2.12.2/www/docs/install.md 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/docs/install.md 2025-09-24 22:36:00.000000000 +0200 @@ -129,8 +129,9 @@ name=GoReleaser baseurl=https://repo.goreleaser.com/yum/ enabled=1 - gpgcheck=0' | sudo tee /etc/yum.repos.d/goreleaser.repo - sudo yum --exclude=goreleaser-pro install goreleaser + gpgcheck=0 + exclude=goreleaser-pro' | sudo tee /etc/yum.repos.d/goreleaser.repo + sudo yum install goreleaser ``` === "Pro" @@ -140,8 +141,9 @@ name=GoReleaser baseurl=https://repo.goreleaser.com/yum/ enabled=1 - gpgcheck=0' | sudo tee /etc/yum.repos.d/goreleaser.repo - sudo yum --exclude=goreleaser install goreleaser-pro + gpgcheck=0 + exclude=goreleaser' | sudo tee /etc/yum.repos.d/goreleaser.repo + sudo yum install goreleaser-pro ``` ## AUR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/docs/static/latest new/goreleaser-2.12.3/www/docs/static/latest --- old/goreleaser-2.12.2/www/docs/static/latest 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/docs/static/latest 2025-09-24 22:36:00.000000000 +0200 
@@ -1 +1 @@ -v2.12.1 +v2.12.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/docs/static/releases.json new/goreleaser-2.12.3/www/docs/static/releases.json --- old/goreleaser-2.12.2/www/docs/static/releases.json 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/docs/static/releases.json 2025-09-24 22:36:00.000000000 +0200 @@ -1,5 +1,8 @@ [ { + "tag_name": "v2.12.2" + }, + { "tag_name": "v2.12.1" }, { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/goreleaser-2.12.2/www/docs/static/schema-pro.json new/goreleaser-2.12.3/www/docs/static/schema-pro.json --- old/goreleaser-2.12.2/www/docs/static/schema-pro.json 2025-09-18 04:07:53.000000000 +0200 +++ new/goreleaser-2.12.3/www/docs/static/schema-pro.json 2025-09-24 22:36:00.000000000 +0200 @@ -766,6 +766,8 @@ "zig", "bun", "deno", + "uv", + "poetry", "prebuilt" ] }, ++++++ goreleaser.obsinfo ++++++ --- /var/tmp/diff_new_pack.Mi0Q21/_old 2025-09-25 18:48:35.890465527 +0200 +++ /var/tmp/diff_new_pack.Mi0Q21/_new 2025-09-25 18:48:35.898465861 +0200 @@ -1,5 +1,5 @@ name: goreleaser -version: 2.12.2 -mtime: 1758161273 -commit: d3d28a6aa7c7fbd070013870670dba88b13e8eb8 +version: 2.12.3 +mtime: 1758746160 +commit: a1d945da6150425f5e7188dea819992d8a600b8e ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/goreleaser/vendor.tar.gz /work/SRC/openSUSE:Factory/.goreleaser.new.11973/vendor.tar.gz differ: char 38, line 1
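Review bot: in internal/artifact/fuzz_test.go, FuzzChecksumLargeData passes the fuzzed `size int` straight to `make([]byte, size)` with no bounds check, so the first negative value the fuzzer generates panics in the test itself rather than in Checksum, and a very large value allocates and writes that much data to the temp dir. Skip when `size < 0` or above a fixed cap before allocating. The committed corpus entry `string("0")` / `int(50000)` is also rejected by the `validAlgorithms` guard, so it only ever reaches `t.Skip()`; either drop it or have the test assert that Checksum returns an error for unknown algorithms instead of skipping them.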
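Review bot: in internal/pipe/makeself/makeself.go (hunk at -228), `dst := filepath.Join(dir, binary.Name)` no longer reduces the name with `filepath.Base`, so a binary name containing `..` segments now resolves outside `dir`, and the following `os.MkdirAll(filepath.Dir(dst), 0o755)` will create that path. Keeping subdirectories is the intent, so reject non-local names first (for example with `filepath.IsLocal(binary.Name)`) and return an error. The updated test only covers `dir/mybin`; a case with a `../` name would pin the behaviour.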
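Review bot: in internal/pipe/makeself/makeself.go (hunk at -250), copying the script to `filepath.Join(dir, filepath.Base(script))` lets the script's base name collide with files already staged in `dir`: it silently overwrites a binary or extra file of the same name, and a script called `package.lsm` is itself overwritten by the `os.WriteFile` on the next statement. Check for an existing destination, or reserve `package.lsm`, before copying. The error text on this path still reads "failed to copy binary %s" although the file is the script.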
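Review bot: in internal/pipe/makeself/makeself.go (makeArg, hunk at -272), the final argument changes from `"./script.sh"` to the bare `script`, which the call site sets to `filepath.Base(script)`, so the `./` prefix is lost. makeself's documentation describes that argument as a command run from inside the extracted directory, and a name without `./` is then looked up through PATH instead of the archive. Unless that is intended, pass `"./" + script`, and add a test that asserts on the argument list makeArg returns, since the updated tests only check which files the staging directory contains.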
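Review bot: in internal/pipe/sbom/sbom.go, appending `"--enrich", "all"` to the default args changes SBOM generation for every project that does not set `args`, and the only documentation is the updated "Default:" comment in sbom.md. Syft describes enrichment as pulling package data from local and online sources, so release builds that previously ran offline may now make network lookups, and a syft binary that predates the flag will reject the default command line. State the minimum syft version and the network behaviour in sbom.md, and show the previous default (`["$artifact", "--output", "spdx-json=$document"]`) as the way to opt out.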
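Review bot: in internal/tmpl/fuzz_test.go, FuzzTemplateBool calls `tpl.Apply(data)`, the same call FuzzTemplateApplier makes, so the name promises coverage that the body does not provide; point it at the boolean evaluation path or remove it. None of the five targets registers seeds with `f.Add`, and the only committed corpus entry is `string("{{")` for FuzzTemplateApplier, so the other targets start from an empty corpus. Seeding each with a few valid templates that use the fields the target sets up (artifact name, build target) would get the fuzzer past the parser sooner.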
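Review bot: in scripts/fuzz.sh, `-fuzz="$f"` passes the function name as an unanchored regular expression, so `FuzzChecksum` also matches `FuzzChecksumLargeData` and go test refuses to fuzz when more than one target matches; use `-fuzz="^${f}\$"`. The script has no `set -e` or `pipefail` and the loop is the tail of a pipeline, so that refusal, or any other `go test -fuzz` failure, does not stop the script, and its exit status comes only from the final `go test "$pkg"/...`. In addition, `"$pkg"/...` in the fuzz invocation can expand to several packages, which `-fuzz` does not accept; pass `"$pkg"` there, add `set -euo pipefail`, and fail early when `$1` or `$2` is empty.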
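Review bot: in www/docs/install.md (both the OSS and Pro yum hunks), the repo definition is rewritten to add `exclude=` but keeps `gpgcheck=0`, so the documented install path still accepts packages from the repository without signature verification. Since these lines are being touched anyway, this is the place to switch to `gpgcheck=1` with a `gpgkey=` entry pointing at the project's published signing key, or to say explicitly in the docs that the yum repository is unsigned.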
