Remove binary archives configuration from .goreleaser.yaml

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
Refactor CI/CD pipeline: remove version update step in main.go, add git status check for GoReleaser, and update GoReleaser version to 2.14.0
2026-03-12 09:53:57 -05:00 · 2026-02-22 23:34:24 +01:00 · 2026-02-22 23:28:26 +01:00 · 2026-02-22 23:05:17 +01:00 · 2026-02-22 23:05:06 +01:00
8 changed files with 122 additions and 486 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -20,16 +20,6 @@ on:
        description: "SemVer version to release (e.g., 1.2.3, no leading 'v')"
        required: true
        type: string
-      publish_latest:
-        description: "Also publish the 'latest' image tag"
-        required: true
-        type: boolean
-        default: false
-      publish_minor:
-        description: "Also publish the 'major.minor' image tag (e.g., 1.2)"
-        required: true
-        type: boolean
-        default: false
      target_branch:
        description: "Branch to tag"
        required: false
@@ -86,9 +76,6 @@ jobs:
    name: Build and Release
    runs-on: ubuntu-24.04
    timeout-minutes: 120
-    env:
-      DOCKERHUB_IMAGE: docker.io/fosrl/${{ github.event.repository.name }}
-      GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}

    steps:
      - name: Checkout code
@@ -96,37 +83,6 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Capture created timestamp
-        run: echo "IMAGE_CREATED=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
-        shell: bash
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: docker.io
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-
-      - name: Log in to GHCR
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Normalize image names to lowercase
-        run: |
-          set -euo pipefail
-          echo "GHCR_IMAGE=${GHCR_IMAGE,,}" >> "$GITHUB_ENV"
-          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE,,}" >> "$GITHUB_ENV"
-        shell: bash
-
      - name: Extract tag name
        env:
          EVENT_NAME: ${{ github.event_name }}
@@ -166,16 +122,6 @@ jobs:
          echo "Tag ${TAG} not visible after waiting"; exit 1
        shell: bash

-      - name: Update version in main.go
-        run: |
-            TAG=${{ env.TAG }}
-            if [ -f main.go ]; then
-            sed -i 's/version_replaceme/'"$TAG"'/' main.go
-            echo "Updated main.go with version $TAG"
-            else
-            echo "main.go not found"
-            fi
-
      - name: Ensure repository is at the tagged commit (dispatch only)
        if: ${{ github.event_name == 'workflow_dispatch' }}
        run: |
@@ -200,38 +146,6 @@ jobs:
        with:
          go-version-file: go.mod

-      - name: Resolve publish-latest flag
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          PL_INPUT: ${{ inputs.publish_latest }}
-          PL_VAR: ${{ vars.PUBLISH_LATEST }}
-        run: |
-          set -euo pipefail
-          val="false"
-          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
-            if [ "${PL_INPUT}" = "true" ]; then val="true"; fi
-          else
-            if [ "${PL_VAR}" = "true" ]; then val="true"; fi
-          fi
-          echo "PUBLISH_LATEST=$val" >> $GITHUB_ENV
-        shell: bash
-
-      - name: Resolve publish-minor flag
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-          PM_INPUT: ${{ inputs.publish_minor }}
-          PM_VAR: ${{ vars.PUBLISH_MINOR }}
-        run: |
-          set -euo pipefail
-          val="false"
-          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
-            if [ "${PM_INPUT}" = "true" ]; then val="true"; fi
-          else
-            if [ "${PM_VAR}" = "true" ]; then val="true"; fi
-          fi
-          echo "PUBLISH_MINOR=$val" >> $GITHUB_ENV
-        shell: bash
-
      - name: Cache Go modules
        if: ${{ hashFiles('**/go.sum') != '' }}
        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
@@ -250,326 +164,6 @@ jobs:
          go test ./... -race -covermode=atomic
        shell: bash

-      - name: Resolve license fallback
-        run: echo "IMAGE_LICENSE=${{ github.event.repository.license.spdx_id || 'NOASSERTION' }}" >> $GITHUB_ENV
-        shell: bash
-
-      - name: Resolve registries list (GHCR always, Docker Hub only if creds)
-        shell: bash
-        run: |
-          set -euo pipefail
-          images="${GHCR_IMAGE}"
-          if [ -n "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" ] && [ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]; then
-            images="${images}\n${DOCKERHUB_IMAGE}"
-          fi
-          {
-            echo 'IMAGE_LIST<<EOF'
-            echo -e "$images"
-            echo 'EOF'
-          } >> "$GITHUB_ENV"
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
-        with:
-          images: ${{ env.IMAGE_LIST }}
-          tags: |
-            type=semver,pattern={{version}},value=${{ env.TAG }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ env.TAG }},enable=${{ env.PUBLISH_MINOR == 'true' && env.IS_RC != 'true' }}
-            type=raw,value=latest,enable=${{ env.IS_RC != 'true' }}
-          flavor: |
-            latest=false
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.version=${{ env.TAG }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.source=${{ github.event.repository.html_url }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.documentation=${{ github.event.repository.html_url }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.licenses=${{ env.IMAGE_LICENSE }}
-            org.opencontainers.image.created=${{ env.IMAGE_CREATED }}
-            org.opencontainers.image.ref.name=${{ env.TAG }}
-            org.opencontainers.image.authors=${{ github.repository_owner }}
-      - name: Echo build config (non-secret)
-        shell: bash
-        env:
-          IMAGE_TITLE:        ${{ github.event.repository.name }}
-          IMAGE_VERSION:      ${{ env.TAG }}
-          IMAGE_REVISION:     ${{ github.sha }}
-          IMAGE_SOURCE_URL:   ${{ github.event.repository.html_url }}
-          IMAGE_URL:          ${{ github.event.repository.html_url }}
-          IMAGE_DESCRIPTION:  ${{ github.event.repository.description }}
-          IMAGE_LICENSE:      ${{ env.IMAGE_LICENSE }}
-          DOCKERHUB_IMAGE:    ${{ env.DOCKERHUB_IMAGE }}
-          GHCR_IMAGE:         ${{ env.GHCR_IMAGE }}
-          DOCKER_HUB_USER:    ${{ secrets.DOCKER_HUB_USERNAME }}
-          REPO:               ${{ github.repository }}
-          OWNER:              ${{ github.repository_owner }}
-          WORKFLOW_REF:       ${{ github.workflow_ref }}
-          REF:                ${{ github.ref }}
-          REF_NAME:           ${{ github.ref_name }}
-          RUN_URL:            https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: |
-          set -euo pipefail
-          echo "=== OCI Label Values ==="
-          echo "org.opencontainers.image.title=${IMAGE_TITLE}"
-          echo "org.opencontainers.image.version=${IMAGE_VERSION}"
-          echo "org.opencontainers.image.revision=${IMAGE_REVISION}"
-          echo "org.opencontainers.image.source=${IMAGE_SOURCE_URL}"
-          echo "org.opencontainers.image.url=${IMAGE_URL}"
-          echo "org.opencontainers.image.description=${IMAGE_DESCRIPTION}"
-          echo "org.opencontainers.image.licenses=${IMAGE_LICENSE}"
-          echo
-          echo "=== Images ==="
-          echo "DOCKERHUB_IMAGE=${DOCKERHUB_IMAGE}"
-          echo "GHCR_IMAGE=${GHCR_IMAGE}"
-          echo "DOCKER_HUB_USERNAME=${DOCKER_HUB_USER}"
-          echo
-          echo "=== GitHub Kontext ==="
-          echo "repository=${REPO}"
-          echo "owner=${OWNER}"
-          echo "workflow_ref=${WORKFLOW_REF}"
-          echo "ref=${REF}"
-          echo "ref_name=${REF_NAME}"
-          echo "run_url=${RUN_URL}"
-          echo
-          echo "=== docker/metadata-action outputs (Tags/Labels), raw ==="
-          echo "::group::tags"
-          echo "${{ steps.meta.outputs.tags }}"
-          echo "::endgroup::"
-          echo "::group::labels"
-          echo "${{ steps.meta.outputs.labels }}"
-          echo "::endgroup::"
-      - name: Build and push (Docker Hub + GHCR)
-        id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
-        with:
-          context: .
-          push: true
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=${{ github.repository }}
-          cache-to: type=gha,mode=max,scope=${{ github.repository }}
-          provenance: mode=max
-          sbom: true
-
-      - name: Compute image digest refs
-        run: |
-          echo "DIGEST=${{ steps.build.outputs.digest }}" >> $GITHUB_ENV
-          echo "GHCR_REF=$GHCR_IMAGE@${{ steps.build.outputs.digest }}" >> $GITHUB_ENV
-          echo "DH_REF=$DOCKERHUB_IMAGE@${{ steps.build.outputs.digest }}" >> $GITHUB_ENV
-          echo "Built digest: ${{ steps.build.outputs.digest }}"
-        shell: bash
-
-      - name: Attest build provenance (GHCR)
-        id: attest-ghcr
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
-        with:
-          subject-name: ${{ env.GHCR_IMAGE }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
-          show-summary: true
-
-      - name: Attest build provenance (Docker Hub)
-        continue-on-error: true
-        id: attest-dh
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
-        with:
-          subject-name: index.docker.io/fosrl/${{ github.event.repository.name }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
-          show-summary: true
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-        with:
-          cosign-release: 'v3.0.2'
-
-      - name: Sanity check cosign private key
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
-        run: |
-          set -euo pipefail
-          cosign public-key --key env://COSIGN_PRIVATE_KEY >/dev/null
-        shell: bash
-
-      - name: Sign GHCR image (digest) with key (recursive)
-        env:
-          COSIGN_YES: "true"
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
-        run: |
-          set -euo pipefail
-          echo "Signing ${GHCR_REF} (digest) recursively with provided key"
-          cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${GHCR_REF}"
-          echo "Waiting 30 seconds for signatures to propagate..."
-          sleep 30
-        shell: bash
-
-      - name: Generate SBOM (SPDX JSON)
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
-        with:
-          image-ref: ${{ env.GHCR_IMAGE }}@${{ steps.build.outputs.digest }}
-          format: spdx-json
-          output: sbom.spdx.json
-
-      - name: Validate SBOM JSON
-        run: jq -e . sbom.spdx.json >/dev/null
-        shell: bash
-
-      - name: Minify SBOM JSON (optional hardening)
-        run: jq -c . sbom.spdx.json > sbom.min.json && mv sbom.min.json sbom.spdx.json
-        shell: bash
-
-      - name: Create SBOM attestation (GHCR, private key)
-        env:
-          COSIGN_YES: "true"
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
-        run: |
-          set -euo pipefail
-          cosign attest \
-            --key env://COSIGN_PRIVATE_KEY \
-            --type spdxjson \
-            --predicate sbom.spdx.json \
-            "${GHCR_REF}"
-        shell: bash
-
-      - name: Create SBOM attestation (Docker Hub, private key)
-        continue-on-error: true
-        env:
-          COSIGN_YES: "true"
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
-          COSIGN_DOCKER_MEDIA_TYPES: "1"
-        run: |
-          set -euo pipefail
-          cosign attest \
-            --key env://COSIGN_PRIVATE_KEY \
-            --type spdxjson \
-            --predicate sbom.spdx.json \
-            "${DH_REF}"
-        shell: bash
-
-      - name: Keyless sign & verify GHCR digest (OIDC)
-        env:
-          COSIGN_YES: "true"
-          WORKFLOW_REF: ${{ github.workflow_ref }}  # owner/repo/.github/workflows/<file>@refs/tags/<tag>
-          ISSUER: https://token.actions.githubusercontent.com
-        run: |
-          set -euo pipefail
-          echo "Keyless signing ${GHCR_REF}"
-          cosign sign --rekor-url https://rekor.sigstore.dev --recursive "${GHCR_REF}"
-          echo "Verify keyless (OIDC) signature policy on ${GHCR_REF}"
-          cosign verify \
-            --certificate-oidc-issuer "${ISSUER}" \
-            --certificate-identity "https://github.com/${WORKFLOW_REF}" \
-            "${GHCR_REF}" -o text
-        shell: bash
-
-      - name: Sign Docker Hub image (digest) with key (recursive)
-        continue-on-error: true
-        env:
-          COSIGN_YES: "true"
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD:    ${{ secrets.COSIGN_PASSWORD }}
-          COSIGN_DOCKER_MEDIA_TYPES: "1"
-        run: |
-          set -euo pipefail
-          echo "Signing ${DH_REF} (digest) recursively with provided key (Docker media types fallback)"
-          cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${DH_REF}"
-        shell: bash
-
-      - name: Keyless sign & verify Docker Hub digest (OIDC)
-        continue-on-error: true
-        env:
-          COSIGN_YES: "true"
-          ISSUER: https://token.actions.githubusercontent.com
-          COSIGN_DOCKER_MEDIA_TYPES: "1"
-        run: |
-          set -euo pipefail
-          echo "Keyless signing ${DH_REF} (force public-good Rekor)"
-          cosign sign --rekor-url https://rekor.sigstore.dev --recursive "${DH_REF}"
-          echo "Keyless verify via Rekor (strict identity)"
-          if ! cosign verify \
-            --rekor-url https://rekor.sigstore.dev \
-            --certificate-oidc-issuer "${ISSUER}" \
-            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
-            "${DH_REF}" -o text; then
-            echo "Rekor verify failed — retry offline bundle verify (no Rekor)"
-            if ! cosign verify \
-              --offline \
-              --certificate-oidc-issuer "${ISSUER}" \
-              --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
-              "${DH_REF}" -o text; then
-              echo "Offline bundle verify failed — ignore tlog (TEMP for debugging)"
-              cosign verify \
-                --insecure-ignore-tlog=true \
-                --certificate-oidc-issuer "${ISSUER}" \
-                --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
-                "${DH_REF}" -o text || true
-            fi
-          fi
-      - name: Verify signature (public key) GHCR digest + tag
-        env:
-          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-        run: |
-          set -euo pipefail
-          TAG_VAR="${TAG}"
-          echo "Verifying (digest) ${GHCR_REF}"
-          cosign verify --key env://COSIGN_PUBLIC_KEY "$GHCR_REF" -o text
-          echo "Verifying (tag) $GHCR_IMAGE:$TAG_VAR"
-          cosign verify --key env://COSIGN_PUBLIC_KEY "$GHCR_IMAGE:$TAG_VAR" -o text
-        shell: bash
-
-      - name: Verify SBOM attestation (GHCR)
-        env:
-          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-        run: cosign verify-attestation --key env://COSIGN_PUBLIC_KEY --type spdxjson "$GHCR_REF" -o text
-        shell: bash
-
-      - name: Verify SLSA provenance (GHCR)
-        env:
-          ISSUER: https://token.actions.githubusercontent.com
-          WFREF: ${{ github.workflow_ref }}
-        run: |
-          set -euo pipefail
-          # (optional) show which predicate types are present to aid debugging
-          cosign download attestation "$GHCR_REF" \
-            | jq -r '.payload | @base64d | fromjson | .predicateType' | sort -u || true
-          # Verify the SLSA v1 provenance attestation (predicate URL)
-          cosign verify-attestation \
-            --type 'https://slsa.dev/provenance/v1' \
-            --certificate-oidc-issuer "$ISSUER" \
-            --certificate-identity "https://github.com/${WFREF}" \
-            --rekor-url https://rekor.sigstore.dev \
-            "$GHCR_REF" -o text
-        shell: bash
-
-      - name: Verify signature (public key) Docker Hub digest
-        continue-on-error: true
-        env:
-          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-          COSIGN_DOCKER_MEDIA_TYPES: "1"
-        run: |
-          set -euo pipefail
-          echo "Verifying (digest) ${DH_REF} with Docker media types"
-          cosign verify --key env://COSIGN_PUBLIC_KEY "${DH_REF}" -o text
-        shell: bash
-
-      - name: Verify signature (public key) Docker Hub tag
-        continue-on-error: true
-        env:
-          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
-          COSIGN_DOCKER_MEDIA_TYPES: "1"
-        run: |
-          set -euo pipefail
-          echo "Verifying (tag) $DOCKERHUB_IMAGE:$TAG with Docker media types"
-          cosign verify --key env://COSIGN_PUBLIC_KEY "$DOCKERHUB_IMAGE:$TAG" -o text
-        shell: bash
-
      # - name: Trivy scan (GHCR image)
      #   id: trivy
      #   uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
@@ -599,26 +193,36 @@ jobs:
      #    make -j 10 go-build-release tag=$TAG_VAR
      #  shell: bash

-      - name: Run GoReleaser (binaries + deb/rpm/apk)
+      - name: Ensure clean git state for GoReleaser
+        shell: bash
+        run: |
+          set -euo pipefail
+          echo "Checking git status before GoReleaser..."
+          git status --porcelain || true
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Repository contains local changes. Listing files and diff:"
+            git status --porcelain
+            git --no-pager diff --name-status || true
+            echo "Resetting tracked files to HEAD to ensure a clean release state"
+            git restore --source=HEAD --worktree --staged -- .
+            echo "After reset git status:"
+            git status --porcelain || true
+          else
+            echo "Repository clean."
+          fi
+
+      - name: Run GoReleaser config check
        uses: goreleaser/goreleaser-action@v6
        with:
-          version: latest
-          args: release --clean
+          version: 2.14.0
+          args: check
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+      - name: Run GoReleaser (binaries + deb/rpm/apk)
+        uses: goreleaser/goreleaser-action@v6
        with:
-          tag_name: ${{ env.TAG }}
-          generate_release_notes: true
-          prerelease: ${{ env.IS_RC == 'true' }}
-          files: |
-            bin/*
-          fail_on_unmatched_files: true
-          draft: true
-          body: |
-            ## Container Images
-            - GHCR: `${{ env.GHCR_REF }}`
-            - Docker Hub: `${{ env.DH_REF || 'N/A' }}`
-            **Digest:** `${{ steps.build.outputs.digest }}`
+          version: 2.14.0
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/mirror.yaml
+++ b/.github/workflows/mirror.yaml
@@ -1,20 +1,28 @@
 name: Mirror & Sign (Docker Hub to GHCR)

 on:
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      source_image:
+        description: "Source image (e.g., docker.io/owner/newt)"
+        required: true
+        type: string
+      dest_image:
+        description: "Destination image (e.g., ghcr.io/owner/newt)"
+        required: true
+        type: string

 permissions:
  contents: read
  packages: write
  id-token: write   # for keyless OIDC

-env:
-  SOURCE_IMAGE: docker.io/fosrl/newt
-  DEST_IMAGE: ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}
-
 jobs:
  mirror-and-dual-sign:
-    runs-on: amd64-runner
+    runs-on: ubuntu-24.04
+    env:
+      SOURCE_IMAGE: ${{ inputs.source_image }}
+      DEST_IMAGE: ${{ inputs.dest_image }}
    steps:
      - name: Install skopeo + jq
        run: |
--- a/.github/workflows/publish-apt.yml
+++ b/.github/workflows/publish-apt.yml
@@ -3,10 +3,14 @@ name: Publish APT repo to S3/CloudFront
 on:
  release:
    types: [published]
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
  workflow_dispatch:
    inputs:
      tag:
-        description: "Tag to publish (e.g. v1.9.0). Leave empty to use latest release."
+        description: "Tag to publish (e.g. 1.9.0). Leave empty to use latest release."
        required: false
        type: string
      backfill_all:
@@ -21,7 +25,7 @@ permissions:

 jobs:
  publish:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    env:
      PKG_NAME: newt
      SUITE: stable
@@ -36,6 +40,7 @@ jobs:
      INPUT_TAG: ${{ inputs.tag }}
      BACKFILL_ALL: ${{ inputs.backfill_all }}
      EVENT_TAG: ${{ github.event.release.tag_name }}
+      PUSH_TAG: ${{ github.ref_name }}
      GH_REPO: ${{ github.repository }}

    steps:
@@ -51,12 +56,9 @@ jobs:
      - name: Install dependencies
        run: sudo apt-get update && sudo apt-get install -y dpkg-dev apt-utils gnupg curl jq gh

-      - name: Install nfpm
-        run: curl -fsSL https://github.com/goreleaser/nfpm/releases/latest/download/nfpm_Linux_x86_64.tar.gz | sudo tar -xz -C /usr/local/bin nfpm
-
      - name: Publish APT repo
        env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APT_GPG_PRIVATE_KEY: ${{ secrets.APT_GPG_PRIVATE_KEY }}
          APT_GPG_PASSPHRASE: ${{ secrets.APT_GPG_PASSPHRASE }}
        run: ./scripts/publish-apt.sh
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,7 +16,7 @@ jobs:
      matrix:
        target:
          - local
-          - docker-build
+          #- docker-build
          - go-build-release-darwin-amd64
          - go-build-release-darwin-arm64
          - go-build-release-freebsd-amd64
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,42 +1,26 @@
+version: 2
 project_name: newt

 release:
-  # du nutzt Tags wie 1.2.3 und 1.2.3-rc.1 (ohne v)
  draft: true
-  prerelease: auto
+  prerelease: "{{ contains .Tag \"-rc.\" }}"
  name_template: "{{ .Tag }}"
-  mode: replace

 builds:
  - id: newt
-    main: ./main.go   # <- falls du cmd/newt hast: ./cmd/newt
+    main: ./main.go
    binary: newt
    env:
      - CGO_ENABLED=0
    goos:
      - linux
-      - darwin
-      - windows
-      - freebsd
    goarch:
      - amd64
      - arm64
-    goarm:
-      - "6"
-      - "7"
    flags:
      - -trimpath
    ldflags:
-      - -s -w -X main.version={{ .Tag }}
-
-archives:
-  # Wichtig: format "binary" -> keine tar.gz, sondern raw binary wie bei dir aktuell
-  - id: raw
-    builds:
-      - newt
-    format: binary
-    name_template: >-
-      {{ .ProjectName }}_{{ .Os }}_{{ if eq .Arch "amd64" }}amd64{{ else if eq .Arch "arm64" }}arm64{{ else if eq .Arch "386" }}386{{ else }}{{ .Arch }}{{ end }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}{{ if .Amd64 }}_{{ .Amd64 }}{{ end }}{{ if .Riscv64 }}_{{ .Riscv64 }}{{ end }}{{ if .Os | eq "windows" }}.exe{{ end }}
+      - -s -w -X main.newtVersion={{ .Tag }}

 checksum:
  name_template: "checksums.txt"
@@ -44,19 +28,16 @@ checksum:
 nfpms:
  - id: packages
    package_name: newt
-    builds:
-      - newt
    vendor: fosrl
    maintainer: fosrl <repo@fosrl.io>
    description: Newt - userspace tunnel client and TCP/UDP proxy
-    license: AGPL-3.0
+    license: AGPL-3.0-or-later
    formats:
      - deb
      - rpm
      - apk
    bindir: /usr/bin
-    # sorgt dafür, dass die Paketnamen gut pattern-matchbar sind
-    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}"
+    file_name_template: "newt_{{ .Version }}_{{ .Arch }}"
    contents:
      - src: LICENSE
        dst: /usr/share/doc/newt/LICENSE
--- a/README.md
+++ b/README.md
@@ -1,15 +1,24 @@
 # Newt
+
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/fosrl/newt)](https://pkg.go.dev/github.com/fosrl/newt)
 [![GitHub License](https://img.shields.io/github/license/fosrl/newt)](https://github.com/fosrl/newt/blob/main/LICENSE)
 [![Go Report Card](https://goreportcard.com/badge/github.com/fosrl/newt)](https://goreportcard.com/report/github.com/fosrl/newt)

 Newt is a fully user space [WireGuard](https://www.wireguard.com/) tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don't need to manage complex WireGuard tunnels and NATing.

-### Installation and Documentation
+## Installation and Documentation

 Newt is used with Pangolin and Gerbil as part of the larger system. See documentation below:

-   [Full Documentation](https://docs.pangolin.net/manage/sites/understanding-sites)
+- [Full Documentation](https://docs.pangolin.net/manage/sites/understanding-sites)
+
+### Install via APT (Debian/Ubuntu)
+
+```bash
+curl -fsSL https://repo.dev.fosrl.io/apt/public.key | sudo gpg --dearmor -o /usr/share/keyrings/newt-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/newt-archive-keyring.gpg] https://repo.dev.fosrl.io/apt stable main" | sudo tee /etc/apt/sources.list.d/newt.list
+sudo apt update && sudo apt install newt
+```

 ## Key Functions

--- a/scripts/append-release-notes.sh
+++ b/scripts/append-release-notes.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${TAG:?}"
+: "${GHCR_REF:?}"
+: "${DIGEST:?}"
+
+NOTES_FILE="$(mktemp)"
+
+existing_body="$(gh release view "${TAG}" --json body --jq '.body')"
+cat > "${NOTES_FILE}" <<EOF
+${existing_body}
+
+## Container Images
+- GHCR: \`${GHCR_REF}\`
+- Docker Hub: \`${DH_REF:-N/A}\`
+**Digest:** \`${DIGEST}\`
+EOF
+
+gh release edit "${TAG}" --draft --notes-file "${NOTES_FILE}"
+
+rm -f "${NOTES_FILE}"
--- a/scripts/publish-apt.sh
+++ b/scripts/publish-apt.sh
@@ -19,6 +19,23 @@ fi
 WORKDIR="$(pwd)"
 mkdir -p repo/apt assets build

+download_asset() {
+  local tag="$1"
+  local pattern="$2"
+  local attempts=12
+
+  for attempt in $(seq 1 "${attempts}"); do
+    if gh release download "${tag}" -R "${GH_REPO}" -p "${pattern}" -D assets; then
+      return 0
+    fi
+    echo "Asset ${pattern} not available yet (attempt ${attempt}/${attempts}); retrying..."
+    sleep 5
+  done
+
+  echo "ERROR: Failed to download asset ${pattern} for ${tag} after ${attempts} attempts"
+  return 1
+}
+
 echo "${APT_GPG_PRIVATE_KEY}" | gpg --batch --import >/dev/null 2>&1 || true

 KEYID="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}')"
@@ -37,6 +54,8 @@ else
    TAGS="${INPUT_TAG}"
  elif [[ -n "${EVENT_TAG:-}" ]]; then
    TAGS="${EVENT_TAG}"
+  elif [[ -n "${PUSH_TAG:-}" ]]; then
+    TAGS="${PUSH_TAG}"
  else
    echo "No tag provided; using latest release tag..."
    TAGS="$(gh release view -R "${GH_REPO}" --json tagName --jq '.tagName')"
@@ -58,32 +77,23 @@ while IFS= read -r TAG; do
  rm -rf assets build
  mkdir -p assets build

-  gh release download "${TAG}" -R "${GH_REPO}" -p "newt_linux_amd64" -D assets
-  gh release download "${TAG}" -R "${GH_REPO}" -p "newt_linux_arm64" -D assets
+  deb_amd64="${PKG_NAME}_${TAG}_amd64.deb"
+  deb_arm64="${PKG_NAME}_${TAG}_arm64.deb"

-  VERSION="${TAG#v}"
+  download_asset "${TAG}" "${deb_amd64}"
+  download_asset "${TAG}" "${deb_arm64}"

-  for arch in amd64 arm64; do
-    bin="assets/newt_linux_${arch}"
-    if [[ ! -f "${bin}" ]]; then
-      echo "ERROR: Missing release asset: ${bin}"
-      exit 1
-    fi
-
-    install -Dm755 "${bin}" "build/newt"
-
-    # Create nfpm config from template file (no heredoc here)
-    sed \
-      -e "s/__PKG_NAME__/${PKG_NAME}/g" \
-      -e "s/__ARCH__/${arch}/g" \
-      -e "s/__VERSION__/${VERSION}/g" \
-      scripts/nfpm.yaml.tmpl > nfpm.yaml
-
-    nfpm package -p deb -f nfpm.yaml -t "build/${PKG_NAME}_${VERSION}_${arch}.deb"
-  done
+  if [[ ! -f "assets/${deb_amd64}" ]]; then
+    echo "ERROR: Missing release asset: ${deb_amd64}"
+    exit 1
+  fi
+  if [[ ! -f "assets/${deb_arm64}" ]]; then
+    echo "ERROR: Missing release asset: ${deb_arm64}"
+    exit 1
+  fi

  mkdir -p "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
-  cp -v build/*.deb "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
+  cp -v assets/*.deb "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"

 done <<< "${TAGS}"

@@ -124,7 +134,7 @@ gpg --batch --yes --pinentry-mode loopback \

 # Export public key into apt repo root
 cd ../../..
-gpg --batch --yes --armor --export "${KEYID}" > public.key
+gpg --batch --yes --armor --export "${KEYID}" > "${WORKDIR}/repo/apt/public.key"

 # Upload to S3
 echo "Uploading to S3..."
Author	SHA1	Message	Date
Marc Schäfer	6618bb4483	Remove binary archives configuration from .goreleaser.yaml Signed-off-by: Marc Schäfer <git@marcschaeferger.de>	2026-02-22 23:34:24 +01:00
Marc Schäfer	08952c20c5	Refactor CI/CD pipeline: remove version update step in main.go, add git status check for GoReleaser, and update GoReleaser version to 2.14.0 Signed-off-by: Marc Schäfer <git@marcschaeferger.de>	2026-02-22 23:28:26 +01:00
Marc Schäfer	5e60da37d1	Refactor CI/CD workflows: streamline inputs in mirror.yaml, update publish-apt.yml for tag descriptions, and adjust test.yml to comment out docker-build target Signed-off-by: Marc Schäfer <git@marcschaeferger.de>	2026-02-22 23:05:17 +01:00
Marc Schäfer	53d79aea5a	Refactor .goreleaser.yaml for improved release management and update README with installation instructions Add script to append release notes and enhance publish-apt.sh for asset downloading Signed-off-by: Marc Schäfer <git@marcschaeferger.de>	2026-02-22 23:05:06 +01:00