ci(release): drop goreleaser (Pro-only prebuilt) — inline cosign + gh release#50
Merged
ci(release): drop goreleaser (Pro-only prebuilt) — inline cosign + gh release#50
Conversation
…elease
The release workflow was failing with:
yaml: unmarshal errors:
line 19: field prebuilt not found in type config.Build
Root cause: the `builder: prebuilt` + `prebuilt.path` config used in
.goreleaser.yaml is a GoReleaser Pro-only feature, not supported by
OSS goreleaser (which is what the goreleaser-action pins).
Rather than buying Pro, inline the release steps directly — the
matrix build job already produces native binaries (linux-amd64 on
ubuntu, darwin-arm64 on macos); the release job now:
1. Downloads the pre-built binaries
2. Renames them to docsiq-<tag>-<os>-<arch>
3. Computes SHA256SUMS
4. Signs each binary + SHA256SUMS with cosign keyless (Sigstore)
5. Creates a draft GitHub release with auto-generated notes
6. Appends a cosign verify footer to the notes, publishes
7. Generates SLSA build provenance attestation
8. Uploads the provenance bundle to the release
What we keep:
- Signed binaries (cosign keyless + Rekor transparency log)
- Signed SHA256SUMS
- SLSA build provenance
- Auto-generated GitHub release notes (grouped via .github/release.yml)
What we lose:
- Scorecard "Packaging" signal (goreleaser detection) — acceptable
trade; everything Scorecard actually checks for signed releases
(Signed-Releases) still works.
.goreleaser.yaml is removed as unused.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Manual release runs (v0.0.3) have been failing with:
```
yaml: unmarshal errors:
line 19: field prebuilt not found in type config.Build
```
Root cause
`.goreleaser.yaml` used `builder: prebuilt` + `prebuilt.path:` which is a GoReleaser Pro feature. The OSS goreleaser pinned by `goreleaser-action` doesn't parse those fields.
From upstream docs: "GoReleaser Pro also supports continuously releasing nightly builds and importing pre-built binaries using the prebuilt builder."
Fix
Drop goreleaser entirely. The matrix build job already produces native binaries (linux-amd64 on ubuntu, darwin-arm64 on macos) because CGO + sqlite-vec doesn't cross-compile cleanly. The release job now inlines the packaging steps:
What's preserved
What's lost
Nothing material. Trade-off is simpler, predictable release pipeline.
Files
Test plan
🤖 Generated with Claude Code