From faa8da52bcf38eb6953e7fc00824cc8e3ec88b23 Mon Sep 17 00:00:00 2001 From: Johnny Miller <163300+millerjp@users.noreply.github.com> Date: Tue, 21 Apr 2026 08:06:54 +0200 Subject: [PATCH] ci: emit source archive from GoReleaser for attestation coverage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous config declared an `archives:` block without a build context, which produced no actual archive — GoReleaser only wrote metadata files to dist/. The `actions/attest-build-provenance` step added in #33 globs `dist/*.tar.gz`, so the first real release (v0.9.0) failed at the attest step with "Could not find subject at path dist/*.tar.gz". Replace the empty `archives:` block with a `source:` block that emits a `{project}-{version}-source.tar.gz` using GoReleaser's built-in source archiver. No build context required; one tar.gz is emitted into dist/ for every release and dry run, which the attestation step then signs under keyless Sigstore. Verified locally: `goreleaser release --snapshot --clean --skip=publish` now produces `dist/syncmap-*-source.tar.gz`. --- .goreleaser.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 6c37c98..5cba7d3 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -5,16 +5,19 @@ project_name: syncmap builds: - skip: true -archives: - - id: source - formats: - - tar.gz - files: - - LICENSE - - README.md +# No Go binaries are built (pure library), so the only release artefact +# is the source tarball emitted by the `source` stanza below. The +# `archives:` block is intentionally empty — it needs a build context, +# which we don't have, so it would produce nothing and break the +# `actions/attest-build-provenance` step that globs dist/*.tar.gz. +source: + enabled: true + name_template: "{{ .ProjectName }}-{{ .Version }}-source" + format: tar.gz checksum: name_template: "checksums.txt" + algorithm: sha256 snapshot: version_template: "{{ .Tag }}-SNAPSHOT-{{ .ShortCommit }}"