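# Release workflow: on a pushed `v*` tag, build the frontend, install Zig for
# cross-compilation, then run GoReleaser to publish the release.
name: Release (GoReleaser)

on:
  push:
    tags:
      - 'v*'

# One release run per workflow/ref; a run already in progress is not cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

env:
  GO_VERSION: '1.25.6'
  NODE_VERSION: '24.12.0'

# Scopes granted to the built-in token for every job in this workflow.
# NOTE(review): `packages: write` is presumably needed by a publish step
# configured in .goreleaser.yaml; confirm, and drop it if nothing publishes
# packages.
permissions:
  contents: write
  packages: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    env:
      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
      # GitHub does not allow user-defined secrets whose names start with
      # `GITHUB_`, so a PAT with elevated permissions has to be stored under
      # a different secret name and referenced here instead.
      # NOTE(review): job-level env exposes this write-scoped token to every
      # step, including `npm ci` / `npm run build`, which execute third-party
      # package scripts. The GoReleaser step already sets the token itself;
      # consider removing this job-level entry once it is confirmed that no
      # other step reads it.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Full history and tags.
          fetch-depth: 0

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Set up Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Build Frontend
        working-directory: frontend
        run: |
          # Inject version into frontend build from tag (if present)
          VERSION="${GITHUB_REF#refs/tags/}"
          # Values appended to GITHUB_ENV only reach *later* steps, so export
          # the variable as well; otherwise the build below never sees it.
          export VITE_APP_VERSION="${VERSION}"
          # Kept so later steps still see the variable, as before.
          echo "VITE_APP_VERSION=${VERSION}" >> "$GITHUB_ENV"
          npm ci
          npm run build

      - name: Install Cross-Compilation Tools (Zig)
        # Security: Pinned to full SHA for supply chain security
        uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2
        with:
          # Quoted so the version is always read as a string.
          version: '0.13.0'

      # Only secrets.GITHUB_TOKEN is wired into this step; no CHARON_TOKEN
      # fallback is configured anywhere in this workflow.
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
        with:
          distribution: goreleaser
          version: '~> v2.5'
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # CGO settings are handled in .goreleaser.yaml via Zig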