Skip to content

Commit ef0f45d

Browse files
aksOpsclaude
andauthored
fix(ci): install syft in release.yml + add workflow_dispatch recovery (#121)
The v0.3.1 release run failed: goreleaser's `sboms:` step shells out to syft, but release.yml installed only cosign — `exec: "syft": not found`. Builds, archives, and checksums all succeeded; SBOM cataloging aborted the release before artifacts/signature attached. - Install syft via anchore/sbom-action/download-syft (pin reused from security.yml) before the goreleaser step. - Add workflow_dispatch(tag) + checkout ref=${{ inputs.tag || github.ref }} so the fixed workflow can re-run against an already-pushed (immutable) tag; goreleaser `release: mode: append` attaches artifacts to the existing release without re-cutting the tag. actionlint clean. After merge, dispatch with tag=v0.3.1 to recover its signed artifacts. Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 90b42e4 commit ef0f45d

1 file changed

Lines changed: 20 additions & 1 deletion

File tree

.github/workflows/release.yml

Lines changed: 20 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,15 @@ on:
2121
push:
2222
tags:
2323
- 'v*'
24+
# Manual re-release: run the CURRENT (default-branch) workflow against an
25+
# already-pushed tag. GoReleaser's `release: mode: append` adds artifacts to
26+
# the existing release WITHOUT mutating the immutable tag — used to recover a
27+
# release whose original tag-push run failed.
28+
workflow_dispatch:
29+
inputs:
30+
tag:
31+
description: 'Existing tag to (re)build + sign (e.g. v0.3.1)'
32+
required: true
2433

2534
# Workflow-level default: minimum needed for actions/checkout. The release job
2635
# escalates to contents: write (create/append the GitHub release + upload
@@ -46,7 +55,10 @@ jobs:
4655
# actions/checkout v4.2.2
4756
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
4857
with:
49-
# Full history so goreleaser's changelog/version detection works.
58+
# On workflow_dispatch, build the supplied existing tag; on a tag
59+
# push, the pushed ref. Full history so goreleaser version detection
60+
# works.
61+
ref: ${{ inputs.tag || github.ref }}
5062
fetch-depth: 0
5163
persist-credentials: false
5264

@@ -77,6 +89,13 @@ jobs:
7789
# signing step in .goreleaser.yaml (signs: cmd: cosign).
7890
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159
7991

92+
- name: Install syft
93+
# anchore/sbom-action v0.24.0 (download-syft sub-action) — puts `syft`
94+
# on PATH for the goreleaser `sboms:` step, which shells out to syft per
95+
# archive. Without this goreleaser fails: `exec: "syft": not found`.
96+
# Pin reused from security.yml.
97+
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610
98+
8099
- name: Run GoReleaser
81100
# goreleaser/goreleaser-action v6.2.1
82101
uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3

0 commit comments

Comments
 (0)