Skip to content

fix(ci): install syft in release.yml (v0.3.1 release recovery)#121

Merged
aksOps merged 1 commit into
mainfrom
fix/release-syft
Jun 18, 2026
Merged

fix(ci): install syft in release.yml (v0.3.1 release recovery)#121
aksOps merged 1 commit into
mainfrom
fix/release-syft

Conversation

@aksOps

@aksOps aksOps commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Problem

The v0.3.1 release pipeline (first live run of #116's goreleaser+cosign workflow) failed: exec: "syft": executable file not found in $PATH. GoReleaser built all 4 binaries + archives + checksums, then the sboms: step (which shells out to syft) aborted — release.yml installs cosign but never installed syft. The tag, GH release notes, and go install @v0.3.1 are intact; only the signed binaries didn't attach.

Fix

  • Install syft via anchore/sbom-action/download-syft before the goreleaser step (pin reused from security.yml).
  • Add workflow_dispatch(tag) + checkout ref=${{ inputs.tag || github.ref }} so this fixed workflow can be re-run against the already-pushed, immutable v0.3.1 tag — goreleaser release: mode: append attaches artifacts to the existing release without re-cutting the tag (the proxy treats tags as immutable, so re-pushing is off the table).

Recovery plan

After merge: gh workflow run "Release (artifacts + signing)" --ref main -f tag=v0.3.1 → signed binaries + checksums + SBOMs append to the existing v0.3.1 release.

actionlint clean. Future tagged releases pick up the fix automatically on tag push.

🤖 Generated with Claude Code

The v0.3.1 release run failed: goreleaser's `sboms:` step shells out to syft,
but release.yml installed only cosign — `exec: "syft": not found`. Builds,
archives, and checksums all succeeded; SBOM cataloging aborted the release
before artifacts/signature attached.

- Install syft via anchore/sbom-action/download-syft (pin reused from
  security.yml) before the goreleaser step.
- Add workflow_dispatch(tag) + checkout ref=${{ inputs.tag || github.ref }} so
  the fixed workflow can re-run against an already-pushed (immutable) tag;
  goreleaser `release: mode: append` attaches artifacts to the existing release
  without re-cutting the tag.

actionlint clean. After merge, dispatch with tag=v0.3.1 to recover its signed
artifacts.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG
@sonarqubecloud

Copy link
Copy Markdown

@aksOps aksOps merged commit ef0f45d into main Jun 18, 2026
17 checks passed
@aksOps aksOps deleted the fix/release-syft branch June 18, 2026 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant