From 0dc2dbb971665449f194935123d27390968203b6 Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Thu, 18 Jun 2026 11:52:49 +0000 Subject: [PATCH] fix(ci): install syft in release.yml + add workflow_dispatch recovery MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v0.3.1 release run failed: goreleaser's `sboms:` step shells out to syft, but release.yml installed only cosign — `exec: "syft": not found`. Builds, archives, and checksums all succeeded; SBOM cataloging aborted the release before artifacts/signature attached. - Install syft via anchore/sbom-action/download-syft (pin reused from security.yml) before the goreleaser step. - Add workflow_dispatch(tag) + checkout ref=${{ inputs.tag || github.ref }} so the fixed workflow can re-run against an already-pushed (immutable) tag; goreleaser `release: mode: append` attaches artifacts to the existing release without re-cutting the tag. actionlint clean. After merge, dispatch with tag=v0.3.1 to recover its signed artifacts. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01LDQVJrixs2nJoea67a8pEG --- .github/workflows/release.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f436d8..756a7f2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,15 @@ on: push: tags: - 'v*' + # Manual re-release: run the CURRENT (default-branch) workflow against an + # already-pushed tag. GoReleaser's `release: mode: append` adds artifacts to + # the existing release WITHOUT mutating the immutable tag — used to recover a + # release whose original tag-push run failed. + workflow_dispatch: + inputs: + tag: + description: 'Existing tag to (re)build + sign (e.g. v0.3.1)' + required: true # Workflow-level default: minimum needed for actions/checkout. The release job # escalates to contents: write (create/append the GitHub release + upload @@ -46,7 +55,10 @@ jobs: # actions/checkout v4.2.2 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: - # Full history so goreleaser's changelog/version detection works. + # On workflow_dispatch, build the supplied existing tag; on a tag + # push, the pushed ref. Full history so goreleaser version detection + # works. + ref: ${{ inputs.tag || github.ref }} fetch-depth: 0 persist-credentials: false @@ -77,6 +89,13 @@ jobs: # signing step in .goreleaser.yaml (signs: cmd: cosign). uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 + - name: Install syft + # anchore/sbom-action v0.24.0 (download-syft sub-action) — puts `syft` + # on PATH for the goreleaser `sboms:` step, which shells out to syft per + # archive. Without this goreleaser fails: `exec: "syft": not found`. + # Pin reused from security.yml. + uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 + - name: Run GoReleaser # goreleaser/goreleaser-action v6.2.1 uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3