feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release by caarlos0 · Pull Request #558 · goreleaser/goreleaser-action

caarlos0 · 2026-04-23T03:48:23Z

Resolve the nightly version input via the GitHub releases API to the latest immutable vX.Y.Z-<sha>-nightly tag, instead of relying on the moving nightly tag (which is being removed as part of supply-chain hardening — see goreleaser/goreleaser#6550).

getReleaseTag now calls a new resolveNightly helper when version === 'nightly'
resolveNightly queries api.github.com/repos/goreleaser/<distribution>/releases and picks the latest release matching /^v\d+\.\d+\.\d+-[0-9a-f]+-nightly$/. Uses GITHUB_TOKEN if present
getCertificateIdentity now treats any vX.Y.Z-<sha>-nightly tag as a nightly build for cosign verification
Removes the legacy plain nightly tag handling
Adds tests for getRelease('<dist>', 'nightly') (will start passing once the first immutable nightly is published)

Refs goreleaser/goreleaser#6550

Query GitHub releases API to resolve the 'nightly' version input to the latest immutable nightly tag, replacing the moving 'nightly' tag that is being removed for supply-chain hardening. Refs goreleaser/goreleaser#6550 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

Fall back to the moving 'nightly' tag when no immutable vX.Y.Z-<sha>-nightly release is found, so the action keeps working between this release and the goreleaser nightly switchover. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

goreleaser-pro publishes nightly releases as e.g. 2.16.0-eaeb08c50-nightly (no 'v' prefix). Make the nightly tag regex tolerate either form, and split the integration tests so OSS asserts the legacy fallback while Pro asserts the new <version>-<sha>-nightly format. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The missing 'v' prefix on the goreleaser-pro nightly was a release mistake; new nightlies will keep the 'v' prefix. This reverts commit 7673f7f. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

The new nightly resolution hits api.github.com/repos/.../releases, which is rate-limited for unauthenticated requests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Adds a small note to `customization/ci/actions.md` explaining that `version: nightly` on `goreleaser-action` ≥ v7.2.0 now resolves to the latest immutable `vX.Y.Z-<sha>-nightly` release via the GitHub Releases API, and recommends exporting `GITHUB_TOKEN` to avoid rate limits. Companion to goreleaser/goreleaser-action#558. --------- Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | action | major | `v6` → `v7` | --- ### Release Notes <details> <summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary> ### [`v7.2.1`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.1) [Compare Source](goreleaser/goreleaser-action@v7.2.0...v7.2.1) This fully removes the usage of the old `nightly` moving tag. **Full Changelog**: <goreleaser/goreleaser-action@v7.2.0...v7.2.1> ### [`v7.2.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.0) [Compare Source](goreleaser/goreleaser-action@v7.1.0...v7.2.0) #### What's Changed - test: cover install across release eras by [@caarlos0](https://github.com/caarlos0) in [#555](goreleaser/goreleaser-action#555) - feat: add `version-file` input by [@caarlos0](https://github.com/caarlos0) in [#556](goreleaser/goreleaser-action#556) - feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release by [@caarlos0](https://github.com/caarlos0) in [#558](goreleaser/goreleaser-action#558) **Full Changelog**: <goreleaser/goreleaser-action@v7...v7.2.0> ### [`v7.1.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.1.0) [Compare Source](goreleaser/goreleaser-action@v7...v7.1.0) #### What's Changed - feat: verify release checksum and cosign signature by [@caarlos0](https://github.com/caarlos0) in [#550](goreleaser/goreleaser-action#550) - docs: document cosign verification in README by [@caarlos0](https://github.com/caarlos0) in [#553](goreleaser/goreleaser-action#553) - docs: Upgrade import GPG action version by [@flecno](https://github.com/flecno) in [#547](goreleaser/goreleaser-action#547) - ci: drop docker-bake in favor of plain npm by [@caarlos0](https://github.com/caarlos0) in [#551](goreleaser/goreleaser-action#551) - ci: add release-major-tag workflow by [@caarlos0](https://github.com/caarlos0) in [#552](goreleaser/goreleaser-action#552) - ci: drop pre-cosign-v3 goreleaser versions from tests by [@caarlos0](https://github.com/caarlos0) in [#554](goreleaser/goreleaser-action#554) - ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#543](goreleaser/goreleaser-action#543) - ci(deps): bump the actions group with 5 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#546](goreleaser/goreleaser-action#546) - chore(deps): bump undici from 6.23.0 to 6.24.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#545](goreleaser/goreleaser-action#545) #### New Contributors - [@flecno](https://github.com/flecno) made their first contribution in [#547](goreleaser/goreleaser-action#547) **Full Changelog**: <goreleaser/goreleaser-action@v7...v7.1.0> ### [`v7.0.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.0.0) [Compare Source](goreleaser/goreleaser-action@v7...v7) #### What's Changed - feat!: node 24, update deps, rm yarn, ESM by [@caarlos0](https://github.com/caarlos0) in [#533](goreleaser/goreleaser-action#533) - sec: pin github action versions by [@caarlos0](https://github.com/caarlos0) in [#514](goreleaser/goreleaser-action#514) - docs: Upgrade checkout GitHub Action in README.md by [@dunglas](https://github.com/dunglas) in [#507](goreleaser/goreleaser-action#507) - chore(deps): bump actions/checkout from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#504](goreleaser/goreleaser-action#504) - ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#517](goreleaser/goreleaser-action#517) - ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#523](goreleaser/goreleaser-action#523) - ci(deps): bump docker/bake-action from 6.9.0 to 6.10.0 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#526](goreleaser/goreleaser-action#526) - ci(deps): bump the actions group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#532](goreleaser/goreleaser-action#532) - ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#534](goreleaser/goreleaser-action#534) - chore(deps): bump the npm group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#536](goreleaser/goreleaser-action#536) - chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 3.0.2 to 4.0.0 in the npm group by [@dependabot](https://github.com/dependabot)\[bot] in [#537](goreleaser/goreleaser-action#537) - ci(deps): bump docker/setup-buildx-action from 3.10.0 to 3.12.0 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#538](goreleaser/goreleaser-action#538) - chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group by [@dependabot](https://github.com/dependabot)\[bot] in [#539](goreleaser/goreleaser-action#539) **Full Changelog**: <goreleaser/goreleaser-action@v6...v7.0.0> ### [`v7`](goreleaser/goreleaser-action@v6.4.0...v7) [Compare Source](goreleaser/goreleaser-action@v6.4.0...v7) ### [`v6.4.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.4.0) [Compare Source](goreleaser/goreleaser-action@v6.3.0...v6.4.0) #### What's Changed - ci: set contents read as default workflow permissions by [@crazy-max](https://github.com/crazy-max) in [#494](goreleaser/goreleaser-action#494) - fix: support .config directory for goreleaser config files by [@haya14busa](https://github.com/haya14busa) in [#500](goreleaser/goreleaser-action#500) - chore(deps): bump semver from 7.7.1 to 7.7.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#495](goreleaser/goreleaser-action#495) - chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 by [@dependabot](https://github.com/dependabot)\[bot] in [#498](goreleaser/goreleaser-action#498) - fix: do not get releases.json if version is specific by [@caarlos0](https://github.com/caarlos0) in [#502](goreleaser/goreleaser-action#502) - chore(deps): bump undici from 5.28.5 to 5.29.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#496](goreleaser/goreleaser-action#496) - feat: retry downloading releases json by [@caarlos0](https://github.com/caarlos0) in [#503](goreleaser/goreleaser-action#503) #### New Contributors - [@haya14busa](https://github.com/haya14busa) made their first contribution in [#500](goreleaser/goreleaser-action#500) **Full Changelog**: <goreleaser/goreleaser-action@v6.3.0...v6.4.0> ### [`v6.3.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.3.0) [Compare Source](goreleaser/goreleaser-action@v6.2.1...v6.3.0) - Bump undici from 5.28.3 to 5.28.5 in [#488](goreleaser/goreleaser-action#488) **Full Changelog**: <goreleaser/goreleaser-action@v6.2.1...v6.3.0> ### [`v6.2.1`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.2.1) [Compare Source](goreleaser/goreleaser-action@v6.2.0...v6.2.1) #### What's Changed This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the `-pro` suffix). Older versions should work fine. > \[!WARNING] > This version is **required** for GoReleaser Pro v2.7.0+. > Read more [here](https://goreleaser.com/blog/goreleaser-v2.7/). **Full Changelog**: <goreleaser/goreleaser-action@v6.2.0...v6.2.1> ### [`v6.2.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.2.0) [Compare Source](goreleaser/goreleaser-action@v6.1.0...v6.2.0) #### What's Changed This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the `-pro` suffix). Older versions should work fine. > \[!WARNING] > This version is **required** for GoReleaser Pro v2.7.0+. > Read more [here](https://goreleaser.com/blog/goreleaser-v2.7/). **Full Changelog**: <goreleaser/goreleaser-action@v6.1.0...v6.2.0> ### [`v6.1.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v6.1.0) [Compare Source](goreleaser/goreleaser-action@v6...v6.1.0) #### What's Changed - chore(deps): bump braces from 3.0.2 to 3.0.3 by [@dependabot](https://github.com/dependabot) in [#467](goreleaser/goreleaser-action#467) - chore(deps): bump docker/bake-action from 4 to 5 by [@dependabot](https://github.com/dependabot) in [#468](goreleaser/goreleaser-action#468) - chore(deps): bump semver from 7.6.2 to 7.6.3 by [@dependabot](https://github.com/dependabot) in [#470](goreleaser/goreleaser-action#470) - chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 2.2.1 to 2.2.2 by [@dependabot](https://github.com/dependabot) in [#473](goreleaser/goreleaser-action#473) - chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 2.2.2 to 2.2.3 by [@dependabot](https://github.com/dependabot) in [#474](goreleaser/goreleaser-action#474) - chore(deps): bump micromatch from 4.0.5 to 4.0.8 by [@dependabot](https://github.com/dependabot) in [#475](goreleaser/goreleaser-action#475) - chore(deps): bump [@actions/core](https://github.com/actions/core) from 1.10.1 to 1.11.1 by [@dependabot](https://github.com/dependabot) in [#478](goreleaser/goreleaser-action#478) - docs: bump upload-artifact version by [@dunglas](https://github.com/dunglas) in [#479](goreleaser/goreleaser-action#479) - chore: update generated content by [@crazy-max](https://github.com/crazy-max) in [#480](goreleaser/goreleaser-action#480) #### New Contributors - [@dunglas](https://github.com/dunglas) made their first contribution in [#479](goreleaser/goreleaser-action#479) **Full Changelog**: <goreleaser/goreleaser-action@v6.0.0...v6.1.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.simoncor.net/golang/gogitlabber/pulls/2

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) | action | major | `v6` → `v7` | --- ### Release Notes <details> <summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary> ### [`v7.2.2`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.2) [Compare Source](goreleaser/goreleaser-action@v7.2.1...v7.2.2) #### What's Changed - ci(deps): bump the actions group with 3 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#560](goreleaser/goreleaser-action#560) - fix: nightly resolution to select newest published release by [@Copilot](https://github.com/Copilot) in [#562](goreleaser/goreleaser-action#562) #### New Contributors - [@Copilot](https://github.com/Copilot) made their first contribution in [#562](goreleaser/goreleaser-action#562) **Full Changelog**: <goreleaser/goreleaser-action@v7...v7.2.2> ### [`v7.2.1`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.1) [Compare Source](goreleaser/goreleaser-action@v7.2.0...v7.2.1) This fully removes the usage of the old `nightly` moving tag. **Full Changelog**: <goreleaser/goreleaser-action@v7.2.0...v7.2.1> ### [`v7.2.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.2.0) [Compare Source](goreleaser/goreleaser-action@v7.1.0...v7.2.0) #### What's Changed - test: cover install across release eras by [@caarlos0](https://github.com/caarlos0) in [#555](goreleaser/goreleaser-action#555) - feat: add `version-file` input by [@caarlos0](https://github.com/caarlos0) in [#556](goreleaser/goreleaser-action#556) - feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release by [@caarlos0](https://github.com/caarlos0) in [#558](goreleaser/goreleaser-action#558) **Full Changelog**: <goreleaser/goreleaser-action@v7...v7.2.0> ### [`v7.1.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.1.0) [Compare Source](goreleaser/goreleaser-action@v7...v7.1.0) #### What's Changed - feat: verify release checksum and cosign signature by [@caarlos0](https://github.com/caarlos0) in [#550](goreleaser/goreleaser-action#550) - docs: document cosign verification in README by [@caarlos0](https://github.com/caarlos0) in [#553](goreleaser/goreleaser-action#553) - docs: Upgrade import GPG action version by [@flecno](https://github.com/flecno) in [#547](goreleaser/goreleaser-action#547) - ci: drop docker-bake in favor of plain npm by [@caarlos0](https://github.com/caarlos0) in [#551](goreleaser/goreleaser-action#551) - ci: add release-major-tag workflow by [@caarlos0](https://github.com/caarlos0) in [#552](goreleaser/goreleaser-action#552) - ci: drop pre-cosign-v3 goreleaser versions from tests by [@caarlos0](https://github.com/caarlos0) in [#554](goreleaser/goreleaser-action#554) - ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#543](goreleaser/goreleaser-action#543) - ci(deps): bump the actions group with 5 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#546](goreleaser/goreleaser-action#546) - chore(deps): bump undici from 6.23.0 to 6.24.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#545](goreleaser/goreleaser-action#545) #### New Contributors - [@flecno](https://github.com/flecno) made their first contribution in [#547](goreleaser/goreleaser-action#547) **Full Changelog**: <goreleaser/goreleaser-action@v7...v7.1.0> ### [`v7.0.0`](https://github.com/goreleaser/goreleaser-action/releases/tag/v7.0.0) [Compare Source](goreleaser/goreleaser-action@v7...v7) #### What's Changed - feat!: node 24, update deps, rm yarn, ESM by [@caarlos0](https://github.com/caarlos0) in [#533](goreleaser/goreleaser-action#533) - sec: pin github action versions by [@caarlos0](https://github.com/caarlos0) in [#514](goreleaser/goreleaser-action#514) - docs: Upgrade checkout GitHub Action in README.md by [@dunglas](https://github.com/dunglas) in [#507](goreleaser/goreleaser-action#507) - chore(deps): bump actions/checkout from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#504](goreleaser/goreleaser-action#504) - ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#517](goreleaser/goreleaser-action#517) - ci(deps): bump the actions group with 2 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#523](goreleaser/goreleaser-action#523) - ci(deps): bump docker/bake-action from 6.9.0 to 6.10.0 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#526](goreleaser/goreleaser-action#526) - ci(deps): bump the actions group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#532](goreleaser/goreleaser-action#532) - ci(deps): bump actions/checkout from 6.0.1 to 6.0.2 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#534](goreleaser/goreleaser-action#534) - chore(deps): bump the npm group across 1 directory with 4 updates by [@dependabot](https://github.com/dependabot)\[bot] in [#536](goreleaser/goreleaser-action#536) - chore(deps): bump [@actions/http-client](https://github.com/actions/http-client) from 3.0.2 to 4.0.0 in the npm group by [@dependabot](https://github.com/dependabot)\[bot] in [#537](goreleaser/goreleaser-action#537) - ci(deps): bump docker/setup-buildx-action from 3.10.0 to 3.12.0 in the actions group by [@dependabot](https://github.com/dependabot)\[bot] in [#538](goreleaser/goreleaser-action#538) - chore(deps): bump semver from 7.7.3 to 7.7.4 in the npm group by [@dependabot](https://github.com/dependabot)\[bot] in [#539](goreleaser/goreleaser-action#539) **Full Changelog**: <goreleaser/goreleaser-action@v6...v7.0.0> ### [`v7`](goreleaser/goreleaser-action@v6.4.0...v7) [Compare Source](goreleaser/goreleaser-action@v6.4.0...v7) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.simoncor.net/golang/logger/pulls/3

caarlos0 requested a review from crazy-max as a code owner April 23, 2026 03:48

caarlos0 marked this pull request as draft April 23, 2026 03:58

caarlos0 and others added 3 commits April 26, 2026 15:26

Merge remote-tracking branch 'origin/master' into nightly

6606af0

Signed-off-by: Carlos Alexandro Becker <caarlos0@users.noreply.github.com>

test: assert isNightlyTag accepts legacy fallback

2c8756b

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

caarlos0 marked this pull request as ready for review April 26, 2026 18:29

caarlos0 and others added 4 commits April 26, 2026 15:32

Revert "fix: accept nightly tags without 'v' prefix"

c4183b1

The missing 'v' prefix on the goreleaser-pro nightly was a release mistake; new nightlies will keep the 'v' prefix. This reverts commit 7673f7f. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

ci: pass GITHUB_TOKEN to tests

a251931

The new nightly resolution hits api.github.com/repos/.../releases, which is rate-limited for unauthenticated requests. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

docs: note GITHUB_TOKEN need for nightly resolution

6e299d2

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

caarlos0 merged commit 4c6ab56 into master Apr 26, 2026
34 checks passed

caarlos0 deleted the nightly branch April 26, 2026 19:39

caarlos0 mentioned this pull request Apr 26, 2026

docs(actions): note immutable nightly resolution goreleaser/goreleaser#6590

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release#558

feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release#558
caarlos0 merged 8 commits into
masterfrom
nightly

caarlos0 commented Apr 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

caarlos0 commented Apr 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant