fix(test): pin goreleaser version in attestation e2e test#8518
Conversation
goreleaser v2.14.2 was released without GitHub artifact attestations, causing the test_aqua_github_attestations e2e test to fail on both main and PRs. Pin to v2.14.1 which has known-good attestations. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the stability of the end-to-end test for native GitHub artifact attestations. By explicitly pinning the goreleaser version used in the test, it mitigates issues where recent goreleaser releases might temporarily lack published attestations, which previously led to test failures. This change ensures the continuous reliability of the attestation verification process within the test suite. Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
7a8655b to
307338d
Compare
There was a problem hiding this comment.
Code Review
This pull request correctly pins the goreleaser version in an e2e test to resolve flakiness. The change is a good practice for test stability. I've added a couple of suggestions to introduce a variable for the version string, which will improve maintainability by avoiding repetition.
| # Test: Install goreleaser which has GitHub artifact attestations configured (v2.7.0+) | ||
| # Pin to a specific version with known-good attestations to avoid failures when | ||
| # a new release hasn't published attestations yet (e.g. goreleaser v2.14.2). | ||
| echo "Installing goreleaser with native GitHub artifact attestations verification..." | ||
|
|
||
| # Capture the installation output to verify the native verification is being used | ||
| output=$(mise install aqua:goreleaser/goreleaser@latest 2>&1) | ||
| output=$(mise install aqua:goreleaser/goreleaser@2.14.1 2>&1) |
There was a problem hiding this comment.
To improve maintainability and avoid repeating the version string, you could define it as a variable. This makes it easier to update in the future and ensures consistency.
# Test: Install goreleaser which has GitHub artifact attestations configured (v2.7.0+)
# Pin to a specific version with known-good attestations to avoid failures when
# a new release hasn't published attestations yet (e.g. goreleaser v2.14.2).
GORELEASER_VERSION="2.14.1"
echo "Installing goreleaser@$GORELEASER_VERSION with native GitHub artifact attestations verification..."
# Capture the installation output to verify the native verification is being used
output=$(mise install "aqua:goreleaser/goreleaser@$GORELEASER_VERSION" 2>&1)
| echo "✓ goreleaser installed successfully" | ||
| # Cleanup | ||
| mise uninstall aqua:goreleaser/goreleaser@latest || true | ||
| mise uninstall aqua:goreleaser/goreleaser@2.14.1 || true |
Greptile SummaryThis PR pins the The fix is minimal and correct:
Confidence Score: 5/5
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[test_aqua_github_attestations runs] --> B[mise install aqua:goreleaser/goreleaser@2.14.1]
B --> C{Output contains<br/>verify GitHub artifact<br/>attestations?}
C -- No --> D["❌ Exit 1 - verification not called"]
C -- Yes --> E["✅ Attestation verification confirmed"]
E --> F{Output contains<br/>✓ installed?}
F -- Yes --> G[mise uninstall aqua:goreleaser/goreleaser@2.14.1]
F -- No --> H["⚠️ Installation failed<br/>but verification was called<br/>test still passes"]
G --> I["✓ Test Passed"]
H --> I
Last reviewed commit: 307338d |
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.5 x -- echo |
23.0 ± 0.3 | 22.6 | 27.6 | 1.00 |
mise x -- echo |
23.2 ± 0.9 | 22.5 | 34.1 | 1.01 ± 0.04 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.5 env |
23.0 ± 0.7 | 22.1 | 29.4 | 1.00 |
mise env |
23.4 ± 1.2 | 22.2 | 41.4 | 1.02 ± 0.06 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.5 hook-env |
23.8 ± 0.7 | 22.9 | 29.4 | 1.01 ± 0.03 |
mise hook-env |
23.4 ± 0.3 | 22.7 | 24.2 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.5 ls |
22.7 ± 0.7 | 22.0 | 35.3 | 1.00 |
mise ls |
22.7 ± 0.2 | 22.0 | 23.8 | 1.00 ± 0.03 |
xtasks/test/perf
| Command | mise-2026.3.5 | mise | Variance |
|---|---|---|---|
| install (cached) | 150ms | 149ms | +0% |
| ls (cached) | 82ms | 81ms | +1% |
| bin-paths (cached) | 84ms | 84ms | +0% |
| task-ls (cached) | 837ms | 810ms | +3% |
### 🐛 Bug Fixes - **(activate)** reorder shims to front of PATH on re-source in fish by @jdx in [#8534](#8534) - **(backend)** strip mise shims from dependency_env PATH to prevent fork bomb by @pose in [#8475](#8475) - **(github)** resolve "latest" version correctly via GitHub API by @jdx in [#8532](#8532) - **(lock)** set env tags and clarify lockfile docs by @jdx in [#8519](#8519) - **(lock)** use separate mise.<env>.lock files instead of env tags by @jdx in [#8523](#8523) - **(task)** include args in task output prefix and truncate long prefixes by @jdx in [#8533](#8533) - **(task)** only include args in task prefix when disambiguating duplicates by @jdx in [#8536](#8536) - **(test)** pin goreleaser version in attestation e2e test by @jdx in [#8518](#8518) - **(windows)** env._.source needs to run bash.exe on Windows (fix #6513) by @pjeby in [#8520](#8520) - handle locked .exe shims on Windows during reshim by @davireis in [#8517](#8517) ### 🚜 Refactor - **(prepare)** remove touch_outputs and update docs to reflect blake3 hashing by @jdx in [#8535](#8535) ### 📚 Documentation - **(docker)** replace jdxcode/mise image with curl install, update to debian:13-slim by @jdx in [#8526](#8526) - fix "gzip: stdin is encrypted" error in shell tricks cookbook by @pjeby in [#8512](#8512) ### 📦 Registry - add tigerbeetle ([github:tigerbeetle/tigerbeetle](https://github.com/tigerbeetle/tigerbeetle)) by @risu729 in [#8514](#8514) ### New Contributors - @pjeby made their first contribution in [#8520](#8520) - @davireis made their first contribution in [#8517](#8517) - @Aurorxa made their first contribution in [#8511](#8511) ## 📦 Aqua Registry Updates #### New Packages (6) - [`betterleaks/betterleaks`](https://github.com/betterleaks/betterleaks) - [`majorcontext/moat`](https://github.com/majorcontext/moat) - [`princjef/gomarkdoc`](https://github.com/princjef/gomarkdoc) - [`remko/age-plugin-se`](https://github.com/remko/age-plugin-se) - [`sudorandom/fauxrpc`](https://github.com/sudorandom/fauxrpc) - [`swanysimon/mdlint`](https://github.com/swanysimon/mdlint) #### Updated Packages (1) - [`moonrepo/moon`](https://github.com/moonrepo/moon)
Summary
goreleaserto v2.14.1 intest_aqua_github_attestationse2e test instead of using@latestTest plan
mise run test:e2e test_aqua_github_attestationspasses locally🤖 Generated with Claude Code
Note
Low Risk
Test-only change that reduces flakiness by pinning a dependency version; no production code or security logic is modified.
Overview
Pins the
test_aqua_github_attestationse2e test to install/uninstallaqua:goreleaser/goreleaser@2.14.1instead of@latest, and documents why (new releases may ship without GitHub artifact attestations).This stabilizes the attestation-verification check by avoiding transient failures when the latest goreleaser release hasn’t published attestations yet.
Written by Cursor Bugbot for commit 307338d. This will update automatically on new commits. Configure here.