chore: Dependency and Release Updates (#45)

* use `v6` of setup-go

* bump go version

* update build steps

* update release

* update helper scripts

* remove deadcode for now

Author: GrantBirki

.github/workflows/build.yml

@@ -18,15 +18,16 @@ jobs:
           persist-credentials: false
 
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: true
 
-      - name: goreleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # pin@v6
+      - name: setup goreleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # pin@v6.4.0
         with:
           install-only: true
+          version: '~> v2'
 
       - name: bootstrap
         run: script/bootstrap

.github/workflows/copilot-setup-steps.yml

@@ -16,6 +16,6 @@ jobs:
           persist-credentials: false
 
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'

.github/workflows/golangci-lint.yml

@@ -18,7 +18,7 @@ jobs:
           persist-credentials: false
 
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: true

.github/workflows/lint.yml

@@ -18,7 +18,7 @@ jobs:
           persist-credentials: false
 
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: true
@@ -44,14 +44,3 @@ jobs:
             assert-nothing-changed go mod tidy
 
             exit $STATUS
-
-      - name: deadcode
-        run: |
-          go install golang.org/x/tools/cmd/deadcode@latest
-
-          deadcode -test ./... > "deadcode.txt"
-          if [ -s "deadcode.txt" ]; then
-            echo "dead code found:"
-            cat deadcode.txt
-            exit 1
-          fi

.github/workflows/release.yml

@@ -15,35 +15,47 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
+      artifact_dir: ${{ steps.build.outputs.artifact_dir }}
 
     steps:
       - name: checkout
-        uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 # pin@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # pin@v5.0.0
         with:
           fetch-depth: 0
           persist-credentials: false
 
       - name: setup go
-        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # pin@v5
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # pin@v6
         with:
           go-version-file: "go.mod"
           cache: false
 
       - name: bootstrap
         run: script/bootstrap
 
-      - name: goreleaser
-        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # pin@v6
+      - name: setup goreleaser
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # pin@v6.4.0
         with:
-          args: release --clean
+          install-only: true
+          version: '~> v2'
+
+      # IMPORTANT: this step MUST export for the following outputs:
+      # artifact_dir: the path to the dir where artifacts are stored - ex: "dist"
+      # Note: this step will build the binaries via goreleaser, place the artifacts in a dir (ex: "dist"), and then export that path as artifact_dir...
+      # ... finally it will then publish a GitHub Release with those artifacts attached
+      - name: build and release
+        id: build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: script/build --release
 
       - name: upload artifact
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # pin@v4.6.2
         id: upload-artifact
         with:
-          path: dist/
+          name: ${{ steps.build.outputs.artifact_dir }} # name and path can just both be artifact_dir (ex: "dist") to keep it simple
+          path: ${{ steps.build.outputs.artifact_dir }}
+          if-no-files-found: error
 
   sign:
     needs: release
@@ -53,29 +65,36 @@ jobs:
       attestations: write
       contents: read
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # pin@v5.0.0
         with:
           artifact-ids: ${{ needs.release.outputs.artifact-id }}
+          path: ${{ needs.release.outputs.artifact_dir }}
+
+      - name: view artifact
+        env:
+          ARTIFACT_PATH: ${{ needs.release.outputs.artifact_dir }}
+        run: tree -L 2 -a --dirsfirst -C -F -h -D "${ARTIFACT_PATH}"
 
       - name: attest build provenance
-        uses: actions/attest-build-provenance@v3.0.0
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # pin@v3.0.0
         with:
-          subject-path: "."
+          subject-path: "${{ needs.release.outputs.artifact_dir }}/"
 
   verify:
     permissions: {}
     runs-on: ubuntu-latest
     needs: [release, sign]
     steps:
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # pin@v5.0.0
         with:
           artifact-ids: ${{ needs.release.outputs.artifact-id }}
+          path: ${{ needs.release.outputs.artifact_dir }}
 
       - name: verify
         env:
           OWNER: ${{ github.repository_owner }}
           REPO: ${{ github.event.repository.name }}
-          ARTIFACT_PATH: "."
+          ARTIFACT_PATH: "${{ needs.release.outputs.artifact_dir }}/"
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           echo "Scanning for files in $ARTIFACT_PATH"

.github/workflows/test.yml

@@ -18,7 +18,7 @@ jobs:
           persist-credentials: false
 
       - name: setup go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           cache: true

.go-version

@@ -1 +1 @@
-1.23.8
+1.25.1

go.mod

@@ -1,6 +1,6 @@
 module github.com/github/gh-combine
 
-go 1.23.8
+go 1.25.1
 
 require github.com/briandowns/spinner v1.23.2
 

script/bootstrap

@@ -8,6 +8,7 @@ echo -e "${BLUE}🥾 Bootstrapping...${OFF}"
 
 # Hermetic check: ensure all imports resolve from vendor/ only
 # This avoids touching the network or the module cache.
+# This command will fail if the project is not fully vendored.
 go list -mod=vendor -deps ./... > /dev/null
 
 echo -e "${GREEN}✅ Bootstrap complete!${OFF}"

script/build

@@ -12,7 +12,26 @@ BUILD_TIME="$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
 
 goreleaser check
 
-# Pass all arguments through to goreleaser build
-goreleaser build --snapshot --clean "$@"
+# Check if --release flag is passed
+if [[ " $* " == *" --release "* ]]; then
+  # Remove --release from arguments and run goreleaser in release mode
+  args=("$@")
+  filtered_args=()
+  for arg in "${args[@]}"; do
+    if [[ "$arg" != "--release" ]]; then
+      filtered_args+=("$arg")
+    fi
+  done
+  
+  goreleaser release --clean "${filtered_args[@]}"
+else
+  # Default: Pass all arguments through to goreleaser build in snapshot mode
+  goreleaser build --snapshot --clean "$@"
+fi
+
+if [[ "$CI" == "true" ]]; then
+  tree -L 2 -a --dirsfirst -C -F -h -D dist/
+  echo "artifact_dir=dist" >> $GITHUB_OUTPUT
+fi
 
 echo -e "${GREEN}Build completed successfully!${OFF}"