Skip to content

fix(release): correct go-licenses v2 module path #4

fix(release): correct go-licenses v2 module path

fix(release): correct go-licenses v2 module path #4

Workflow file for this run

name: Release Engine
on:
push:
tags:
- 'engine/v*'
permissions:
contents: write
packages: write
jobs:
release:
name: Build and Release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version: '1.25'
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- name: Set goreleaser tag
run: |
# Strip "engine/" prefix so goreleaser sees a clean semver tag
TAG="${GITHUB_REF#refs/tags/engine/}"
echo "GORELEASER_CURRENT_TAG=${TAG}" >> "$GITHUB_ENV"
# Create a local tag alias so goreleaser can validate the tag against
# the current commit. Goreleaser reads tags but never pushes them, so
# this won't pollute the remote. The namespaced tag (engine/vX.Y.Z) is
# what triggered this workflow; goreleaser needs the plain vX.Y.Z form.
git tag "${TAG}"
- name: Generate NOTICE
run: |
go install github.com/google/go-licenses/v2@v2.0.1
go-licenses report ./... > NOTICE
working-directory: packages/engine
- name: Run goreleaser
uses: goreleaser/goreleaser-action@v6
with:
version: '~> v2'
args: release --clean
workdir: packages/engine
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
trivy:
name: Trivy Scan
runs-on: ubuntu-latest
needs: release
steps:
- name: Extract version
id: vars
run: |
TAG="${GITHUB_REF#refs/tags/engine/v}"
echo "version=${TAG}" >> "$GITHUB_OUTPUT"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: "ghcr.io/dvflw/mantle:${{ steps.vars.outputs.version }}"
format: table
exit-code: '1'
severity: CRITICAL,HIGH