ci(release): integrate Windows ABE payload into goreleaser #590
- Add `make payload` to before.hooks (zig 0.16.0 via mlugg/setup-zig@v2)
- Split windows/amd64 into dedicated build with abe_embed tag
- Add workflow inputs: mode (snapshot/release), tag, draft
- Snapshot mode uploads dist/ as artifact for verification
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## main #590 +/- ##
=======================================
Coverage 73.60% 73.60%
=======================================
Files 61 61
Lines 2815 2815
=======================================
Hits 2072 2072
Misses 553 553
Partials 190 190
Pull request overview
Integrates the Windows ABE reflective-injection payload into the GoReleaser-based release pipeline and adds workflow_dispatch inputs to support snapshot vs. tagged release runs from the GitHub UI.
Changes:
- Added a dedicated `windows/amd64` GoReleaser build that compiles with the `abe_embed` build tag and included it in archives.
- Added a `make payload` step to GoReleaser `before.hooks` to generate the embedded payload during releases.
- Updated the release workflow to support `mode`/`tag`/`draft` inputs, install Zig, run snapshot vs. release conditionally, and upload `dist/` for snapshot runs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `.goreleaser.yml` | Adds payload generation hook and a separate Windows/amd64 build ID to embed the ABE payload in release artifacts. |
| `.github/workflows/release.yml` | Adds dispatch inputs, Zig setup, tag creation, conditional GoReleaser execution, and snapshot artifact upload. |
| git tag ${{ inputs.tag }} | ||
| git push origin ${{ inputs.tag }} | ||
git tag will fail if the tag already exists locally or on the remote (common when re-running a manual release). Add an explicit check for an existing tag (local + git ls-remote --tags) and fail with a clear error before attempting to create/push it, rather than failing mid-workflow.
| git tag ${{ inputs.tag }} | |
| git push origin ${{ inputs.tag }} | |
| TAG="${{ inputs.tag }}" | |
| if git rev-parse -q --verify "refs/tags/$TAG" >/dev/null; then | |
| echo "::error::Tag '$TAG' already exists locally" | |
| exit 1 | |
| fi | |
| if git ls-remote --tags --exit-code origin "refs/tags/$TAG" >/dev/null 2>&1; then | |
| echo "::error::Tag '$TAG' already exists on origin" | |
| exit 1 | |
| fi | |
| git tag "$TAG" | |
| git push origin "$TAG" |
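Review bot: the first added line, TAG="${{ inputs.tag }}", still has the runner substitute the input into the script text before the shell parses it, so quoting inside the script does not stop the value being read as shell. Pass the input through the step's env: block (TAG: ${{ inputs.tag }}) and reference only "$TAG" in the script; the two existence checks can then stay as written.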
| run: | | ||
| git tag ${{ inputs.tag }} | ||
| git push origin ${{ inputs.tag }} |
The inputs.tag value is interpolated directly into a multi-line shell script without quoting. For workflow_dispatch, a crafted tag containing shell metacharacters (e.g., v1.2.3; ...) would be executed by the runner. Quote and pass the tag as a single argument (e.g., git tag -- "..." / git push origin -- "...") to avoid command injection.
| run: | | |
| git tag ${{ inputs.tag }} | |
| git push origin ${{ inputs.tag }} | |
| env: | |
| TAG: ${{ inputs.tag }} | |
| run: | | |
| git tag -- "$TAG" | |
| git push origin -- "$TAG" |
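Review bot: git push origin -- "$TAG" pushes a bare name, which is ambiguous if a branch with the same name exists; push the full ref instead, git push origin -- "refs/tags/$TAG", so only the tag can match. This version also has no check that the tag is absent before git tag runs, so a re-run stops partway through the step; a test on refs/tags/$TAG ahead of the two commands would fail earlier and with a clearer message.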
- Move `make payload` from .goreleaser before.hooks to a dedicated workflow step so goreleaser doesn't depend on zig for non-Windows builds
- Quote inputs.tag via env var and add `--` separator (CWE-78)
- Reject already-existing tags before push to fail fast
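The difference between the two forms of the tagging step, as an added example that is not part of the PR or the project's code: the runner's substitution of `${{ inputs.tag }}` is modelled by plain string concatenation, and `git` is replaced by a hypothetical stub that prints each argument in brackets. The sample input is constructed.

```bash
#!/bin/sh
# Added illustration, not from the PR. Models how the tagging step's shell
# sees a workflow_dispatch input. Nothing here touches a real repository.

# Hypothetical stand-in for git: one output line per call, each argument in [].
FAKE_GIT='git() { printf "git"; for a in "$@"; do printf " [%s]" "$a"; done; printf "\n"; }'

# Original step: the input text is pasted into the script before the shell
# parses it, so the input becomes part of the program.
run_inline() {
  script="git tag $1"                  # models: git tag ${{ inputs.tag }}
  sh -c "${FAKE_GIT}; ${script}"
}

# Fixed step: the script text is constant. The input arrives only as data in
# the TAG environment variable and is expanded inside double quotes; `--`
# keeps a value that starts with `-` from being read as an option.
run_env() {
  TAG="$1" sh -c "${FAKE_GIT}"'; git tag -- "$TAG"'
}

# Constructed sample input, following the "v1.2.3; ..." case in the review.
SAMPLE='v1.2.3; echo SECOND-COMMAND'

echo "inline interpolation:"
run_inline "$SAMPLE"                   # two commands run
echo "env var + quoting:"
run_env "$SAMPLE"                      # one command, one tag argument
```

With the env form the whole input reaches `git tag` as a single argument, and real git then refuses it because a ref name cannot contain a space.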
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| - name: Build ABE payload | ||
| run: make payload | ||
make payload is run as a standalone workflow step, but the PR description indicates this should be handled by GoReleaser (before.hooks). Keeping the payload generation in only one place will reduce drift (e.g., local goreleaser release --snapshot vs CI) and make it clearer which component owns the Zig/payload prerequisite.
| - name: Build ABE payload | |
| run: make payload |
Summary
- `windows-amd64` ship with it (previously only `make build-windows` produced an ABE-capable binary)
- `mode`/`tag`/`draft` workflow inputs so releases can be triggered as snapshot dry-runs or real tagged drafts from the GitHub UI
- `dist/` as an artifact for offline verification

Changes
- `.goreleaser.yml`: `make payload` in `before.hooks`; new `hack-browser-data-windows-amd64` build with `tags: [abe_embed]`; original build now ignores `windows/amd64`; `archives.ids` lists both builds
- `.github/workflows/release.yml`: `mode` (snapshot/release), `tag`, `draft` inputs; `mlugg/setup-zig@v2` installs zig 0.16.0; conditional snapshot vs release goreleaser steps; snapshot artifact upload