ci: update release pipelines/scripts

Author: damienbutt

.github/workflows/release-prechecks.yml

@@ -61,16 +61,9 @@ jobs:
               cargo install typos-cli --force
           fi
 
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-
       - name: Run GoReleaser test
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
         run: |
           make goreleaser-test

.github/workflows/release.yml

@@ -58,11 +58,6 @@ jobs:
               cargo install typos-cli --force
           fi
 
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:
@@ -72,7 +67,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
 
       - name: Update GitHub Release with Release Notes
         env:

.goreleaser.yml

@@ -12,9 +12,11 @@ before:
 
 builds:
   - main: ./main.go
-    binary: spc
+    binary: spc.exe
     env:
       - CGO_ENABLED=0
+    goos:
+      - windows
     goarch:
       - amd64
     flags:
@@ -36,24 +38,6 @@ archives:
       - goos: windows
         formats: [zip]
 
-signs:
-  - artifacts: checksum
-    args:
-      [
-        "--pinentry-mode",
-        "loopback",
-        "--batch",
-        "-u",
-        "{{ .Env.GPG_FINGERPRINT }}",
-        "--output",
-        "${signature}",
-        "--detach-sign",
-        "${artifact}",
-      ]
-
-source:
-  enabled: true
-
 checksum:
   name_template: checksums.txt
 
@@ -76,7 +60,7 @@ scoops:
   - name: spc
     repository:
       owner: Norgate-AV
-      name: scoop-bucket-crestron
+      name: scoop-norgateav-crestron
       token: "{{ .Env.RELEASE_TOKEN }}"
     directory: bucket
     homepage: https://github.com/Norgate-AV/spc

Makefile

@@ -99,6 +99,9 @@ deps:
 
 ci: deps lint test build
 
+goreleaser-test:
+	@./scripts/test-goreleaser.sh
+
 # Show help
 help:
 	@echo "Available targets:"
@@ -114,5 +117,6 @@ help:
 	@echo "  lint          - Run fmt, vet, and golangci-lint"
 	@echo "  deps          - Download dependencies"
 	@echo "  ci            - Run CI pipeline (deps, lint, test, build)"
+	@echo "  goreleaser-test - Test GoReleaser configuration (snapshot build)"
 	@echo "  all           - Clean, test, and build"
 	@echo "  help          - Show this help"

scripts/commit-changelog.sh

@@ -12,20 +12,47 @@ if [[ -z "$TAG" ]]; then
     exit 1
 fi
 
+# Determine the default branch - try multiple methods for CI reliability
+if [[ -n "$GITHUB_REF_NAME" ]]; then
+    # In GitHub Actions, use the base ref or default to master
+    DEFAULT_BRANCH="${GITHUB_BASE_REF:-master}"
+elif git symbolic-ref refs/remotes/origin/HEAD &>/dev/null; then
+    # If symbolic ref exists, use it
+    DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD | sed 's@^refs/remotes/origin/@@')
+else
+    # Fallback to fetching default branch from GitHub API or assume master
+    DEFAULT_BRANCH=$(git remote show origin | grep 'HEAD branch' | cut -d' ' -f5 || echo "master")
+fi
+
+echo "Target branch: $DEFAULT_BRANCH"
+
 # Check if CHANGELOG.md has changes
 if [[ -n "$(git status --porcelain CHANGELOG.md)" ]]; then
-    echo "📝 Committing updated CHANGELOG.md for $TAG"
+    echo "Committing updated CHANGELOG.md for $TAG"
+
+    # Configure git
     git config --global user.name "github-actions[bot]"
     git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+    # Fetch the latest state of the default branch
+    git fetch origin "$DEFAULT_BRANCH"
+
+    # Checkout the default branch (handles detached HEAD)
+    git checkout "$DEFAULT_BRANCH"
+
+    # Pull latest changes to avoid conflicts
+    git pull origin "$DEFAULT_BRANCH" --rebase || {
+        echo "Warning: Could not rebase. Attempting to continue..."
+    }
+
+    # Add and commit the changelog
     git add CHANGELOG.md
     git commit -m "chore: update CHANGELOG.md for $TAG [skip ci]"
 
-    # Determine the default branch from the remote 'origin'
-    # This is more reliable in CI environments (detached HEAD)
-    DEFAULT_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD | sed 's@^refs/remotes/origin/@@')
-    git push origin HEAD:"$DEFAULT_BRANCH"
+    # Push to the default branch
+    git push origin "$DEFAULT_BRANCH"
 
-    echo "✅ CHANGELOG.md committed and pushed to $DEFAULT_BRANCH"
+    echo "CHANGELOG.md committed and pushed to $DEFAULT_BRANCH"
 else
-    echo "ℹ️  No changes to CHANGELOG.md to commit"
+    echo "No changes to CHANGELOG.md to commit"
 fi

scripts/test-goreleaser.sh

@@ -81,18 +81,6 @@ check_gh_auth() {
     fi
 }
 
-check_ghcr_auth() {
-    local token="$1"
-    local actor="$2"
-
-    if echo "${token}" | docker login ghcr.io -u "${actor}" --password-stdin &> /dev/null; then
-        print_success "Authenticated with GHCR"
-    else
-        MISSING_AUTH+=("GHCR")
-        print_error "Failed to authenticate with GHCR"
-    fi
-}
-
 check_token_contents_permission() {
     local token="$1"
     local repo="$2"
@@ -135,33 +123,6 @@ check_token_contents_permission() {
     fi
 }
 
-check_token_pr_permission() {
-    local token="$1"
-    local repo="$2"
-    local token_name="$3"
-
-    if [ -z "$token" ]; then
-        return
-    fi
-
-    local http_status
-    http_status=$(curl -s -o /dev/null -w "%{http_code}" \
-        -X POST \
-        -H "Authorization: token $token" \
-        -d '{"title":"Test PR","head":"test-branch","base":"master","draft":true}' \
-        "https://api.github.com/repos/$repo/pulls")
-
-    if [ "$http_status" -eq 422 ]; then
-        print_success "pull_requests:write permission verified for $repo"
-    elif [ "$http_status" -eq 403 ]; then
-        print_error "Failed to create draft PR on $repo (HTTP status: $http_status). This indicates a permission issue."
-        MISSING_PERMISSIONS+=("$token_name (failed to create draft PR on $repo)")
-    else
-        print_error "Unexpected error when creating a draft PR on $repo (HTTP status: $http_status)"
-        MISSING_PERMISSIONS+=("$token_name (unexpected error when creating a draft PR on $repo)")
-    fi
-}
-
 check_goreleaser_env_vars() {
     print_status "Checking for referenced environment variables in .goreleaser.yml..."
 
@@ -200,16 +161,13 @@ echo ""
 print_status "2. 📋 Checking Required Secrets..."
 
 check_secret "GITHUB_TOKEN" "GitHub Actions token (auto-provided)"
-check_secret "RELEASE_TOKEN" "Token for Homebrew tap repository"
-check_secret "GPG_PRIVATE_KEY" "GPG private key for package signing"
-check_secret "GPG_FINGERPRINT" "GPG key fingerprint for package signing"
+check_secret "RELEASE_TOKEN" "Token for Scoop repository"
 echo ""
 
 # 3. Required repositories check
 print_status "3. 🏗️ Checking Required Repositories..."
 
-check_github_repo "damienbutt/scoop-bucket" "Scoop bucket repository" "${GITHUB_TOKEN}"
-check_github_repo "damienbutt/winget-pkgs" "Winget package repository" "${GITHUB_TOKEN}"
+check_github_repo "Norgate-AV/scoop-norgateav-crestron" "Scoop bucket repository" "${GITHUB_TOKEN}"
 echo ""
 
 # 4. Check build tools
@@ -218,7 +176,6 @@ print_status "4. 🔧 Checking Build Tools..."
 check_tool "go"
 check_tool "git"
 check_tool "gh"
-check_tool "gpg"
 check_tool "git-cliff"
 check_tool "typos"
 check_tool "curl"
@@ -237,23 +194,18 @@ if command -v gh &> /dev/null; then
     check_gh_auth
 fi
 
-check_ghcr_auth "${GITHUB_TOKEN}" "${GITHUB_ACTOR}"
-echo ""
-
 print_status "6. 🔑 Checking Release Token Permissions..."
 
 if [ -z "${RELEASE_TOKEN}" ]; then
     print_warning "RELEASE_TOKEN is not set; skipping permission checks"
     WARNINGS+=("RELEASE_TOKEN is not set; skipping permission checks")
 else
     REPOS_TO_CHECK=(
-        "damienbutt/scoop-bucket"
-        "damienbutt/winget-pkgs"
+        "Norgate-AV/scoop-norgateav-crestron"
     )
 
     for repo in "${REPOS_TO_CHECK[@]}"; do
         check_token_contents_permission "${RELEASE_TOKEN}" "$repo" "RELEASE_TOKEN"
-        check_token_pr_permission "${RELEASE_TOKEN}" "$repo" "RELEASE_TOKEN"
     done
 fi
 echo ""
@@ -342,7 +294,6 @@ print_success "All required repositories are accessible."
 print_success "All required build tools are installed."
 print_success "All release token permissions are verified."
 print_success "GitHub CLI is authenticated."
-print_success "Authenticated with GHCR."
 
 if [ "$GO_RELEASER_SUCCESS" = true ]; then
     print_success "GoReleaser release process completed successfully."