GoReleaser improvements

Author: albertony

.github/workflows/build.yml

@@ -1,7 +1,25 @@
 name: Build
 
-on: push
-
+on:
+  # Run automatically when pushing a commit or tag.
+  push:
+  # Support manually running the workflow.
+  workflow_dispatch:
+    # Configurable input properties when running manually.
+    inputs:
+      # Option to run go-releaser, by default publishing a (draft) release from latest tag.
+      release:
+        description: Run GoReleaser step
+        type: boolean
+        required: true
+        default: false
+      # Additional option, when option release is true, to run as snapshot build from
+      # latest commit instead of latest tag and without publishing as a release.
+      snapshot:
+        description: GoReleaser Snapshot mode (latest commit, no publishing)
+        type: boolean
+        required: true
+        default: false
 jobs:
   build:
     name: Build
@@ -49,24 +67,38 @@ jobs:
         name: Run govulncheck
         run: govulncheck ./...
 
-      # If pushing v* tag: Clean workspace to remove remnants from the linter.
-      # This will remove "undefined/", which avoids goreleaser failing with:
+      # If pushing v* tag, or manual run with option release: Clean workspace to remove remnants from the linter.
+      # This will remove "undefined/", which avoids go-release failing with:
       #   git is currently in a dirty state
       #   Please check in your pipeline what can be changing the following files:
       #   ?? undefined/
       - id: clean
-        name: Prepare go release (if pushing v-tag)
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+        name: Prepare go release (if pushing v-tag or triggered manually)
+        if: github.event.inputs.release == 'true' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v'))
         run: git clean -xdf
 
-      # If pushing v* tag: Build and create release.
-      - id: go-release
-        name: Run go release (if pushing v-tag)
+      # If pushing v* tag, or manual run with option "release" but not "snapshot": Build and create release from latest tag.
+      # Note: If manual run it must be on the tag (same commit), or else go-releaser will fail with: "git tag <tag_name> was not made against commit <commit_hash>",
+      # and one must consider using the snapshot mode instead (see below).
+      - id: go-release-tag
+        name: Run go release tag (if pushing v-tag or triggered manually)
+        uses: goreleaser/goreleaser-action@v4
+        if: (github.event.inputs.release == 'true' && github.event.inputs.snapshot != 'true') || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v'))
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GOVERSION: ${{ steps.go-setup.outputs.go-version }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # If manual run with options "release" and "snapshot": Build latest commit without publishing a release.
+      - id: go-release-snapshot
+        name: Run go release snapshot (if triggered manually)
         uses: goreleaser/goreleaser-action@v4
-        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+        if: github.event.inputs.release == 'true' && github.event.inputs.snapshot == 'true'
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean --snapshot
         env:
           GOVERSION: ${{ steps.go-setup.outputs.go-version }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -72,8 +72,10 @@ release:
       <summary>Checksums</summary>
     <p></p>
 
-    Below are the SHA-256 checksums of release assets, the same that you can find in text file asset `npiperelay_checksums.txt`. Note that the .zip asset for the amd64 (x64, 64-bit) and 386 (x86, 32-bit) architectures both contain a single executable with name `npiperelay.exe`, and it is identical to the .exe asset with same name as the .zip asset, i.e. `npiperelay_windows_386.exe` and `npiperelay_windows_amd64.exe`, and should therefore have same checksums.
+    The SHA-256 checksums of the binary release assets are published as text file asset `npiperelay_checksums.txt`. Note that the .zip asset for the amd64 (x64/64-bit) and 386 (x86/32-bit) architectures both contain a single executable with name `npiperelay.exe`, and it is identical to the .exe asset with same name as the .zip asset, i.e. `npiperelay_windows_386.exe` and `npiperelay_windows_amd64.exe`, and should therefore have the same checksum.
     <!--
+
+    These are the SHA-256 checksums of all binary release assets, as published in `npiperelay_checksums.txt`:
     ```
     *** TODO: Copy content of npiperelay_checksums.txt here! ***
     ```
@@ -86,7 +88,8 @@ release:
 
     If your local antivirus treats the downloaded archive or executable as suspicious or malicious, you should try to report it as a false positive, e.g. to Symantec on [symsubmit.symantec.com](https://symsubmit.symantec.com) (select "Clean software incorrectly detected"). At the time of the release, no security vendors on [VirusTotal](https://www.virustotal.com) flagged the asset download urls as malicious, but some very few (well below 10%) did flag the zip archive and executable files themselves (see report for each of the assets in expandable section below). The implementation is less than 300 lines of go code, plus a single, commonly used, third party dependency. The source code is automatically run through a vulnerability analysis, using [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck), and a long list of code quality checks (linters), using [golangci-lint](https://golangci-lint.run/) (see [.golangci.yml](https://github.com/albertony/npiperelay/blob/fork/.golangci.yml) for the complete list). If you do worry, you are free to analyse the code yourself, and you can also [build](https://github.com/albertony/npiperelay#building) the executable locally from source.
     <!--
-    *** TODO: Analyse asset urls and files and update report links below! ***
+
+    *** TODO: Analyze asset urls and files, and update report links below! ***
     [VirusTotal](https://www.virustotal.com/) scan reports for release assets:
     - Asset download URLs:
       - npiperelay_windows_386.zip: [Report](https://www.virustotal.com/gui/url/??)