Skip to content


Releases are managed with goreleaser.


To build a test release, without publishing, (Ubuntu Linux only) first ensure that the musl-tools and snapcraft packages are installed:

$ sudo apt-get install musl-tools snapcraft

Then run:

$ make test-release


Publish a new release by creating and pushing a tag, for example:

$ git tag v1.2.3
$ git push --tags

This triggers a GitHub Action that builds and publishes archives, packages, and snaps, creates a new GitHub Release, and deploys the website.


Publishing Snaps requires a SNAPCRAFT_STORE_CREDENTIALS repository secret.

Snapcraft store credentials periodically expire. Create new snapcraft store credentials by running:

$ snapcraft export-login --snaps=chezmoi --channels=stable,candidate,beta,edge --acls=package_upload -


brew automation will automatically detect new releases of chezmoi within a few hours and open a pull request in to bump the version.

If needed, the pull request can be created with:

$ brew bump-formula-pr --tag=v1.2.3 chezmoi


chezmoi is in Scoop's Main bucket. Scoop's automation will automatically detect new releases within a few hours.


chezmoi uses GoReleaser's support for signing to sign the checksums of its release assets with cosign.


  • The cosign private key was generated with cosign v1.12.1 on a private recently-installed Ubuntu 22.04.1 system with a single user and all available updates applied.

  • The private key uses a long (more than 32 character) password generated locally by a password manager.

  • The password-protected private key is stored in chezmoi's public GitHub repo.

  • The private key's password is stored as a GitHub Actions secret and only available to the release step of release job of the main workflow.

  • The cosign public key is included in the release assets and also uploaded to Since is served by GitHub pages, it probably has equivalent security to chezmoi's GitHub Releases page, which is also managed by GitHub.