Releases
Releases are managed with goreleaser.
Testing
To build a test release without publishing (Ubuntu Linux only), first ensure that the musl-tools and snapcraft packages are installed:
$ sudo apt-get install musl-tools snapcraft
Then run:
$ make test-release
Publishing
Publish a new release by creating and pushing a tag, for example:
$ git tag v1.2.3
$ git push --tags
This triggers a GitHub Action that builds and publishes archives, packages, and snaps, creates a new GitHub Release, and deploys the website.
Note
Publishing Snaps requires a SNAPCRAFT_STORE_CREDENTIALS repository secret.
Snapcraft store credentials periodically expire. Create new snapcraft store credentials by running:
$ snapcraft export-login --snaps=chezmoi --channels=stable,candidate,beta,edge --acls=package_upload -
Note
brew automation will automatically detect new releases of chezmoi within a few hours and open a pull request in github.com/Homebrew/homebrew-core to bump the version.
If needed, the pull request can be created with:
$ brew bump-formula-pr --tag=v1.2.3 chezmoi
Note
chezmoi is in Scoop's Main bucket. Scoop's automation will automatically detect new releases within a few hours.
Signing
chezmoi uses GoReleaser's support for signing to sign the checksums of its release assets with cosign.
Details:
- The cosign private key was generated with cosign v1.12.1 on a private recently-installed Ubuntu 22.04.1 system with a single user and all available updates applied.
- The private key uses a long (more than 32 character) password generated locally by a password manager.
- The password-protected private key is stored in chezmoi's public GitHub repo.
- The private key's password is stored as a GitHub Actions secret and only available to the release step of the release job of the main workflow.
- The cosign public key is included in the release assets and also uploaded to https://chezmoi.io/cosign.pub. Since https://chezmoi.io is served by GitHub pages, it probably has equivalent security to chezmoi's GitHub Releases page, which is also managed by GitHub.
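The consumer-side check that this signing scheme enables, as an added example (not chezmoi's own tooling): verify the cosign signature on the checksums file first, then compare the downloaded asset's SHA-256 with the signed entry. The file names passed in, the use of SHA-256, and the sha256sum-style "<hex>  <name>" layout of the checksums file are assumptions; the public key is the cosign.pub described above.

```shell
#!/bin/sh
# Added example. Arguments are caller-supplied paths (assumed names):
#   verify_release_asset cosign.pub <checksums> <checksums.sig> <asset>
verify_release_asset() {
    pubkey=$1; checksums=$2; signature=$3; asset=$4

    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
    for f in "$pubkey" "$checksums" "$signature" "$asset"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done

    # Step 1: trust the checksums file only after its signature verifies
    # against the project's cosign public key.
    if ! cosign verify-blob --key "$pubkey" --signature "$signature" "$checksums"; then
        echo "signature check failed: $checksums" >&2
        return 1
    fi

    # Step 2: find the asset's entry by exact file name. No match gives an
    # empty string, several matches give embedded newlines; both are rejected.
    name=$(basename "$asset")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$checksums")
    case $expected in
        "" | *[!0-9a-f]*) echo "no unique entry for $name" >&2; return 1 ;;
    esac

    # Step 3: compare the local file's SHA-256 with the signed value.
    actual=$(sha256sum "$asset" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: $name" >&2
        return 1
    fi
    echo "verified: $name"
}
```

The order matters: a checksum match means nothing until the checksums file itself has passed signature verification.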