Releases are managed with
To build a test release without publishing (Ubuntu Linux only), first ensure the
snapcraft packages are installed:
$ sudo apt-get install musl-tools snapcraft
$ make test-release
Publish a new release by creating and pushing a tag, for example:
$ git tag v1.2.3
$ git push --tags
Snapcraft store credentials periodically expire. Create new snapcraft store credentials by running:
$ snapcraft export-login --snaps=chezmoi --channels=stable,candidate,beta,edge --acls=package_upload -
If needed, the pull request can be created with:
$ brew bump-formula-pr --tag=v1.2.3 chezmoi
chezmoi is in Scoop's Main bucket. Scoop's automation will automatically detect new releases within a few hours.
The cosign private key was generated with cosign v1.12.1 on a private recently-installed Ubuntu 22.04.1 system with a single user and all available updates applied.
The private key uses a long (more than 32 character) password generated locally by a password manager.
The password-protected private key is stored in chezmoi's public GitHub repo.
The private key's password is stored as a GitHub Actions secret and only available to the release job of the
The cosign public key is included in the release assets and also uploaded to
https://chezmoi.io is served by GitHub Pages, so it probably has equivalent security to chezmoi's GitHub Releases page, which is also managed by GitHub.
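
A downstream check that uses the public key described above, as an added example that is not part of chezmoi's own documentation or tooling. It assumes the release ships a SHA-256 checksum file with a detached cosign signature; the function name verify_release and all file names passed to it are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded release asset against a cosign-signed
# checksum file. The file layout is an assumption, not taken from the page.

# verify_release PUBKEY CHECKSUMS SIGNATURE ASSET
# Returns 0 only if the checksum file's signature verifies under PUBKEY
# and ASSET's SHA-256 matches its entry in that checksum file.
verify_release() {
    pubkey=$1
    checksums=$2
    signature=$3
    asset=$4

    for f in "$pubkey" "$checksums" "$signature" "$asset"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done

    # Step 1: authenticate the checksum list before trusting any hash in it.
    if ! cosign verify-blob --key "$pubkey" --signature "$signature" \
            "$checksums" >/dev/null 2>&1; then
        echo "signature check failed for $checksums" >&2
        return 1
    fi

    # Step 2: find the expected hash by exact file name (text or binary mode).
    name=$(basename "$asset")
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == "*" n { print $1; exit }' "$checksums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }

    # Step 3: compare against the hash of the file actually downloaded.
    actual=$(sha256sum "$asset" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    echo "verified: $name"
}
```

The order matters: a hash that matches an unauthenticated checksum file proves nothing, so the function fails closed if the signature step fails or the asset has no entry.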