Announcing GoReleaser v2.17
A packaging and verification release: Windows .msix packages, RISC-V 64
packaging through nFPM v2.47, post-release verification, and templated
Dockerfiles in dockers_v2.
Windows MSIX packages
GoReleaser can now build Windows .msix packages through the nfpms pipe.
This wires up nfpm’s MSIX packager, and started as @umaidshahid’s work in #6647. Thanks!
A single nfpms entry can list both Linux formats and msix: GoReleaser feeds
Windows binaries to the msix format and Linux binaries to the others, so each
binary ends up only in the package that matches its platform.

    nfpms:
      - formats: [deb, rpm, msix]
        msix:
          publisher: "CN=MyCompany"
          properties:
            logo: ./assets/logo.png
          applications:
            - id: MyApp
              executable: myapp.exe

msix.publisher, msix.properties.logo, and at least one msix.applications
entry are required. Unlike the Linux formats, bindir doesn’t apply: binaries
always land at the root of the package, so each application’s executable is
simply the binary’s file name.
Warning
The msix format is experimental.
See the documentation for the full configuration reference, including identity, properties, and signing.
RISC-V 64 packages, via nFPM v2.47
GoReleaser now bundles nFPM v2.47.
The headline for packagers is RISC-V 64 support: if you build riscv64
binaries, GoReleaser can now turn them into .deb, .rpm, .apk, and the
other nFPM formats, with no extra configuration needed.

    builds:
      - goos: [linux]
        goarch: [riscv64]
    nfpms:
      - formats: [deb, rpm, apk]

The bump also carries the usual round of dependency and security updates that flow straight into GoReleaser.
See the nFPM release notes for the full list.
Soft-float and hard-float ARM builds
Go lets you append an optional floating-point ABI suffix to GOARM to control
the assembly emitted for variants with and without an FPU. You can now use that
suffix in your goarm targets:

    builds:
      - goarm:
          - "6,softfloat"
          - "7,hardfloat"

A new .Abi template field exposes the selected ABI (softfloat/hardfloat,
empty unless set). Only one ABI per GOARM version is supported, since the two
are indistinguishable once packaged, and ignore matches the exact form you
wrote (goarm: 7 ignores a bare 7 target, not 7,softfloat).
Thanks to Marvin Drees for contributing this.
See the documentation for more details.
Templated Dockerfiles and build retries in dockers_v2
dockers_v2 gains two options ported from the v1 dockers pipe:
templated_dockerfile and templated_extra_files.
templated_dockerfile renders a Dockerfile as a template before building, and
its rendered content is also used to resolve the .BaseImage and
.BaseImageDigest annotations. templated_extra_files renders source files as
templates before copying them into the build context.
Docker builds can also be retried now, which helps with flaky registries and transient network failures.

    dockers_v2:
      - images:
          - myuser/myimage
        templated_dockerfile: Dockerfile.tmpl
        templated_extra_files:
          - src: config.yml.tmpl
            dst: config.yml
        retry:
          attempts: 5
          delay: 5s

See the documentation for more details.
Post-release verification
The new verify pipe and goreleaser verify command re-download your published
release assets from their public URLs and run your verification commands against
them.
This catches the failures that happen after everything “succeeded”: broken or truncated uploads, bad signatures, and CDN propagation issues.
It is opt-in (add a verify section to enable it) and runs automatically at
the end of goreleaser release and goreleaser publish, right before
announcing. You can skip it with --skip=verify, or run it on its own against a
previously prepared dist directory with goreleaser verify.

    verify:
      commands:
        - cmd: sha256sum
          args: ["-c", "{{ .ProjectName }}_{{ .Version }}_checksums.txt"]

Commands can run once in the download directory, once per asset, or once per published image, so verifying blob and image signatures with cosign is a matter of a couple more commands.
See the documentation for the full configuration reference.
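The checksum step above, worked through as an added example (not GoReleaser's own code): a script of the kind a verify command could call, which also flags files that the checksums file does not list, something `sha256sum -c` alone does not report. The project name, version, asset names and file contents are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not GoReleaser code). Names and file contents are constructed.
SUMS=myapp_1.2.3_checksums.txt   # assumed: ProjectName=myapp, Version=1.2.3

# verify_assets DIR SUMS
# returns 0 = all good, 1 = listed file changed/truncated/missing,
#         2 = a file in DIR is not covered by the checksums file
verify_assets() {
  _dir=$1; _sums=$2
  (cd "$_dir" && sha256sum -c "$_sums" >/dev/null 2>&1) || return 1
  # sha256sum -c only checks listed files, so look for unlisted ones too.
  for _f in "$_dir"/*; do
    _f=${_f##*/}
    [ "$_f" = "$_sums" ] && continue
    awk -v n="$_f" '{ sub(/^[0-9a-fA-F]+ [ *]/, "") } $0 == n { ok = 1 }
      END { exit !ok }' "$_dir/$_sums" || return 2
  done
  return 0
}

# make_sample: constructed stand-in for a directory of re-downloaded assets.
make_sample() {
  _d=$(mktemp -d)
  printf 'linux build\n'   > "$_d/myapp_1.2.3_linux_amd64.tar.gz"
  printf 'windows build\n' > "$_d/myapp_1.2.3_windows_amd64.zip"
  (cd "$_d" && sha256sum *.tar.gz *.zip > "$SUMS")
  echo "$_d"
}

dir=$(make_sample)
rc=0; verify_assets "$dir" "$SUMS" || rc=$?
echo "intact release:  exit $rc"
printf 'linux' > "$dir/myapp_1.2.3_linux_amd64.tar.gz"   # simulate truncation
rc=0; verify_assets "$dir" "$SUMS" || rc=$?
echo "truncated asset: exit $rc"
rm -rf "$dir"
```

A checksums file fetched from the same location as the assets only detects corruption in transit or storage; detecting tampering needs the signature checks mentioned above.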
Fallback license keys
The --key flag can now be set multiple times. GoReleaser tries each key in
order and uses the first one that validates.
This is mainly useful with offline (air-gapped) license keys: you can provide your offline key and fall back to the regular online check in case the offline key is stale, for example if you renewed your license but forgot to regenerate the offline key.

    goreleaser release --key goreleaser.key --key "your-online-key"

If no --key flag is provided, GoReleaser still falls back to the
GORELEASER_KEY environment variable, as before.
See the documentation for more details.
Other updates
- builds: reject empty target strings; return a proper error when go.mod is unreadable
- default the pull request branch name for homebrew_casks, scoop, nix, winget, and krew
- skip the GitHub merge-upstream sync when the target repo isn’t a fork
- scm: allow a custom token on the release repository
- winget: configure the manifest locale via default_locale (defaults to en-US)
- nfpm: produce a valid arch for Termux packages
- mcp: clean the subfolder path
- dependencies: Go 1.26.4; golang.org/x/net and go-pkcs12 security updates; dropped the docker/docker dependency
- pro/templates: new .Dist template variable with the absolute path to the dist directory
- pro/dockers_v2: hooks now honor the if field
- pro/npm: use a universal archive for darwin arm64 and amd64
Other news
- GoReleaser now has ~15.9k stars and 474 contributors! Thanks, everyone!
- You can follow release updates on our Telegram channel.
- We’ve decided to close our Discord server; please use GitHub Discussions instead.
- nFPM had new releases as well, check it out.
Download
You can install or upgrade using your favorite package manager, or see the full release notes and download the pre-compiled binaries from GitHub:
Install v2.17.0 (OSS) v2.17.0 (Pro)
Helping out
You can help by reporting issues, contributing features, documentation improvements, and bug fixes. You can also sponsor the project, or get a GoReleaser Pro license.