Open suzuki-shunsuke opened 1 month ago
https://github.com/aquaproj/aqua/blob/main/.goreleaser.yml
Maybe we can build assets by goreleaser build and release them by goreleaser release in another job.
Build:
--skip strings Skip the given options (valid options are: before, post-hooks, pre-hooks, validate)
Release:
--skip strings Skip the given options (valid options are announce, archive, aur, before, chocolatey, docker, homebrew, ko, nfpm, nix, notarize, publish, sbom, scoop, sign, snapcraft, validate, winget)
--snapshot Generate an unversioned snapshot release, skipping all validations and without publishing any artifacts (implies --skip=announce,publish,validate)
Separating build and sign and release may be a feature of GoReleaser Pro.
Now this workflow builds and releases assets using GoReleaser in the same job. But in terms of security, and to meet SLSA Level 3, we should separate build and release jobs.
One of the concerns is releases to Winget and Homebrew. I'm not sure if I can implement them without GoReleaser by myself.
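
A sketch of the split described in the post, as an added example (not aqua's workflow and not from the issue author): a read-only job runs `goreleaser build`, and a second job holding `contents: write` verifies checksums and publishes with `gh`. Job names, the artifact name and the packaging step are assumptions. It does not cover the Homebrew or Winget publishing raised above, and it does not generate SLSA provenance.

```yaml
# Added sketch, not aqua's workflow. Job and artifact names, and the
# dist/<target>/ layout produced by the GoReleaser config, are assumptions.
name: release
on:
  push:
    tags: ["v*"]
permissions: {}            # no default token scopes; each job opts in
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # cannot create releases or push
    outputs:
      digest: ${{ steps.pack.outputs.digest }}
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0, persist-credentials: false }
      - uses: actions/setup-go@v5
        with: { go-version-file: go.mod }
      - uses: goreleaser/goreleaser-action@v6
        with: { args: build --clean }
      - id: pack
        run: |
          mkdir out
          for d in dist/*/; do tar -czf "out/$(basename "$d").tar.gz" -C "$d" .; done
          (cd out && sha256sum -- *.tar.gz > checksums.txt)
          echo "digest=$(sha256sum out/checksums.txt | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with: { name: release-assets, path: out/ }
  release:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write      # the only job allowed to publish
    steps:
      - uses: actions/download-artifact@v4
        with: { name: release-assets, path: out }
      - name: Verify the hand-off, then publish
        working-directory: out
        env:
          GH_TOKEN: ${{ github.token }}
          EXPECTED: ${{ needs.build.outputs.digest }}
        run: |
          echo "$EXPECTED  checksums.txt" | sha256sum --check --strict
          sha256sum --check --strict checksums.txt
          gh release create "$GITHUB_REF_NAME" --repo "$GITHUB_REPOSITORY" \
            --verify-tag ./*.tar.gz checksums.txt
```

The digest check catches an artifact that was corrupted or swapped between jobs; it does not protect against a compromised build job, which controls both the artifact and the digest.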