chore(deps): update dependency goreleaser to v2.15.4

[renovate]

This PR contains the following updates:

Package	Update	Change
goreleaser	minor	2.14.1 → 2.15.4

---

Release Notes

goreleaser/goreleaser (goreleaser)

v2.15.4

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.15.

Changelog

Bug fixes

• d077fe1: fix(build): allow explicit binary with ellipsis when single main (@​caarlos0)
• 3140abb: fix(build): set per-binary artifact IDs for ./... builds (@​caarlos0 and @​Copilot)
• eb11599: fix(deps): quill git-lfs (#​6577) (@​caarlos0)
• 343700b: fix(docker): install syft, cosign, docker, and docker-buildx from upstream releases (#​6576) (@​caarlos0, @​kevinburkesegment, and @​Copilot)
• 87b542b: fix(homebrew_cask): sha256 before url in per-arch blocks (@​kkd16)
• e35ff62: fix(rust): add arm- and armv7-unknown-linux-musleabihf build targets (#​6581) (@​mozzieongit)
• 03735a4: fix(rust): grouping of different arm version when creating archives (#​6582) (@​caarlos0)
• 1f86232: fix: gen-nix-licenses script (@​caarlos0)

Documentation updates

• 0136377: docs: clarify template vars (@​caarlos0 and @​SAY-5)
• b026ca9: docs: fix image URLs (@​caarlos0)
• fcc53cb: docs: fix image urls (#​6578) (@​caarlos0)
• 24df9ce: docs: fix include, prefix shortcodes to avoid collisions (@​caarlos0)
• 5b47f38: docs: fix version link when full version (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.15.3...v2.15.4

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord, Twitter, and Telegram!

v2.15.3

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.15.

Changelog

Security updates

• d1cdbb2: sec: prevent secret leaks in logs and improve redaction (@​caarlos0)

Bug fixes

• cba5b9f: fix(aur,krew,aursources): apply template to SkipUpload before checking its value (@​caarlos0)
• 4d1924d: fix(blob): evaluate template in provider before checking for S3 ACL support (@​caarlos0)
• 38577c6: fix(build): fix broken backtick and missing GOMIPS64 in --single-target help text (@​caarlos0)
• ff02d82: fix(build): prevent panic when command has single element (@​caarlos0)
• 2a10e3e: fix(bun): show original target in parse error, not trimmed version (@​caarlos0)
• 88daaf3: fix(changelog): prevent panic on negative abbrev values other than -1 (@​caarlos0)
• 6c7798f: fix(changelog): use %t instead of %b for bool in debug log format (@​caarlos0)
• f39c233: fix(checksums): prevent panic in sort when line has no double-space (@​caarlos0)
• f8e7ec9: fix(client): off-by-one in truncateReleaseBody (#​6534) (@​caarlos0)
• d788340: fix(docker): check evaluated Dockerfile template for emptiness, not raw template (@​caarlos0)
• 921e6cb: fix(docker): fix "did you mean?" suggestion always suggesting the input name itself (@​caarlos0)
• 9e9f87c: fix(docker): prevent panic in parsePlatform with missing arch (@​caarlos0)
• a0875e5: fix(docker): remove duplicate WithOutput in error wrapping (@​caarlos0)
• e7a4afa: fix(dockers/v2): digest log (@​caarlos0)
• 4a9d25f: fix(gitea): fix misleading 'using master' log when default branch lookup fails (@​caarlos0)
• 1ca21f0: fix(github): nil-guard resp in updateRelease before accessing Header (@​caarlos0)
• ff9035a: fix(http): remove double-close of response body in executeHTTPRequest (@​caarlos0)
• 50a034d: fix(nfpm): show correct value in content mtime parse error (@​caarlos0)
• 206120a: fix(opencollective): handle errors, more tests (#​6512) (@​caarlos0)
• e15276b: fix(partial): add missing ppc64le to archExtraEnvs map (@​caarlos0)
• a05ecb8: fix(partial): use GGOMIPS64/GOMIPS64 instead of GGOMIPS/GOMIPS for mips64/mips64le (@​caarlos0)
• f48613d: fix(redact): return 0 bytes written on underlying write failure (@​caarlos0)
• 44133de: fix(release): log correct repo name for GitLab and Gitea releases (@​caarlos0)
• e4262d5: fix(rust): glibc version stripping for gnueabi/gnueabihf targets (@​caarlos0)
• 889107f: fix(rust): show all workspace members in error message, not just first (@​caarlos0)
• 634a0cb: fix(rust): strip custom glibc version from target for rustup command (@​mozzieongit)
• 292203e: fix(sbom): use matched filename for artifact Name instead of glob pattern (@​caarlos0)
• 053c68a: fix(srpm): remove double close of package file (@​caarlos0)
• 0099417: fix(targz): close gzip reader in Copy (@​caarlos0)
• c2f16b9: fix(tmpl): return error instead of panicking on invalid filter regex (@​caarlos0)
• ed201bd: fix(winget): use filepath.Join instead of path.Join for local filesystem paths (@​caarlos0)
• a176567: fix: add retries everywhere possible (#​6528) (@​caarlos0)
• 6a19ea9: fix: better log (@​caarlos0)
• e09e23a: fix: check buildx for dockers v1 (#​6526) (@​caarlos0)
• be89f2a: fix: guard iterator bounds in gerrors Details (@​caarlos0)
• 8b77358: fix: handle io.ReadAll error in bodyOf instead of discarding it (@​caarlos0)
• 5042b84: fix: preserve original error details in git config extraction (@​caarlos0)
• 68ebdd7: fix: remove duplicate WithField in gitea client push logging (#​6532) (@​caarlos0)
• 60028b1: fix: replace recursive rateLimitChecker with single check and context-aware sleep (@​caarlos0)
• 7e7f9b2: fix: use Mattermost.Color instead of Teams.Color in mattermost pipe (#​6533) (@​caarlos0)
• e31f01d: fix: use typed structs for LinkedIn API responses (@​caarlos0)
• f236e07: refactor(http): remove global assetOpen mock pattern (@​caarlos0)
• 17d61b6: refactor(tests): simplify client tests with helpers (#​6537) (@​caarlos0)
• 3dba4a6: refactor: use io.WriteString (@​caarlos0)

Documentation updates

• 9ee7477: docs(rust): document ability to specify custom glibc version (@​mozzieongit)
• c4a137b: docs: Fix signature verification of checksum file (#​6513) (@​nicholasdille)
• 5a92c1d: docs: add v2.15 banner (@​caarlos0)
• e9c3a11: docs: ai usage guidelines (#​6525) (@​caarlos0)
• ad86abe: docs: fix output (@​caarlos0)
• 1171390: docs: regenerate favicons with transparent background (#​6521) (@​caarlos0)

Other work

• 035aafd: chore: go 1.26.2 (#​6547) (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.15.2...v2.15.3

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord, Twitter, and Telegram!

v2.15.2

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.15.

Changelog

Bug fixes

• b5eabc8: fix(checksum): exclude signature and certificates (@​caarlos0)

Documentation updates

• 5fc0e0e: docs: add Telegram channel alongside Twitter/social links (@​caarlos0 and @​Copilot)

Other work

• 8620b25: chore: fmt (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.15.1...v2.15.2

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord, Twitter, and Telegram!

v2.15.1

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.15.

Changelog

Bug fixes

• 87a55ea: fix: exclude signatures and certificates from sign pipe "all" filter (#​6509) (@​caarlos0 and @​Copilot)
• be844be: fix: retry git clone/push on transient network errors, clean up partial clones (#​6506) (@​Copilot and @​caarlos0)
• eb944f9: fix: retry snapcraft upload on 5xx error (#​6504) (@​Copilot and @​caarlos0)
• 5b156e9: refactor: fix modernize lint issues (#​6507) (@​alexandear)

Documentation updates

• ed46860: docs: announce v2.15 (@​caarlos0)
• 28e97e8: docs: v2.15 (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.15.0...v2.15.1

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

v2.15.0

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.15.

Changelog

New Features

• 8cf8e11: feat(builders/go): build ./..., better defaults (#​6457) (@​caarlos0)
• 9af5eed: feat(cask): add generate_completions_from_executable stanza support (#​6485) (@​caarlos0 and @​Copilot)
• e7fe177: feat(telegram): message thread id (#​6442) (@​caarlos0)
• 3f66a19: feat: added blake3 checksumming support (#​6412) (@​philocalyst)
• cdf9453: feat: flatpak (#​6448) (@​caarlos0)
• 1acc920: feat: retry go mod proxy on 404 with exponential backoff (#​6440) (@​Copilot and @​caarlos0)
• b888013: feat: source rpm support (#​6493) (@​caarlos0 and @​Copilot)

Bug fixes

• 928493f: fix(archive): use current binary for ExtraReplaces in skip (#​6499) (@​cuiweixie)
• c776812: fix(docker): check if --provenance and --sbom flags are available (#​6458) (@​caarlos0)
• 4e49e3a: fix(flatpak): singular (@​caarlos0)
• 612d843: fix(go): remove windows/arm from valid build targets (@​Sim-hu)
• 0b98cb5: fix(homebrew_cask): stanza order (#​6466) (@​caarlos0)
• 9cbb3c2: fix(homebrew_casks): use heredoc for cask caveats to handle shell metacharacters (#​6460) (@​Copilot and @​caarlos0)
• 6f074fe: fix(rust): cargo zigbuild targets with custom glibc version (#​6492) (@​caarlos0)
• d90710a: fix(snapcraft): correct channel template args in fmt.Errorf (#​6498) (@​cuiweixie)
• 75f9bf1: fix(telegram): make sure to close resp.body (@​caarlos0)
• 1ca5270: fix(telegram): message thread id is not required (@​caarlos0)
• 0a02951: fix: add flatpak to checksums and sign (@​caarlos0)
• 5bc053e: fix: better logs (@​caarlos0)
• 0944d9f: fix: consistent error outputs across all pipes (#​6441) (@​caarlos0 and @​Copilot)
• dd611ec: fix: filterOut returns excluded tag when multiple ignore_tags are set (#​6462) (@​abhay1999)
• 44a1887: fix: lint (@​caarlos0)
• 50fbf9e: fix: lint (@​caarlos0)
• 15a1d6b: refactor: add UploadableTypes canonical var and use it across pipes (#​6490) (@​caarlos0 and @​Copilot)

Documentation updates

• a9378e4: docs(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /www in the docs group (#​6454) (@​dependabot[bot])
• 600a886: docs(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /www in the docs group (#​6469) (@​dependabot[bot])
• fa067d1: docs: add lang icons (@​caarlos0)
• 855f02c: docs: better homepage (@​caarlos0)
• 3436aca: docs: button style (@​caarlos0)
• a70477d: docs: clarify .Binary (@​caarlos0)
• a4779e3: docs: fix 404 (@​caarlos0)
• 24b9187: docs: fix build (@​caarlos0)
• a52b714: docs: fix favicons (@​caarlos0)
• d6a070e: docs: fix nsis typo (@​caarlos0)
• 215ac6f: docs: fix static url (#​6478) (@​caarlos0)
• de75958: docs: hide screenshot on mobile (@​caarlos0)
• ecbce4c: docs: improve Contributing (@​caarlos0)
• 1f7c7f0: docs: language icons (@​caarlos0)
• fd46091: docs: less stars on mobile (@​caarlos0)
• 77bec10: docs: meta tags (@​caarlos0)
• 65216db: docs: new docs using hugo and hextra (#​6474) (@​caarlos0 and @​Copilot)
• 785776a: docs: new sponsors tool (@​caarlos0)
• 97c05b9: docs: semver docs improvements (@​caarlos0)
• 521d96f: docs: sponsor aliases (@​caarlos0)
• 1436d79: docs: sponsor links utm (@​caarlos0)
• 692fea6: docs: sponsors.md update (@​caarlos0)
• 399ef14: docs: udpate (@​caarlos0)
• bddeee6: fixup! docs: language icons (@​caarlos0)
• 367aa84: fixup! fixup! docs: language icons (@​caarlos0)

Other work

• 8cf0155: chore: note (@​caarlos0)
• d9a1447: chore: remove todo (@​caarlos0)
• b48220d: ci(deps): bump the actions group with 3 updates (#​6497) (@​dependabot[bot])
• 001e1ca: ci(deps): bump the actions group with 4 updates (#​6477) (@​dependabot[bot])
• b7fc219: ci(deps): bump the actions group with 5 updates (#​6453) (@​dependabot[bot])
• 0221846: ci(deps): bump the actions group with 7 updates (#​6470) (@​dependabot[bot])

Full Changelog: goreleaser/goreleaser@v2.14.3...v2.15.0

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

v2.14.3

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

Other work

• 7cc4509: chore: fix svu config (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v2.14.2...v2.14.3

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

v2.14.2

Compare Source

Announcement

Read the official announcement: Announcing GoReleaser v2.14.

Changelog

Bug fixes

• a5070ed: fix(sbom): fix Windows CI test failure in catalog_source_archives (@​caarlos0 and @​Copilot)
• 89d4957: fix(telegram): chat_id should be allowed in the @channelname form (@​caarlos0)
• 7089915: fix(telegram): improve default message template (@​caarlos0)
• 6a3f983: fix(upload): prevent sendFile race condition on Windows (@​caarlos0 and @​Copilot)
• 0c0906d: fix: go1.26.1 (@​caarlos0)
• 0dfb84b: fix: improve logs (@​caarlos0)
• 53dd3b7: fix: lint (@​caarlos0)

Documentation updates

• b2b85e0: docs(deps): bump mkdocs-material in /www in the docs group (@​dependabot[bot])
• 3227c59: docs(deps): bump mkdocs-material in /www in the docs group (@​dependabot[bot])
• a6aee4a: docs: fix badges (@​caarlos0)
• 3722f3c: docs: improve telegram docs (@​caarlos0)
• 43ce1c2: docs: telegram link (@​caarlos0)
• ed620f1: docs: update install.md (@​caarlos0)

Other work

• 7e53058: chore(ci): switch artifact attestations gen to actions/attest (@​scop)
• b8b56ef: chore: add .env to .gitignore (@​caarlos0)
• 0513ddb: chore: add comment (@​caarlos0)
• ec28ed7: ci(deps): bump the actions group with 11 updates (@​dependabot[bot])
• b51c2e8: ci(deps): bump the actions group with 7 updates (@​dependabot[bot])

Full Changelog: goreleaser/goreleaser@v2.14.1...v2.14.2

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[fossabot]

[fossabot]

✓ Safe to upgrade

I recommend merging this upgrade because it is a purely infrastructural change to the CI/CD release tooling with no impact on application source code. The most notable included change is a high-severity security fix that prevents secret leakage in build logs — directly relevant given this project's workflows inject GITHUB_TOKEN, DOCKER_PASSWORD, and DOCKER_USERNAME as environment secrets into goreleaser. The project's .goreleaser.yaml uses standard version: 2 schema features (builds, archives, brews, dockers, docker_manifests) that are unaffected by the 71 bug fixes and 7 new features bundled in this release. No breaking changes were detected that would impact the existing configuration.

Fix Suggestions

We identified 1 fixable issue in this upgrade.

• Update goreleaser version from '2.14.1' to '2.15.4' in all three GitHub Actions workflow files. Search for 'version: 2.14.1' (or 'version: "2.14.1"') in the goreleaser-action step and replace with 'version: 2.15.4' (or 'version: "2.15.4"') to align CI with the mise.toml pin.
  Run: sed -i 's/version: 2\.14\.1/version: 2.15.4/g' .github/workflows/development.yaml .github/workflows/prerelease.yaml .github/workflows/release.yaml
  Files: .github/workflows/development.yaml and 2 other files

AI Assistant Prompt

Copy prompt for AI assistant

## Dependency Upgrade: goreleaser 2.14.1 → 2.15.4

The project's `mise.toml` has already been updated to pin goreleaser 2.15.4, but the three GitHub Actions workflow files still reference version 2.14.1. Update them to match.

### What to change

In each of these files, find the `goreleaser/goreleaser-action` step and change the goreleaser version from `2.14.1` to `2.15.4`:

1. `.github/workflows/development.yaml`
2. `.github/workflows/prerelease.yaml`
3. `.github/workflows/release.yaml`

Search for `version: 2.14.1` (it may or may not be quoted) and replace with `version: 2.15.4`.

### Why

This aligns CI with the mise.toml pin and picks up a high-severity security fix that prevents secret leakage in build logs — important since these workflows inject `GITHUB_TOKEN`, `DOCKER_PASSWORD`, and `DOCKER_USERNAME` into goreleaser. No breaking changes affect the existing `.goreleaser.yaml` configuration.

Please make these changes now.

What we checked

• Configuration declares version: 2 schema, which remains valid in the target version. All directives used (builds, archives, brews, dockers, docker_manifests, snapshot, changelog, release) are stable v2 features with no detected breaking changes. ^[1]
• Tool version pinned to goreleaser = "2.15.4" — the target version of this upgrade — used when running goreleaser locally via scripts/build.sh and scripts/release.sh. ^[2]
• GitHub Actions workflow pins goreleaser to version: 2.14.1 (the current version). All three CI workflows reference this same version and will need updating to align with mise.toml. ^[3]
• Prerelease workflow pins version: 2.14.1. This workflow injects GITHUB_TOKEN as an environment variable — directly benefiting from the secret-redaction security fix included in the upgrade. ^[4]
• Release workflow pins version: 2.14.1 and injects both GITHUB_TOKEN and Docker Hub credentials (DOCKER_USERNAME, DOCKER_PASSWORD) as environment secrets. The security fix preventing secret leaks in logs is especially valuable here. ^[5]
• Local build script calls goreleaser check and goreleaser release --verbose --snapshot --clean directly, relying on the mise-managed goreleaser binary. No flags or subcommands used here have known breaking changes in the target version. ^[6]
• Release script invokes goreleaser --debug release --clean. The --debug flag and release subcommand remain fully supported in the target version. ^[7]
• Security fix: sec: prevent secret leaks in logs and improve redaction — this fix is included in the target version, making it a positive signal for upgrading. It directly mitigates risk of secrets like GITHUB_TOKEN and Docker Hub credentials appearing in workflow logs. ^[8]

Dependency Usage

goreleaser is a build and release automation tool used exclusively within the project's CI/CD pipeline and build infrastructure — it has no presence in application source code. It is invoked across all three GitHub Actions workflows (development.yaml, prerelease.yaml, release.yaml) via the goreleaser/goreleaser-action and is also called directly in the scripts/build.sh and scripts/release.sh scripts managed through mise.toml. This dependency enables the project's entire binary distribution lifecycle, handling cross-compilation, artifact packaging, and publishing of releases (including snapshots for development builds and official releases for production), making it a critical — though purely infrastructural — component of the delivery pipeline.

• Configuration declares version: 2 schema, which remains valid in the target version. All directives used (builds, archives, brews, dockers, docker_manifests, snapshot, changelog, release) are stable v2 features with no detected breaking changes.
  .goreleaser.yaml:2
• Tool version pinned to goreleaser = "2.15.4" — the target version of this upgrade — used when running goreleaser locally via scripts/build.sh and scripts/release.sh.
  mise.toml:6

View 5 more usages

• GitHub Actions workflow pins goreleaser to version: 2.14.1 (the current version). All three CI workflows reference this same version and will need updating to align with mise.toml.
  .github/workflows/development.yaml:40
• Prerelease workflow pins version: 2.14.1. This workflow injects GITHUB_TOKEN as an environment variable — directly benefiting from the secret-redaction security fix included in the upgrade.
  .github/workflows/prerelease.yaml:32
• Release workflow pins version: 2.14.1 and injects both GITHUB_TOKEN and Docker Hub credentials (DOCKER_USERNAME, DOCKER_PASSWORD) as environment secrets. The security fix preventing secret leaks in logs is especially valuable here.
  .github/workflows/release.yaml:38
• Local build script calls goreleaser check and goreleaser release --verbose --snapshot --clean directly, relying on the mise-managed goreleaser binary. No flags or subcommands used here have known breaking changes in the target version.
  scripts/build.sh:10
• Release script invokes goreleaser --debug release --clean. The --debug flag and release subcommand remain fully supported in the target version.
  scripts/release.sh:11

Changes

Security: goreleaser was updated to patch a secret leak vulnerability where sensitive values were not properly redacted from logs. This release also includes 71 bug fixes addressing panics in changelog, docker, checksums, and tmpl pipes, race conditions in file uploads on Windows, resource leaks (double-closes, unclosed response bodies), and retry logic for transient network failures in git operations and snapcraft uploads.

• d1cdbb23fcca7de37bdf0e1316fd3e3884f9d224: sec: prevent secret leaks in logs and improve redaction (@​caarlos0) (v2.15.3, release notes)
• a5070ed2d4bd751e3abfc30c3e025ded2465b432: fix(sbom): fix Windows CI test failure in catalog_source_archives (@​caarlos0 and @​Copilot) (v2.14.2, release notes)
• 89d4957538bf5ba2c6ea1ec607249e5f7c010b0f: fix(telegram): chat_id should be allowed in the @​channelname form (@​caarlos0) (v2.14.2, release notes)

View 141 more changes

• 7089915a98555ca6afca9817df30aec83825aec5: fix(telegram): improve default message template (@​caarlos0) (v2.14.2, release notes)
• 6a3f983c7e7963dded48166185d205b6f31fc54a: fix(upload): prevent sendFile race condition on Windows (@​caarlos0 and @​Copilot) (v2.14.2, release notes)
• 0dfb84b03945a0b1499536e30bc5f1360de651bf: fix: improve logs (@​caarlos0) (v2.14.2, release notes)
• 928493f6ca1c728e1e3c5ee3598d004bfe7d0fd4: fix(archive): use current binary for ExtraReplaces in skip (#6499) (@​cuiweixie) (v2.15.0, release notes)
• c7768121ff1fa74a2df967d782b636e4ff4c4484: fix(docker): check if --provenance and --sbom flags are available (#6458) (@​caarlos0) (v2.15.0, release notes)
• 4e49e3afb78dafdc5ef46b79c555356dfda00c3a: fix(flatpak): singular (@​caarlos0) (v2.15.0, release notes)
• 612d843702991eeabd4cce424ea332cb3a62c53d: fix(go): remove windows/arm from valid build targets (@​Sim-hu) (v2.15.0, release notes)
• 0b98cb57c95a8257baf1cb94ae040986897589d8: fix(homebrew_cask): stanza order (#6466) (@​caarlos0) (v2.15.0, release notes)
• 9cbb3c2e2b63499bd9531a28deaeb4cf17790b97: fix(homebrew_casks): use heredoc for cask caveats to handle shell metacharacters (#6460) (@​Copilot and @​caarlos0) (v2.15.0, release notes)
• 6f074fe80b75b2db5009eb8b3e6d92e8412b8f43: fix(rust): cargo zigbuild targets with custom glibc version (#6492) (@​caarlos0) (v2.15.0, release notes)
• d90710af19c1e3ffe1aa3c0d605fda2b8c0ad943: fix(snapcraft): correct channel template args in fmt.Errorf (#6498) (@​cuiweixie) (v2.15.0, release notes)
• 75f9bf1405400ffb65cfeff42b2dee0492149261: fix(telegram): make sure to close resp.body (@​caarlos0) (v2.15.0, release notes)
• 1ca52706b27398727de3aa68ad8bf2b8acf2e149: fix(telegram): message thread id is not required (@​caarlos0) (v2.15.0, release notes)
• 0a02951366dfecdf113f8a22d3462888d8e646da: fix: add flatpak to checksums and sign (@​caarlos0) (v2.15.0, release notes)
• 5bc053e067e127f0167cf6b9f1e3998734e4603d: fix: better logs (@​caarlos0) (v2.15.0, release notes)
• 0944d9f59ea63a867d8cd3cb9c226b1f3be47bc0: fix: consistent error outputs across all pipes (#6441) (@​caarlos0 and @​Copilot) (v2.15.0, release notes)
• dd611ec90c08797429dbb93c1603bd2995fc9619: fix: filterOut returns excluded tag when multiple ignore_tags are set (#6462) (@​abhay1999) (v2.15.0, release notes)
• 215ac6f9814cd7db0753f602cb34654f8ff5ccb6: docs: fix static url (#6478) (@​caarlos0) (v2.15.0, release notes)
• 87a55ea68fabc19de9f8ad317b882b322e5b6b04: fix: exclude signatures and certificates from sign pipe "all" filter (#6509) (@​caarlos0 and @​Copilot) (v2.15.1, release notes)
• be844be78740a5b509cf1894b5f81505c1ba60c8: fix: retry git clone/push on transient network errors, clean up partial clones (#6506) (@​Copilot and @​caarlos0) (v2.15.1, release notes)
• eb944f9b8df174f484e7fb0af8eced98c3097f9f: fix: retry snapcraft upload on 5xx error (#6504) (@​Copilot and @​caarlos0) (v2.15.1, release notes)
• b5eabc8938efc9a7f691c9f96767fe8da12ff0fe: fix(checksum): exclude signature and certificates (@​caarlos0) (v2.15.2, release notes)
• cba5b9fc84d21536de7aae89be56e1241c734844: fix(aur,krew,aursources): apply template to SkipUpload before checking its value (@​caarlos0) (v2.15.3, release notes)
• 4d1924d3dd5c85e0ddaecc0c049390bcc702b32e: fix(blob): evaluate template in provider before checking for S3 ACL support (@​caarlos0) (v2.15.3, release notes)
• 38577c607e7a06c5207ae4831f112f722dfcb95c: fix(build): fix broken backtick and missing GOMIPS64 in --single-target help text (@​caarlos0) (v2.15.3, release notes)
• ff02d82d90acf321ea7f361a2a71b41aa2cd259e: fix(build): prevent panic when command has single element (@​caarlos0) (v2.15.3, release notes)
• 2a10e3edf6d1883b59f0b2573dacb9dc5df24bb5: fix(bun): show original target in parse error, not trimmed version (@​caarlos0) (v2.15.3, release notes)
• 88daaf34fc39dcb5a4bfb4d3385dfff5acedbc24: fix(changelog): prevent panic on negative abbrev values other than -1 (@​caarlos0) (v2.15.3, release notes)
• 6c7798f7183ab88137e41d510ae5822fa5676965: fix(changelog): use %t instead of %b for bool in debug log format (@​caarlos0) (v2.15.3, release notes)
• f39c23383313f4633dccb1c1c4b7181add3c69f0: fix(checksums): prevent panic in sort when line has no double-space (@​caarlos0) (v2.15.3, release notes)
• f8e7ec99186d3d4f2b81381c8f2f779938058623: fix(client): off-by-one in truncateReleaseBody (#6534) (@​caarlos0) (v2.15.3, release notes)
• d7883409bb192fc9f8ad1d69c7546d0519cce1df: fix(docker): check evaluated Dockerfile template for emptiness, not raw template (@​caarlos0) (v2.15.3, release notes)
• 921e6cbb71ff9f17888bc50e2b97c4238e68d68e: fix(docker): fix "did you mean?" suggestion always suggesting the input name itself (@​caarlos0) (v2.15.3, release notes)
• 9e9f87cb14664df55e821ab60f21d8583a91f9dd: fix(docker): prevent panic in parsePlatform with missing arch (@​caarlos0) (v2.15.3, release notes)
• a0875e57d1fa6db8128fa44eaf5231f58433f19c: fix(docker): remove duplicate WithOutput in error wrapping (@​caarlos0) (v2.15.3, release notes)
• e7a4afa60ec87e60984c5a0c96824cd6dd3bd1af: fix(dockers/v2): digest log (@​caarlos0) (v2.15.3, release notes)
• 4a9d25f5dbd1c64f99a5ffa72886d3389812bbd3: fix(gitea): fix misleading 'using master' log when default branch lookup fails (@​caarlos0) (v2.15.3, release notes)
• 1ca21f0effe7287cb7a16d237023eb8cb668bcba: fix(github): nil-guard resp in updateRelease before accessing Header (@​caarlos0) (v2.15.3, release notes)
• ff9035a872c0a9c989e6081fab1c89569cafaa87: fix(http): remove double-close of response body in executeHTTPRequest (@​caarlos0) (v2.15.3, release notes)
• 50a034dd0f1cf04c625da560bb35765b714bc30e: fix(nfpm): show correct value in content mtime parse error (@​caarlos0) (v2.15.3, release notes)
• 206120a80e9997c1761e296ad6c4f2c29dd61bf7: fix(opencollective): handle errors, more tests (#6512) (@​caarlos0) (v2.15.3, release notes)
• e15276bb19593afdfe8cf3d5239e6399b0aa625e: fix(partial): add missing ppc64le to archExtraEnvs map (@​caarlos0) (v2.15.3, release notes)
• a05ecb82865f9239270ed1c8b628ced4587f8172: fix(partial): use GGOMIPS64/GOMIPS64 instead of GGOMIPS/GOMIPS for mips64/mips64le (@​caarlos0) (v2.15.3, release notes)
• f48613d9a8f169ff84163878a1dbce46da45f55a: fix(redact): return 0 bytes written on underlying write failure (@​caarlos0) (v2.15.3, release notes)
• 44133de0edf43fa97af11a3871534b8594fa6bc3: fix(release): log correct repo name for GitLab and Gitea releases (@​caarlos0) (v2.15.3, release notes)
• e4262d5d00599b2bb20a7e521cd5ece75387ef41: fix(rust): glibc version stripping for gnueabi/gnueabihf targets (@​caarlos0) (v2.15.3, release notes)
• 889107f3ce52968b863ab84f51cbceb2c0ed53fc: fix(rust): show all workspace members in error message, not just first (@​caarlos0) (v2.15.3, release notes)
• 634a0cbf273ad6b26c1deff171c3d046845a5281: fix(rust): strip custom glibc version from target for rustup command (@​mozzieongit) (v2.15.3, release notes)
• 292203e5aa5cba7fef49f0ef2aefb64aea148fcc: fix(sbom): use matched filename for artifact Name instead of glob pattern (@​caarlos0) (v2.15.3, release notes)
• 053c68a05c006c3ab4e7e5c73eb6bf9877b09154: fix(srpm): remove double close of package file (@​caarlos0) (v2.15.3, release notes)
• 0099417f305938d022f94efadf0e3a71a9eca1e4: fix(targz): close gzip reader in Copy (@​caarlos0) (v2.15.3, release notes)
• c2f16b97f02364434fd61f487fc8c5f23dc445a6: fix(tmpl): return error instead of panicking on invalid filter regex (@​caarlos0) (v2.15.3, release notes)
• ed201bdefb81b97377f7f8766e3966d18304087a: fix(winget): use filepath.Join instead of path.Join for local filesystem paths (@​caarlos0) (v2.15.3, release notes)
• a176567869ad67dbac690a4632d853b3b85965c2: fix: add retries everywhere possible (#6528) (@​caarlos0) (v2.15.3, release notes)
• 6a19ea9092d89b2d00f3f403ac693135a3dff6fb: fix: better log (@​caarlos0) (v2.15.3, release notes)
• e09e23a71c820afbb9f5144666a25ad50616c04c: fix: check buildx for dockers v1 (#6526) (@​caarlos0) (v2.15.3, release notes)
• be89f2a6439970eded91463b6b70475738e3b3cf: fix: guard iterator bounds in gerrors Details (@​caarlos0) (v2.15.3, release notes)
• 8b77358c4e06d3fd1d0a72372cc22f6509dfb7c8: fix: handle io.ReadAll error in bodyOf instead of discarding it (@​caarlos0) (v2.15.3, release notes)
• 5042b84f120e5c2c48d110ffcce3bba1259f2761: fix: preserve original error details in git config extraction (@​caarlos0) (v2.15.3, release notes)
• 68ebdd7de05ae4cf3119e70562437a9fd8787327: fix: remove duplicate WithField in gitea client push logging (#6532) (@​caarlos0) (v2.15.3, release notes)
• 60028b19eb6845164ed7bac541032efe1b07fe14: fix: replace recursive rateLimitChecker with single check and context-aware sleep (@​caarlos0) (v2.15.3, release notes)
• 7e7f9b276bf4eda3e339131075c9b77ea040d887: fix: use Mattermost.Color instead of Teams.Color in mattermost pipe (#6533) (@​caarlos0) (v2.15.3, release notes)
• e31f01d110a1868791a2b8d3d150e8b52fa9ae59: fix: use typed structs for LinkedIn API responses (@​caarlos0) (v2.15.3, release notes)
• d077fe1cfc533bf5351c2d0993ac32d7f59bcdb3: fix(build): allow explicit binary with ellipsis when single main (@​caarlos0) (v2.15.4, release notes)
• 3140abb162e23ff77ebf27ca4094c6f7bdbd6c47: fix(build): set per-binary artifact IDs for ./... builds (@​caarlos0 and @​Copilot) (v2.15.4, release notes)
• 87b542bc0d7c31942154d1f9df1e3e15f1c7d7d9: fix(homebrew_cask): sha256 before url in per-arch blocks (@​kkd16) (v2.15.4, release notes)
• 03735a41036a25f03662cd75e169458403c64fc3: fix(rust): grouping of different arm version when creating archives (#6582) (@​caarlos0) (v2.15.4, release notes)
• 1f8623275212b1482ae230ba06f05fa898bb52e0: fix: gen-nix-licenses script (@​caarlos0) (v2.15.4, release notes)
• 24df9cef7dfd7b678f65ad7d844a536263e6ef01: docs: fix include, prefix shortcodes to avoid collisions (@​caarlos0) (v2.15.4, release notes)
• 8cf8e11c97e1a88a736ec8c7d63d6d98c80b9912: feat(builders/go): build ./..., better defaults (#6457) (@​caarlos0) (v2.15.0, release notes)
• 9af5eeda5f79a977fa36a851d4b01472c5bb0577: feat(cask): add generate_completions_from_executable stanza support (#6485) (@​caarlos0 and @​Copilot) (v2.15.0, release notes)
• e7fe1779fbbe471df5221b35a4aba4b2856552f8: feat(telegram): message thread id (#6442) (@​caarlos0) (v2.15.0, release notes)
• 3f66a19c1219d9fe302a9ed49674496d0e7392c7: feat: added blake3 checksumming support (#6412) (@​philocalyst) (v2.15.0, release notes)
• cdf9453a91adda00bb42c67d32f2e2beee52bd72: feat: flatpak (#6448) (@​caarlos0) (v2.15.0, release notes)
• 1acc9207097d75ccbfebc480dcde2f6342ff6cb0: feat: retry go mod proxy on 404 with exponential backoff (#6440) (@​Copilot and @​caarlos0) (v2.15.0, release notes)
• b888013a8f0e4c4dfc064e68a1280577c41a5124: feat: source rpm support (#6493) (@​caarlos0 and @​Copilot) (v2.15.0, release notes)
• 0c0906d5c66482ac750f5508c324f3020280da85: fix: go1.26.1 (@​caarlos0) (v2.14.2, release notes)
• 53dd3b7290d3913c652ff3a6a913ec30ab8acc49: fix: lint (@​caarlos0) (v2.14.2, release notes)
• b2b85e07e619b7fe7bd21a5666b8db20cb0caea4: docs(deps): bump mkdocs-material in /www in the docs group (@​dependabot[bot]) (v2.14.2, release notes)
• a6aee4ae99a481cbb8932e480f03e9cbeab3bd26: docs: fix badges (@​caarlos0) (v2.14.2, release notes)
• 3722f3c67f9630170f141a2d1555dc61fc2d3976: docs: improve telegram docs (@​caarlos0) (v2.14.2, release notes)
• 43ce1c231759a9d53b3aab77aab6c44d6d3a7db6: docs: telegram link (@​caarlos0) (v2.14.2, release notes)
• ed620f1557b33fe3029cb4f6b91dc53b7b00dc1d: docs: update install.md (@​caarlos0) (v2.14.2, release notes)
• 7e5305831e946fefc0d069ad9f7e0dc11e5fe668: chore(ci): switch artifact attestations gen to actions/attest (@​scop) (v2.14.2, release notes)
• b8b56ef89a6338e241c39eed6cb807ba02ebc4ad: chore: add .env to .gitignore (@​caarlos0) (v2.14.2, release notes)
• 0513ddbd12616b6494fcb8c9911c01970159323d: chore: add comment (@​caarlos0) (v2.14.2, release notes)
• ec28ed71dfabed8fd695a4a8de2d53accf257bf8: ci(deps): bump the actions group with 11 updates (@​dependabot[bot]) (v2.14.2, release notes)
• Find examples and commented usage of all options in our website. (v2.14.2, release notes)
• Reach out on Discord and Twitter! (v2.14.2, release notes)
• 7cc45095d4e0bebd44c8d2bbf97823856405cfd7: chore: fix svu config (@​caarlos0) (v2.14.3, release notes)
• 15a1d6bf5b94a7de76d4adc509d2bf91d2a3092e: refactor: add UploadableTypes canonical var and use it across pipes (#6490) (@​caarlos0 and @​Copilot) (v2.15.0, release notes)
• a9378e420c24f3bffa2becdddf9d0dd1f104dc77: docs(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /www in the docs group (#6454) (@​dependabot[bot]) (v2.15.0, release notes)
• fa067d157eea10efe07e88c6fab435193ba0ed5f: docs: add lang icons (@​caarlos0) (v2.15.0, release notes)
• 855f02c78586b97605dded5f4ab9ffb20d8ec3ab: docs: better homepage (@​caarlos0) (v2.15.0, release notes)
• 3436acabb9ec88414a53d7ae85787bea96e80323: docs: button style (@​caarlos0) (v2.15.0, release notes)
• a70477d8490244dcb1fd07dc734a1f6ffc64f642: docs: clarify .Binary (@​caarlos0) (v2.15.0, release notes)
• a4779e30097c6b6a6bcd1d28047be649e02ea0f5: docs: fix 404 (@​caarlos0) (v2.15.0, release notes)

View 44 more changes in the full analysis

References (8)

[1]: Configuration declares version: 2 schema, which remains valid in the target version. All directives used (builds, archives, brews, dockers, docker_manifests, snapshot, changelog, release) are stable v2 features with no detected breaking changes.

go-jsonschema/.goreleaser.yaml

Line 2 in 0d4db47

version: 2

[2]: Tool version pinned to goreleaser = "2.15.4" — the target version of this upgrade — used when running goreleaser locally via scripts/build.sh and scripts/release.sh.

go-jsonschema/mise.toml

Line 6 in 0d4db47

goreleaser = "2.15.4"

[3]: GitHub Actions workflow pins goreleaser to version: 2.14.1 (the current version). All three CI workflows reference this same version and will need updating to align with mise.toml.

go-jsonschema/.github/workflows/development.yaml

Line 40 in 0d4db47

version: 2.14.1

[4]: Prerelease workflow pins version: 2.14.1. This workflow injects GITHUB_TOKEN as an environment variable — directly benefiting from the secret-redaction security fix included in the upgrade.

go-jsonschema/.github/workflows/prerelease.yaml

Line 32 in 0d4db47

version: 2.14.1

[5]: Release workflow pins version: 2.14.1 and injects both GITHUB_TOKEN and Docker Hub credentials (DOCKER_USERNAME, DOCKER_PASSWORD) as environment secrets. The security fix preventing secret leaks in logs is especially valuable here.

go-jsonschema/.github/workflows/release.yaml

Line 38 in 0d4db47

version: 2.14.1

[6]: Local build script calls goreleaser check and goreleaser release --verbose --snapshot --clean directly, relying on the mise-managed goreleaser binary. No flags or subcommands used here have known breaking changes in the target version.

go-jsonschema/scripts/build.sh

Line 10 in 0d4db47

goreleaser check

[7]: Release script invokes goreleaser --debug release --clean. The --debug flag and release subcommand remain fully supported in the target version.

go-jsonschema/scripts/release.sh

Line 11 in 0d4db47

goreleaser --debug release --clean

[8]: Security fix: sec: prevent secret leaks in logs and improve redaction — this fix is included in the target version, making it a positive signal for upgrading. It directly mitigates risk of secrets like GITHUB_TOKEN and Docker Hub credentials appearing in workflow logs. (source link)

---

fossabot analyzed this PR using dependency research. View this analysis on the web