Releases are managed with goreleaser, providing automated builds, packaging, and distribution across multiple platforms.

Testing a Release

To build a test release without publishing (Ubuntu Linux only), first ensure that the musl-tools and snapcraft packages are installed:
sudo apt-get install musl-tools snapcraft
Then run:
make test-release
This creates a local build with all distribution formats but skips publishing and code signing.

Publishing a Release

Publish a new release by creating and pushing a tag:
git tag v1.2.3
git push --tags
This triggers a GitHub Action that:
  1. Builds archives, packages, and snaps for all supported platforms
  2. Creates a new GitHub Release
  3. Publishes to package repositories
  4. Deploys the website

Distribution Channels

Snaps

Publishing Snaps requires a SNAPCRAFT_STORE_CREDENTIALS repository secret.

Credential Expiration

Snapcraft store credentials expire periodically. When they have expired, the release GitHub Action reports:
Run snapcraft whoami
Store operation failed:
- macaroon-authorization-required: The request is missing an Authorization header field containing a valid macaroon

Refreshing Credentials

Create new snapcraft store credentials by running:
snapcraft export-login --snaps=chezmoi --channels=stable,candidate,beta,edge --acls=package_upload -
This command requires an Ubuntu machine with snapcraft installed and a keyring, which is typically not available over SSH connections.
Log in to a GNOME session on an Ubuntu machine and run:
sudo snap install --classic snapcraft
snapcraft login

Homebrew

Homebrew automation automatically detects new releases of chezmoi within a few hours and opens a pull request in github.com/Homebrew/homebrew-core to bump the version. If needed, the pull request can be created manually:
brew bump-formula-pr --tag=v1.2.3 chezmoi

Scoop

chezmoi is in Scoop’s Main bucket. Scoop’s automation automatically detects new releases within a few hours.

Signing

chezmoi uses GoReleaser’s support for signing to sign the checksums of its release assets with cosign.

Security Details

  • The cosign private key was generated with cosign v1.12.1
  • Generated on a private recently-installed Ubuntu 22.04.1 system
  • Single user system with all available updates applied
  • The private key uses a long (more than 32 character) password
  • Password generated locally by a password manager
  • The password-protected private key is stored in chezmoi’s public GitHub repo
  • The private key’s password is stored as a GitHub Actions secret
  • Only available to the release step of the release job of the main workflow

Verifying Releases

Users can verify release checksums using cosign:
# Download the public key
curl -O https://chezmoi.io/cosign.pub

# Verify the checksums
cosign verify-blob \
  --key cosign.pub \
  --signature chezmoi_${VERSION}_checksums.txt.sig \
  chezmoi_${VERSION}_checksums.txt
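
The signature covers only the checksums file, so a downloaded asset still has to be compared against that file once the signature has verified. The shell functions below are an added example, not part of chezmoi's release tooling, that chain the two checks. The function names are hypothetical, and the example assumes the checksums file uses the sha256sum line format and that cosign.pub, the signature and the checksums file are in the current directory.

```shell
#!/bin/sh
# Added example, not part of chezmoi's release tooling. Function names are
# hypothetical. Assumes sha256sum-format lines: "<hex digest>  <filename>".

# Print the SHA-256 hex digest of a file (sha256sum, or shasum as a fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    out=$(sha256sum < "$1") || return 1
  else
    out=$(shasum -a 256 < "$1") || return 1
  fi
  printf '%s\n' "${out%% *}"
}

# Step 1: the cosign command from this page; $1 is VERSION as in the file names.
verify_checksums_signature() {
  cosign verify-blob \
    --key cosign.pub \
    --signature "chezmoi_${1}_checksums.txt.sig" \
    "chezmoi_${1}_checksums.txt"
}

# Step 2: check one downloaded asset against the checksums file.
# Fails if the file is unlisted, listed more than once, or its digest differs.
verify_asset() {
  checksums=$1
  asset=$2
  [ -f "$checksums" ] && [ -f "$asset" ] || return 2
  name=$(basename -- "$asset")
  expected=$(awk -v n="$name" '
    $2 == n || $2 == ("*" n) { digest = $1; hits++ }
    END { if (hits == 1) print digest; else exit 1 }' "$checksums") || return 1
  actual=$(sha256_of "$asset") || return 1
  [ "$expected" = "$actual" ]
}

# Both steps in order: the checksums file is used only after its signature verifies.
verify_release() {
  verify_checksums_signature "$1" &&
    verify_asset "chezmoi_${1}_checksums.txt" "$2"
}
# Usage: verify_release "$VERSION" <path to downloaded asset>
```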

Release Checklist

Before creating a release:
  • All tests pass on main branch
  • Documentation is up to date
  • CHANGELOG is updated
  • Version number follows semantic versioning
  • No open critical issues
After creating a release:
  • GitHub Release is created successfully
  • All distribution formats are available
  • Checksums are signed
  • Website is deployed
  • Package repositories are updated
