.goreleaser: simplify and harden signing Pass envvar via stdin instead of writing to a file. Remove base64. Restrict secret to release-build environment. Co-Authored-By: sketch <hello@sketch.dev> Change-ID: saf0aa2158a183abek

commit: a50a3bf9e4b996498289df50744bdce09a59cc13 [log] [tgz]
author: Josh Bleecher Snyder <josharian@gmail.com> Mon Jul 14 19:40:48 2025 +0000
committer: Josh Bleecher Snyder <josharian@gmail.com> Mon Jul 14 13:18:34 2025 -0700
tree: 92194e1c19ef8805b1fc725cf74d54a919d99fb9
parent: 9b39aa66590f68f9039a8efc0c4e1917551016e6 [diff] [blame]
diff --git a/.goreleaser.yml b/.goreleaser.yml
index ddc4407..9957af1 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml

@@ -45,8 +45,9 @@
     cmd: selfupdatectl
     args:
       - "sign"
-      - "--private-key={{.Env.SELFUPDATE_PRIVKEY_PATH}}"
+      - "--private-key=/dev/stdin"
       - "${artifact}"
+    stdin: "{{ .Env.SELFUPDATE_SIGNING_KEY }}"
     signature: "${artifact}.ed25519"
     artifacts: all
commit	a50a3bf9e4b996498289df50744bdce09a59cc13	[log] [tgz]
author	Josh Bleecher Snyder <josharian@gmail.com>	Mon Jul 14 19:40:48 2025 +0000
committer	Josh Bleecher Snyder <josharian@gmail.com>	Mon Jul 14 13:18:34 2025 -0700
tree	92194e1c19ef8805b1fc725cf74d54a919d99fb9
parent	9b39aa66590f68f9039a8efc0c4e1917551016e6 [diff] [blame]