fix(deps): update module github.com/goreleaser/goreleaser to v1.24.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/goreleaser/goreleaser	v1.23.0 -> v1.24.0

GitHub Vulnerability Alerts

CVE-2024-23840

Summary

Hello 👋

goreleaser release --debug log shows secret values used in the in the custom publisher.

How to reproduce the issue:

• Define a custom publisher as the one below. Make sure to provide a custom script to the cmd field and to provide a secret to env

#.goreleaser.yml 
publishers:
  - name: my-publisher
  # IDs of the artifacts we want to sign
    ids:
      - linux_archives
      - linux_package
    cmd: "./build/package/linux_notarize.sh"
    env:
      - VERSION={{ .Version }}
      - SECRET_1={{.Env.SECRET_1}}
      - SECRET_2={{.Env.SECRET_2}}

• run goreleaser release --debug

You should see your secret value in the gorelease log. The log shows also the GITHUB_TOKEN

Example:

running                                        cmd= ....
SECRET_1=secret_value

---

Release Notes

goreleaser/goreleaser (github.com/goreleaser/goreleaser)

v1.24.0

Compare Source

Changelog

New Features

• ee7a1e6: feat(artifactory): publish source archives too, log when no archives found (#​4586) (@​caarlos0)
• 189aa15: feat(blob): acl support for s3 (@​caarlos0)
• e800061: feat(blob): allow to customize whether to force path style (@​caarlos0)
• 88ebab0: feat(blob): cache_control (@​caarlos0)
• a342f02: feat(blob): content disposition (@​caarlos0)
• 5040227: feat(blob): deprecate disableSSL (@​caarlos0)
• 0f57398: feat(blob): deprecate kmskey (@​caarlos0)
• b294759: feat(nfpm): add .Format tmpl var (@​caarlos0)
• 765d534: feat(nfpm): support libraries (#​4587) (@​caarlos0)
• 1ba3138: feat(tmpl): .GitTreeState and .IsGitClean (@​caarlos0)
• 5d44ed1: feat(tmpl): contains (@​caarlos0)
• f724460: feat: --skip=chocolately (@​twpayne)
• 5e9f01e: feat: --skip=nfpm (@​caarlos0)
• 29f30b6: feat: deprecated changelog.skip in favor of changelog.disable (@​caarlos0)
• 12469c4: feat: store which action is being taken in the context (#​4508) (@​caarlos0)

Security updates

• e91a0f5: sec(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.11.0 (#​4505) (@​dependabot[bot])
• 5df54b7: sec: do not log env when --verbose (@​caarlos0)

Bug fixes

• ac398de: fix(brew): improve handling of single os (#​4562) (@​caarlos0)
• 917cae5: fix(config): handle relative git repos (#​4575) (@​aauren)
• 2ced7ac: fix(docker): remove --builder=default from default args when use=buildx (#​4566) (@​caarlos0)
• 7f95ff0: fix(nix): improve generated derivations (#​4582) (@​caarlos0)
• da30c39: fix(nix): prevent importing makeWrapper when it's not needed (@​caarlos0)
• 1e0d269: fix(nix): sourceRoot when using archives.wrap_in_directory (#​4550) (@​caarlos0)
• 003a881: fix(nix): use stdenvNoCC (@​caarlos0)
• 0becc41: fix(winget): schema (@​caarlos0)
• 2a71473: fix: Allow using double quotes for templates in Slack notifications (#​4555) (@​jamietanna)
• fe1bc52: fix: build does not run chocolatey (@​caarlos0)
• 6f72ac3: fix: improve linkedin error message (@​caarlos0)
• 6e0fc79: fix: improve skip details (#​4522) (@​caarlos0)
• 9ce21d3: fix: invalid jsonschema (@​caarlos0)
• 6097ea5: fix: possible nil pointers on logs (@​caarlos0)
• e7f4b10: fix: prevent having whitespaces in artifact names (#​4515) (@​caarlos0)
• 2ab840b: fix: remove disgo dependency (#​4521) (@​caarlos0)
• a0ead03: fix: typo in jsonschema (@​caarlos0)
• 1d44832: refactor(http): remove redundant nil check (#​4563) (@​Juneezee)
• bfa9e7f: refactor(winget): improve winget code (@​caarlos0)

Dependency updates

• 2de878e: feat(deps): bump github.com/aws/aws-sdk-go from 1.49.0 to 1.49.17 (@​dependabot[bot])
• 5c0c82a: feat(deps): bump github.com/aws/aws-sdk-go from 1.49.17 to 1.49.18 (@​dependabot[bot])
• f0bf2d7: feat(deps): bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 (#​4525) (@​dependabot[bot])
• 8ac985b: feat(deps): bump golang from 1.21.5-alpine to 1.21.6-alpine (@​dependabot[bot])
• 835ee39: feat(deps): bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (#​4528) (@​dependabot[bot])
• 45d2152: fix(deps): bump code.gitea.io/sdk/gitea from 0.17.0 to 0.17.1 (#​4512) (@​dependabot[bot])
• 2a45266: fix(deps): bump github.com/goreleaser/nfpm/v2 from 2.35.1 to 2.35.2 (#​4519) (@​dependabot[bot])
• bbb6b5c: fix(deps): bump gocloud.dev from 0.35.0 to 0.36.0 (#​4506) (@​dependabot[bot])
• dcdd623: fix(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 (#​4518) (@​dependabot[bot])

Documentation updates

• afd8410: docs(blob): update (@​caarlos0)
• 87aa3b6: docs(blog): fixed backlinks, imported last post (@​caarlos0)
• 5bff616: docs(blog): import more posts (#​4544) (@​caarlos0)
• 29d55a7: docs(blog): import more posts (@​caarlos0)
• 75c23ab: docs: GitHub Actions code example (#​4516) (@​cafferata)
• aea2568: docs: add installation links for mkdocs and extensions (@​zimeg)
• e41178c: docs: add more details to the gon integration (@​caarlos0)
• 66b3daa: docs: announce v1.23.0 (@​caarlos0)
• 00c2ff7: docs: announce v1.24 (#​4602) (@​caarlos0)
• deaa221: docs: correct a typo in the apple notes (@​zimeg)
• 9e02a14: docs: document nightly oss install options (@​caarlos0)
• c8c7e3e: docs: fix description of AUR directory parameter (#​4581) (@​j178)
• 1feae08: docs: fix typo in link to nightly releases (@​zimeg)
• f62e945: docs: format (@​caarlos0)
• dd365c2: docs: github changeloger needs tags to be pushed (@​caarlos0)
• 368db21: docs: ignore medium.com in htmltest (@​caarlos0)
• 15e77cb: docs: include a section for running documentation (@​zimeg)
• d15dab3: docs: little formatting improvements (@​caarlos0)
• ea6910a: docs: udpate starcharts url (@​caarlos0)
• 325cea7: docs: update (@​caarlos0)
• 24722b0: docs: update (@​caarlos0)
• 87a2370: docs: update (@​caarlos0)
• 2489da3: docs: update continue --dist docs (@​caarlos0)
• be92144: docs: update deprecations page (@​caarlos0)
• e74c849: docs: update docs/readme.md (@​caarlos0)
• 46c639b: docs: update gitlab docs (@​caarlos0)
• 136b4d5: docs: update gon link (@​cfabianski)
• 1134f9b: docs: update run script (@​caarlos0)
• a4ecc87: docs: update users.md (@​caarlos0)
• d245afc: docs: updated the GitHub Code Search syntax (#​4579) (@​cafferata)

Build process updates

• 4d82016: build(nix): shell dont need CC (@​caarlos0)
• 0c90fb4: build: fix generate workflow (@​caarlos0)
• 48f036b: build: nix devShell (#​4507) (@​caarlos0)
• 90a1bbe: build: publish :nightly docker images (@​caarlos0)
• 28ced1d: build: remove duplicated schema generation (@​caarlos0)
• cbb288b: ci: change dependabot commit prefix to chore (@​caarlos0)
• 8e3b7ef: ci: dependabot automerge (@​caarlos0)
• 75c6d1a: ci: improve changelog (@​caarlos0)
• f07af4c: ci: remove dependabot auto approve (@​caarlos0)

Full Changelog: goreleaser/goreleaser@v1.23.0...v1.24.0

Helping out

This release is only possible thanks to all the support of some awesome people!

Want to be one of them?
You can sponsor, get a Pro License or contribute with code.

Where to go next?

• Find examples and commented usage of all options in our website.
• Reach out on Discord and Twitter!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.