.github/workflows/actionlint.yaml

@@ -1,18 +1,19 @@
 ---
-# Separate the workflow for actionlint to other workflows, because if a workflow for actionlint is broken actionlint isn't run
 name: actionlint
-on:
-  pull_request:
-    paths:
-      - .github/workflows/*.yaml
-      - aqua/imports/actionlint.yaml
-      - aqua/imports/reviewdog.yaml
+on: pull_request
+permissions: {}
 jobs:
   actionlint:
-    uses: suzuki-shunsuke/actionlint-workflow/.github/workflows/actionlint.yaml@932d2dbef166b2f6f7e11790954e8245289ffd0d # v1.2.1
-    with:
-      aqua_version: v2.45.0
-      aqua_policy_allow: true
+    runs-on: ubuntu-24.04
+    if: failure()
+    timeout-minutes: 10
+    permissions: {}
+    needs:
+      - main
+    steps:
+      - run: exit 1
+  main:
+    uses: suzuki-shunsuke/actionlint-workflow/.github/workflows/actionlint.yaml@1af1919efef445ad960f5ab4cf370e47e961d721 # v2.0.0
     permissions:
       pull-requests: write
       contents: read

.github/workflows/autofix.yaml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - uses: suzuki-shunsuke/go-autofix-action@559f0cb21668a975222826fa376dbec951abc2f6 # v0.1.4
         with:
-          aqua_version: v2.45.0
+          aqua_version: v2.45.1
       - run: aqua upc -prune
         working-directory: pkg/cosign
       - run: aqua upc -prune

.github/workflows/debug-with-action-tmate.yaml

@@ -27,7 +27,7 @@ jobs:
           GITHUB_TOKEN: ${{github.token}}
       - uses: aquaproj/aqua-installer@e2d0136abcf70b7a2f6f505720640750557c4b33 # v3.1.1
         with:
-          aqua_version: v2.45.0
+          aqua_version: v2.45.1
         env:
           AQUA_GITHUB_TOKEN: ${{github.token}}
       - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0

.github/workflows/release.yaml

@@ -11,7 +11,7 @@ jobs:
       homebrew: true
       go-version-file: go.mod
       aqua_policy_allow: true
-      aqua_version: v2.45.0
+      aqua_version: v2.45.1
       app_token_repositories: >-
         [
           "${{github.event.repository.name}}",

.github/workflows/wc-ghalint.yaml

@@ -15,7 +15,7 @@ jobs:
           persist-credentials: false
       - uses: aquaproj/aqua-installer@e2d0136abcf70b7a2f6f505720640750557c4b33 # v3.1.1
         with:
-          aqua_version: v2.45.0
+          aqua_version: v2.45.1
         env:
           AQUA_GITHUB_TOKEN: ${{github.token}}
       - run: ghalint run

.github/workflows/wc-typos.yaml

@@ -14,7 +14,7 @@ jobs:
           persist-credentials: false
       - uses: aquaproj/aqua-installer@e2d0136abcf70b7a2f6f505720640750557c4b33 # v3.1.1
         with:
-          aqua_version: v2.45.0
+          aqua_version: v2.45.1
         env:
           AQUA_GITHUB_TOKEN: ${{github.token}}
       - run: typos

Dockerfile-prebuilt

@@ -9,5 +9,5 @@ WORKDIR /home/foo/workspace
 RUN curl -sSfL -O https://raw.githubusercontent.com/aquaproj/aqua-installer/v3.1.1/aqua-installer
 RUN echo "e9d4c99577c6b2ce0b62edf61f089e9b9891af1708e88c6592907d2de66e3714  aqua-installer" | sha256sum -c -
 RUN chmod +x aqua-installer
-RUN ./aqua-installer -v "v2.45.0"
+RUN ./aqua-installer -v "v2.45.1"
 ENV PATH=/home/foo/.local/share/aquaproj-aqua/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

aqua/aqua-checksums.json

@@ -56,28 +56,28 @@
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/goreleaser/goreleaser/v2.7.0/goreleaser_Darwin_all.tar.gz",
-      "checksum": "A3D431D41E48A6A699B51BAA41221E1712420AD6C53B426710324966877EE1D0",
+      "id": "github_release/github.com/goreleaser/goreleaser/v2.8.1/goreleaser_Darwin_all.tar.gz",
+      "checksum": "B72908A129ABC227247FD9BD706F160F4AE9196BB351FC78D6F774C560337183",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/goreleaser/goreleaser/v2.7.0/goreleaser_Linux_arm64.tar.gz",
-      "checksum": "5B3646CEF976EA610019D4EE5523E4FB1B243E4E89A416FF9B9AC645C7E26342",
+      "id": "github_release/github.com/goreleaser/goreleaser/v2.8.1/goreleaser_Linux_arm64.tar.gz",
+      "checksum": "9D4A8AA6B95A1390ECE6B55F62F53BDF041440A7E6EF639E7375B0E95284C2AE",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/goreleaser/goreleaser/v2.7.0/goreleaser_Linux_x86_64.tar.gz",
-      "checksum": "075CB78E414664E50EE6900DD93FF1748C2D3FCE19C9830F40186E99FC90BA0E",
+      "id": "github_release/github.com/goreleaser/goreleaser/v2.8.1/goreleaser_Linux_x86_64.tar.gz",
+      "checksum": "76A456F7E9B3D8644638D804D0FCDA2F8557858AF9B116D1A30B1AAA1D6A1EBC",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/goreleaser/goreleaser/v2.7.0/goreleaser_Windows_arm64.zip",
-      "checksum": "D89FFED2D0AA3D25DF6E8CA627E60C3D061945710B346539A03C45D9C7A68E04",
+      "id": "github_release/github.com/goreleaser/goreleaser/v2.8.1/goreleaser_Windows_arm64.zip",
+      "checksum": "C53C89D3AA73E996D803A8115C60C274666480343EEF3F8E1CB448C95B77A0FC",
       "algorithm": "sha256"
     },
     {
-      "id": "github_release/github.com/goreleaser/goreleaser/v2.7.0/goreleaser_Windows_x86_64.zip",
-      "checksum": "CEB6EA7136E4D5F166E1C3FA35CBB993E1FD50546A557C12731C90556633E5E1",
+      "id": "github_release/github.com/goreleaser/goreleaser/v2.8.1/goreleaser_Windows_x86_64.zip",
+      "checksum": "EAF4E90BD9A324F9D9245F492547D6EA4A80C4A0DCE24969682032D9AFC9A20D",
       "algorithm": "sha256"
     },
     {

aqua/imports/goreleser.yaml

@@ -1,2 +1,2 @@
 packages:
-  - name: goreleaser/goreleaser@v2.7.0
+  - name: goreleaser/goreleaser@v2.8.1

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/otiai10/copy v1.14.1
 	github.com/schollz/progressbar/v3 v3.18.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/afero v1.12.0
+	github.com/spf13/afero v1.14.0
 	github.com/suzuki-shunsuke/flute v1.0.1
 	github.com/suzuki-shunsuke/gen-go-jsonschema v0.1.0
 	github.com/suzuki-shunsuke/go-error-with-exit-code v1.0.0
@@ -85,8 +85,8 @@ require (
 	github.com/ulikunitz/xz v0.5.12 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
-	golang.org/x/term v0.28.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 )

go.sum

@@ -207,8 +207,8 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sorairolake/lzip-go v0.3.5 h1:ms5Xri9o1JBIWvOFAorYtUNik6HI3HgBTkISiqu0Cwg=
 github.com/sorairolake/lzip-go v0.3.5/go.mod h1:N0KYq5iWrMXI0ZEXKXaS9hCyOjZUQdBDEIbXfoUwbdk=
-github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
-github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
+github.com/spf13/afero v1.14.0 h1:9tH6MapGnn/j0eb0yIXiLjERO8RB6xIVZRDCX7PtqWA=
+github.com/spf13/afero v1.14.0/go.mod h1:acJQ8t0ohCGuMN3O+Pv0V0hgMxNYDlvdk+VTfyZmbYo=
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -270,8 +270,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -370,8 +370,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -382,8 +382,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pkg/controller/generate-registry/generate.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/aquaproj/aqua/v2/pkg/asset"
@@ -169,15 +170,15 @@ func (c *Controller) getPackageInfoMain(ctx context.Context, logE *logrus.Entry,
 
 	arr := c.listReleaseAssets(ctx, logE, pkgInfo, release.GetID())
 	logE.WithField("num_of_assets", len(arr)).Debug("got assets")
-	assets := make([]*github.ReleaseAsset, 0, len(arr))
+	assetNames := make([]string, 0, len(arr))
 	for _, asset := range arr {
 		if excludeAsset(logE, asset.GetName(), cfg) {
 			continue
 		}
-		assets = append(assets, asset)
+		assetNames = append(assetNames, asset.GetName())
 	}
 
-	c.patchRelease(logE, pkgInfo, pkgName, release.GetTagName(), assets)
+	c.patchRelease(logE, pkgInfo, pkgName, release.GetTagName(), assetNames)
 	return pkgInfo, []string{version}
 }
 
@@ -200,7 +201,7 @@ func getChecksum(checksumNames map[string]struct{}, assetName string) *registry.
 	return nil
 }
 
-func (c *Controller) patchRelease(logE *logrus.Entry, pkgInfo *registry.PackageInfo, pkgName, tagName string, assets []*github.ReleaseAsset) { //nolint:cyclop
+func (c *Controller) patchRelease(logE *logrus.Entry, pkgInfo *registry.PackageInfo, pkgName, tagName string, assets []string) { //nolint:cyclop
 	if len(assets) == 0 {
 		pkgInfo.NoAsset = true
 		return
@@ -209,8 +210,7 @@ func (c *Controller) patchRelease(logE *logrus.Entry, pkgInfo *registry.PackageI
 	pkgNameContainChecksum := strings.Contains(strings.ToLower(pkgName), "checksum")
 	assetNames := map[string]struct{}{}
 	checksumNames := map[string]struct{}{}
-	for _, aset := range assets {
-		assetName := aset.GetName()
+	for _, assetName := range assets {
 		if !pkgNameContainChecksum {
 			chksum := checksum.GetChecksumConfigFromFilename(assetName, tagName)
 			if chksum != nil {
@@ -244,6 +244,7 @@ func (c *Controller) patchRelease(logE *logrus.Entry, pkgInfo *registry.PackageI
 			if chksum != nil {
 				assetInfo := asset.ParseAssetName(checksumName, tagName)
 				chksum.Asset = assetInfo.Template
+				chksum.Cosign = checkChecksumCosign(pkgInfo, checksumName, assetNames)
 				pkgInfo.Checksum = chksum
 				break
 			}
@@ -285,3 +286,45 @@ func checkSLSAProvenance(assetName, tagName string) *registry.SLSAProvenance {
 		Asset: &assetInfo.Template,
 	}
 }
+
+func checkChecksumCosign(pkgInfo *registry.PackageInfo, checksumAssetName string, assetNames map[string]struct{}) *registry.Cosign {
+	var signatureAssetName string
+	for _, suf := range []string{"-keyless.sig", ".sig"} {
+		if _, ok := assetNames[checksumAssetName+suf]; ok {
+			signatureAssetName = checksumAssetName + suf
+			break
+		}
+	}
+	if signatureAssetName == "" {
+		return nil
+	}
+	var certificateAssetName string
+	for _, suf := range []string{"-keyless.pem", ".pem"} {
+		if _, ok := assetNames[checksumAssetName+suf]; ok {
+			certificateAssetName = checksumAssetName + suf
+			break
+		}
+	}
+	if certificateAssetName == "" {
+		return nil
+	}
+
+	downloadURL := fmt.Sprintf("https://github.com/%s/%s/releases/download/{{.Version}}/",
+		pkgInfo.RepoOwner, pkgInfo.RepoName)
+	return &registry.Cosign{
+		Opts: []string{
+			"--certificate-identity-regexp",
+			fmt.Sprintf(
+				`^https://github\.com/%s/%s/\.github/workflows/.+\.ya?ml@refs/tags/`,
+				regexp.QuoteMeta(pkgInfo.RepoOwner),
+				regexp.QuoteMeta(pkgInfo.RepoName),
+			),
+			"--certificate-oidc-issuer",
+			"https://token.actions.githubusercontent.com",
+			"--signature",
+			downloadURL + signatureAssetName,
+			"--certificate",
+			downloadURL + certificateAssetName,
+		},
+	}
+}

pkg/controller/generate-registry/group.go

@@ -111,19 +111,24 @@ func mergeGroups(pkg *registry.PackageInfo, groups []*Group) []string { //nolint
 	return versions
 }
 
-func replaceVersion(assetName, version string) string {
-	return strings.Replace(
-		strings.Replace(assetName, version, "{{.Version}}", 1),
-		strings.TrimPrefix(version, "v"), "{{trimV .Version}}", 1)
+func replaceVersion(assetName, version, semver string) string {
+	s := strings.ReplaceAll(
+		strings.ReplaceAll(assetName, version, "{{.Version}}"),
+		strings.TrimPrefix(version, "v"), "{{trimV .Version}}")
+	if semver == version {
+		return s
+	}
+	return strings.ReplaceAll(s, semver, "{{.SemVer}}")
 }
 
 func groupByAllAsset(releases []*Release) []*Group {
 	groups := []*Group{}
 	var group *Group
 	for _, release := range releases {
 		assetNames := make([]string, len(release.assets))
+		semver := strings.TrimPrefix(release.Tag, release.VersionPrefix)
 		for i, asset := range release.assets {
-			assetNames[i] = replaceVersion(asset.GetName(), release.Tag)
+			assetNames[i] = replaceVersion(asset.GetName(), release.Tag, semver)
 		}
 		sort.Strings(assetNames)
 		allAsset := strings.Join(assetNames, "\n")
@@ -218,6 +223,9 @@ func excludeGroupsAssets(groups []*Group, pkgName string) {
 }
 
 func groupByExcludedAsset(groups []*Group) []*Group {
+	if len(groups) == 0 {
+		return groups
+	}
 	newGroups := make([]*Group, 0, len(groups))
 	prevGroup := groups[0]
 	for _, group := range groups[1:] {
@@ -238,7 +246,7 @@ func groupByExcludedAsset(groups []*Group) []*Group {
 	return newGroups
 }
 
-func (c *Controller) group(logE *logrus.Entry, pkgName string, releases []*Release) []*Group {
+func (c *Controller) group(logE *logrus.Entry, pkgInfo *registry.PackageInfo, pkgName string, releases []*Release) []*Group {
 	if len(releases) == 0 {
 		return nil
 	}
@@ -248,8 +256,11 @@ func (c *Controller) group(logE *logrus.Entry, pkgName string, releases []*Relea
 
 	for _, group := range groups {
 		release := group.releases[0]
-		pkgInfo := &registry.PackageInfo{}
-		c.patchRelease(logE, pkgInfo, pkgName, release.Tag, release.assets)
+		pkgInfo := &registry.PackageInfo{
+			RepoOwner: pkgInfo.RepoOwner,
+			RepoName:  pkgInfo.RepoName,
+		}
+		c.patchRelease(logE, pkgInfo, pkgName, release.Tag, group.assetNames)
 		group.pkg = &Package{
 			Info:    pkgInfo,
 			Version: release.Tag,
@@ -283,5 +294,5 @@ func (c *Controller) group(logE *logrus.Entry, pkgName string, releases []*Relea
 }
 
 func (c *Controller) generatePackage(logE *logrus.Entry, pkgInfo *registry.PackageInfo, pkgName string, releases []*Release) []string {
-	return mergeGroups(pkgInfo, c.group(logE, pkgName, releases))
+	return mergeGroups(pkgInfo, c.group(logE, pkgInfo, pkgName, releases))
 }