Bump Go v1.24.4 to fix CVEs

.github/workflows/binaries.yml

@@ -2,7 +2,16 @@ name: Release Binaries
 
 on:
   release:
-    types: [created]
+    types:
+    - created
+    - published
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Release tag name (e.g., v1.4.5). Can ignore this if selecting workflow run from a release tag.'
+        required: false
+        type: string
+        default: ''
 
 permissions:
   contents: write
@@ -14,6 +23,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        ref: ${{ inputs.tag_name || github.ref_name }}
     - uses: wangyoucao577/[email protected]
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -22,11 +33,14 @@ jobs:
         project_path: cmd/envsubst
         asset_name: envsubst-Linux-x86_64
         compress_assets: OFF
+        release_name: ${{ inputs.tag_name || '' }}
   release-linux-arm64:
     name: release linux/arm64
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        ref: ${{ inputs.tag_name || github.ref_name }}
     - uses: wangyoucao577/[email protected]
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -35,11 +49,14 @@ jobs:
         project_path: cmd/envsubst
         asset_name: envsubst-Linux-arm64
         compress_assets: OFF
+        release_name: ${{ inputs.tag_name || '' }}
   release-darwin-amd64:
     name: release darwin/amd64
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        ref: ${{ inputs.tag_name || github.ref_name }}
     - uses: wangyoucao577/[email protected]
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -48,11 +65,14 @@ jobs:
         project_path: cmd/envsubst
         asset_name: envsubst-Darwin-x86_64
         compress_assets: OFF
+        release_name: ${{ inputs.tag_name || '' }}
   release-darwin-arm64:
     name: release darwin/arm64
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        ref: ${{ inputs.tag_name || github.ref_name }}
     - uses: wangyoucao577/[email protected]
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -61,11 +81,14 @@ jobs:
         project_path: cmd/envsubst
         asset_name: envsubst-Darwin-arm64
         compress_assets: OFF
+        release_name: ${{ inputs.tag_name || '' }}
   release-windows:
     name: release windows
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        ref: ${{ inputs.tag_name || github.ref_name }}
     - uses: wangyoucao577/[email protected]
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -75,3 +98,4 @@ jobs:
         binary_name: envsubst-windows #release fails if the binary name is the same as the asset name
         asset_name: envsubst
         compress_assets: OFF
+        release_name: ${{ inputs.tag_name || '' }}

.github/workflows/create-release.yml

@@ -0,0 +1,60 @@
+name: Create Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Release tag name (e.g., v1.4.5)'
+        required: true
+        type: string
+      release_title:
+        description: 'Release title (optional)'
+        required: false
+        type: string
+        default: ''
+      release_body:
+        description: 'Release description (optional)'
+        required: false
+        type: string
+        default: ''
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  create-release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Create tag
+      run: |
+        git config --local user.email "[email protected]"
+        git config --local user.name "GitHub Action"
+
+        # Check if tag already exists
+        if git rev-parse "${{ inputs.tag_name }}" >/dev/null 2>&1; then
+          echo "Tag ${{ inputs.tag_name }} already exists, skipping tag creation"
+        else
+          git tag -a "${{ inputs.tag_name }}" -m "Release ${{ inputs.tag_name }}"
+          git push origin "${{ inputs.tag_name }}"
+        fi
+
+    - name: Create Release
+      id: create_release
+      uses: actions/create-release@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{ inputs.tag_name }}
+        release_name: ${{ inputs.release_title || inputs.tag_name }}
+        body: ${{ inputs.release_body }}
+        draft: false
+        prerelease: false
+      continue-on-error: true

.github/workflows/test.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.23', '1.24' ]
+        go: [ '1.24', '1.25' ]
 
     name: Go ${{ matrix.go }} testing
     steps:

README.md

@@ -94,6 +94,70 @@ func main() {
 
 * `os.ExpandEnv(s string) string` - only supports `$var` and `${var}` notations
 
+#### Creating Releases
+
+This project uses automated workflows to create releases with prebuilt binaries for multiple platforms.
+
+##### Release Workflows
+
+**`create-release.yml`**: Creates git tags and GitHub releases
+- **Trigger**: Manual via GitHub Actions UI
+- **Inputs**: Tag name, optional release title and description
+- **Features**: 
+  - Creates git tag (skips if already exists)
+  - Creates GitHub release
+  - Handles existing tags gracefully (rerunnable)
+
+**`binaries.yml`**: Builds and uploads binaries
+- **Triggers**: 
+  - Automatically on release creation
+  - Manual dispatch with optional tag name
+- **Platforms**: Linux (amd64, arm64), macOS (amd64, arm64), Windows (amd64)
+- **Features**: Builds from specific tag or latest release
+
+##### Release Procedure
+
+1. Go to the **Actions** tab in the GitHub repository
+2. Select the **"Create Release"** workflow
+3. Click **"Run workflow"**
+4. Enter the tag name following semantic versioning (e.g., `v1.4.5`)
+5. Optionally provide a release title and description
+6. Click **"Run workflow"**
+7. Wait for the workflow to complete successfully
+8. Go back to the **Actions** tab and select the **"Release Binaries"** workflow
+9. Click **"Run workflow"** to build and upload binaries for the new release
+10. Enter the same tag name in step (4) (or select `Use workflow from` released tag)
+11. Click **"Run workflow"**
+
+##### What Happens During Release
+
+1. **Tag Creation**: Creates a git tag with the specified version
+2. **Release Creation**: Creates a GitHub release with optional title/description
+3. **Binary Building**: Automatically triggers binary builds for all platforms:
+   - `envsubst-Linux-x86_64` (Linux AMD64)
+   - `envsubst-Linux-arm64` (Linux ARM64)
+   - `envsubst-Darwin-x86_64` (macOS Intel)
+   - `envsubst-Darwin-arm64` (macOS Apple Silicon)
+   - `envsubst` (Windows AMD64)
+4. **Asset Upload**: Binaries are automatically attached to the release
+
+##### Rerunning Releases
+
+- **Same Tag**: Both workflows can be rerun with the same tag name
+- **Tag Exists**: The create-release workflow will skip tag creation if it already exists
+- **Release Exists**: The workflow continues even if the release already exists
+- **Binary Rebuild**: Use the binaries workflow to rebuild assets for existing releases
+
+##### Supported Platforms
+
+| Platform | Architecture  | Binary Name              |
+|----------|---------------|--------------------------|
+| Linux    | AMD64         | `envsubst-Linux-x86_64`  |
+| Linux    | ARM64         | `envsubst-Linux-arm64`   |
+| macOS    | Intel         | `envsubst-Darwin-x86_64` |
+| macOS    | Apple Silicon | `envsubst-Darwin-arm64`  |
+| Windows  | AMD64         | `envsubst`               |
+
 #### License
 MIT
 

go.mod

@@ -1,3 +1,3 @@
 module github.com/a8m/envsubst
 
-go 1.24
+go 1.25.5