Set up or align a GitHub Actions release pipeline for a versioned package, library, CLI, or marketplace action. Use when standardizing repos around the verify-then-release shape: push to main → guardrails → semantic-release tags + publishes → version-bump commit back to main with [skip ci].
{
"context": "Tests whether the agent correctly sets up a Go CLI release pipeline using semantic-release (tag-only) combined with GoReleaser for binary distribution and Homebrew tap automation, including proper token scoping, plugin selection, GoReleaser flags, attestation permissions, and Homebrew tap naming conventions.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Tag-only SR plugins",
"description": "The semantic-release plugins list includes `@semantic-release/commit-analyzer`, `@semantic-release/release-notes-generator`, and `@semantic-release/github`, but does NOT include `@semantic-release/git` or `@semantic-release/npm`",
"max_score": 10
},
{
"name": "GoReleaser conditional",
"description": "The GoReleaser step is conditional on `steps.release.outputs.new_release_published == 'true'` (or equivalent output check)",
"max_score": 10
},
{
"name": "GoReleaser --clean flag",
"description": "The goreleaser-action invocation passes `args: release --clean` (the --clean flag is present)",
"max_score": 10
},
{
"name": "Tap repo naming",
"description": "The Homebrew tap repo is referenced with the `homebrew-` prefix in its name (e.g., `homebrew-tap`, `homebrew-<name>`)",
"max_score": 8
},
{
"name": "TAP_GITHUB_TOKEN scope",
"description": "The workflow or documentation specifies that TAP_GITHUB_TOKEN is a fine-grained PAT (or equivalent) scoped only to the tap repo, NOT a broad classic PAT, so that a leaked token cannot reach other repositories",
"max_score": 8
},
{
"name": "Attestation permissions",
"description": "The release job's permissions include `id-token: write` and `attestations: write` (required for the attest-build-provenance step)",
"max_score": 8
},
{
"name": "Attest step conditional",
"description": "The actions/attest-build-provenance step is also conditional on `new_release_published == 'true'`",
"max_score": 8
},
{
"name": "GoReleaser brews block",
"description": "A `.goreleaser.yaml` (or equivalent) file is produced containing a `brews:` block that references the Homebrew tap repo",
"max_score": 8
},
{
"name": "No non-Go Homebrew action for Go",
"description": "The solution does not add `Justintime50/homebrew-releaser`, `dawidd6/action-homebrew-bump-formula`, or an inline tap-update script for the Go CLI; GoReleaser owns the tap update",
"max_score": 6
},
{
"name": "fetch-depth: 0",
"description": "Both verify and release job checkout steps use `fetch-depth: 0`",
"max_score": 6
},
{
"name": "skip ci guards",
"description": "Both verify and release jobs have `if:` guards that skip the job when the commit message contains `[skip ci]`",
"max_score": 6
},
{
"name": "Release concurrency",
"description": "The release job has a job-level concurrency group with `cancel-in-progress: false`",
"max_score": 6
},
{
"name": "Secrets on step",
"description": "GITHUB_TOKEN and TAP_GITHUB_TOKEN are declared in the GoReleaser step's `env:`, not at the job level, so that other steps in the job do not receive them",
"max_score": 6
},
{
"name": "SR action version",
"description": "Uses `cycjimmy/semantic-release-action@v4`",
"max_score": 6
}
]
}