LOTP

GoReleaser

cli config-file eval-sh

References

• https://goreleaser.com/customization/hooks/
• https://goreleaser.com/customization/publishers/#how-it-works

goreleaser and its github action goreleaser/goreleaser-action is configure using a local .goreleaser.yaml.

build

goreleaser build allows RCE via hooks:

before:
  hooks:
    - sh -c "id"

release

goreleaser release allows RCE via hooks and custom publishers:

before:
  hooks:
    - sh -c "id"
publishers:
  - name: poc
    cmd: sh -c "id"

*Note: publishers requires a new tag, which should be already defined if a workflow uses goreleaser