ci: add goreleaser config and release workflow #50

Merged: shreemaan-abhishek merged 2 commits into main from feat/release-goreleaser on May 27, 2026

@shreemaan-abhishek shreemaan-abhishek commented May 27, 2026


Summary

  • Port .goreleaser.yml from a7 (project name a6, module github.com/api7/a6); upgrade to goreleaser v2 syntax (version: 2, formats: [...]).
  • Add .github/workflows/release.yml that runs goreleaser on tag push (v*), producing tar.gz/zip archives for linux/darwin/windows on amd64/arm64 plus a checksums.txt.
  • Asset naming a6_<version>_<os>_<arch>.<ext> matches what internal/update.FindAsset looks for, so a6 update will discover assets from this workflow once a tag is published.

Locally validated with goreleaser check and goreleaser release --snapshot --clean; verified the produced binary reports the linker-injected version.

Closes part of #37 (config + workflow). Tagging v0.1.0-rc1 and the end-to-end a6 update verification will be done after this PR merges, so the workflow fires from main.

Refs #33, #37

Test plan

  • CI green on this PR
  • After merge, push tag v0.1.0-rc1 and confirm the Release workflow uploads 6 archives + checksums.txt
  • Run a dev build of a6 update against the published release and confirm it finds the asset, downloads, and self-replaces

Summary by CodeRabbit

  • Chores
    • Added an automated release pipeline that runs on version tag pushes.
    • Builds and publishes binaries for Linux, macOS, and Windows on x86-64 and ARM64.
    • Generates checksums and archives (tar.gz / zip) and produces curated changelogs.
    • Publishes releases to GitHub (non-draft, prerelease auto), and embeds version/commit/date into built binaries.


Wires goreleaser v2 to produce multi-arch binaries (linux, darwin,
windows for amd64 and arm64) with sha256 checksums on tag push.
Asset naming `a6_<version>_<os>_<arch>.<ext>` matches the format
expected by the `a6 update` command's FindAsset.

Refs #37

coderabbitai Bot commented May 27, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a7bc3f8 and 74c8388.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

📝 Walkthrough

Adds a GitHub Actions Release workflow and a .goreleaser.yml. On tags v* it builds ./cmd/a6 for linux/darwin/windows (amd64, arm64), packages archives (tar.gz/zip), writes checksums, generates a filtered changelog, and publishes a GitHub release.

Changes

Release Automation

| Layer / File(s) | Summary |
|---|---|
| Release workflow trigger and job orchestration (.github/workflows/release.yml) | Workflow triggers on pushed tags v*, grants contents: write, checks out the repo, sets up Go from go.mod, and runs goreleaser/goreleaser-action with release --clean, passing GITHUB_TOKEN. |
| GoReleaser build and release configuration (.goreleaser.yml) | Defines project name, pre-build go mod tidy, builds ./cmd/a6 with ldflags injecting Version/Commit/Date, targets linux/darwin/windows on amd64/arm64, produces tar.gz/zip archives, writes checksums.txt, filters changelog, and configures GitHub release for api7/a6. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding a GoReleaser configuration file and a GitHub Actions release workflow for automated releases. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| E2e Test Quality Review | ✅ Passed | The PR adds only CI/CD configuration files (.github/workflows/release.yml and .goreleaser.yml) with no test code. The E2E Test Quality Review check is not applicable to configuration-only PRs. |
| Security Check | ✅ Passed | No security vulnerabilities: GITHUB_TOKEN from secrets (auto-masked), actions pinned to commit SHAs, persist-credentials false, minimal permissions, no hardcoded secrets or sensitive data exposure. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 16-24: The workflow uses floating action tags and leaves checkout
credentials persisted, increasing risk; update the release workflow to pin
actions to specific SHAs or full version tags and disable credential persistence
when calling actions/checkout (set persist-credentials: false) and reduce
repository permissions by setting permissions.contents to read (or none) instead
of write; locate the uses of actions/checkout@v4, actions/setup-go@v5, and
goreleaser/goreleaser-action@v6 in the file and replace them with pinned
references and add persist-credentials: false under actions/checkout, and adjust
the top-level permissions block to remove or lower contents write access.

📥 Commits

Reviewing files that changed from the base of the PR and between efb26dd and a7bc3f8.

📒 Files selected for processing (2)
  • .github/workflows/release.yml
  • .goreleaser.yml

Comment thread: .github/workflows/release.yml (Outdated)

Pin actions/checkout, actions/setup-go, and goreleaser/goreleaser-action
to the commit SHAs for their v4/v5/v6 tags, and set
persist-credentials: false on checkout. Keeps the top-level
contents: write permission since goreleaser needs it to publish the
GitHub Release.

Addresses CodeRabbit review on #50.

@shreemaan-abhishek (Contributor, Author)

Thanks for the review. Pushed 74c8388:

  • Pinned actions/checkout@v4, actions/setup-go@v5, and goreleaser/goreleaser-action@v6 to commit SHAs (with the major-version tag in a trailing comment).
  • Added persist-credentials: false to the checkout step; goreleaser auths via GITHUB_TOKEN env, so the persisted git credential isn't needed.

Kept the top-level permissions: contents: write since the only job in this workflow is goreleaser, which needs write access to create the GitHub Release. Splitting it to job-level would be a no-op given there is one job.

@shreemaan-abhishek shreemaan-abhishek merged commit 9b2745c into main May 27, 2026
6 checks passed
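
The two changes made in this thread (actions pinned to commit SHAs, `persist-credentials: false` on checkout) can be checked mechanically before a release workflow is merged. The sketch below is an added example, not code from this PR or from api7/a6; the workflow text is constructed, the 40-character SHAs are placeholders rather than the real commits behind v4/v5/v6, and the line-based matching is a heuristic, not a YAML parser.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")
WRITE_SCOPE = re.compile(r"^\s*([a-z-]+):\s*write\s*(#.*)?$")

def audit(workflow):
    """Return (findings, write_scopes) for the text of one workflow file."""
    lines = workflow.splitlines()
    findings, scopes = [], []
    for n, line in enumerate(lines, start=1):
        scope = WRITE_SCOPE.match(line)
        if scope:
            scopes.append(scope.group(1))  # listed for review, not an error
        used = USES.match(line)
        if not used or used.group(1).startswith(("./", "docker://")):
            continue  # not a step, or a local/container action
        ref = used.group(1)
        if not FULL_SHA.search(ref):
            findings.append(f"line {n}: {ref} is a movable ref, not a commit SHA")
        if ref.startswith("actions/checkout@"):
            step = []
            for nxt in lines[n:]:  # rest of this step, up to the next list item
                if re.match(r"^\s*-\s", nxt):
                    break
                step.append(nxt)
            if not any(NO_PERSIST.match(s) for s in step):
                findings.append(f"line {n}: checkout without persist-credentials: false")
    return findings, scopes

# Constructed workflow text in the shape the review describes.
FLOATING = """\
permissions:
  contents: write
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
      - uses: goreleaser/goreleaser-action@v6
"""
# Placeholder SHAs ("a" * 40 etc.), not the real commits for these tags.
PINNED = (FLOATING.replace("@v4", "@" + "a" * 40 + " # v4")
          .replace("@v5", "@" + "b" * 40 + " # v5")
          .replace("@v6", "@" + "c" * 40 + " # v6")
          .replace("fetch-depth: 0", "fetch-depth: 0\n          persist-credentials: false"))
```

`audit(FLOATING)` reports the three tag references and the checkout step, while `audit(PINNED)` reports nothing; `contents` appears in the write-scope list for both, matching the decision in this thread to keep `contents: write` for publishing the release.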