From 53d79aea5a6506d9cf70e174d1f55920b3953abc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= <git@marcschaeferger.de>
Date: Sun, 22 Feb 2026 23:05:06 +0100
Subject: [PATCH] Refactor .goreleaser.yaml for improved release management and
 update README with installation instructions Add script to append release
 notes and enhance publish-apt.sh for asset downloading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
---
 .goreleaser.yaml                | 26 +++++----------
 README.md                       | 13 ++++++--
 scripts/append-release-notes.sh | 22 +++++++++++++
 scripts/publish-apt.sh          | 56 +++++++++++++++++++--------------
 4 files changed, 74 insertions(+), 43 deletions(-)
 create mode 100644 scripts/append-release-notes.sh

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index bb30892..0200ee5 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,42 +1,33 @@
+version: 2
 project_name: newt
 
 release:
-  # du nutzt Tags wie 1.2.3 und 1.2.3-rc.1 (ohne v)
   draft: true
-  prerelease: auto
+  prerelease: "{{ contains .Tag \"-rc.\" }}"
   name_template: "{{ .Tag }}"
-  mode: replace
 
 builds:
   - id: newt
-    main: ./main.go   # <- falls du cmd/newt hast: ./cmd/newt
+    main: ./main.go
     binary: newt
     env:
       - CGO_ENABLED=0
     goos:
       - linux
-      - darwin
-      - windows
-      - freebsd
     goarch:
       - amd64
       - arm64
-    goarm:
-      - "6"
-      - "7"
     flags:
       - -trimpath
     ldflags:
-      - -s -w -X main.version={{ .Tag }}
+      - -s -w -X main.newtVersion={{ .Tag }}
 
 archives:
-  # Wichtig: format "binary" -> keine tar.gz, sondern raw binary wie bei dir aktuell
-  - id: raw
+  - id: binaries
     builds:
       - newt
     format: binary
-    name_template: >-
-      {{ .ProjectName }}_{{ .Os }}_{{ if eq .Arch "amd64" }}amd64{{ else if eq .Arch "arm64" }}arm64{{ else if eq .Arch "386" }}386{{ else }}{{ .Arch }}{{ end }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}{{ if .Amd64 }}_{{ .Amd64 }}{{ end }}{{ if .Riscv64 }}_{{ .Riscv64 }}{{ end }}{{ if .Os | eq "windows" }}.exe{{ end }}
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
 
 checksum:
   name_template: "checksums.txt"
@@ -49,14 +40,13 @@ nfpms:
     vendor: fosrl
     maintainer: fosrl <repo@fosrl.io>
     description: Newt - userspace tunnel client and TCP/UDP proxy
-    license: AGPL-3.0
+    license: AGPL-3.0-or-later
     formats:
       - deb
       - rpm
       - apk
     bindir: /usr/bin
-    # sorgt dafür, dass die Paketnamen gut pattern-matchbar sind
-    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}"
+    file_name_template: "newt_{{ .Version }}_{{ .Arch }}"
     contents:
       - src: LICENSE
         dst: /usr/share/doc/newt/LICENSE
diff --git a/README.md b/README.md
index 3ac0be7..3488cd1 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,24 @@
 # Newt
+
 [![PkgGoDev](https://pkg.go.dev/badge/github.com/fosrl/newt)](https://pkg.go.dev/github.com/fosrl/newt)
 [![GitHub License](https://img.shields.io/github/license/fosrl/newt)](https://github.com/fosrl/newt/blob/main/LICENSE)
 [![Go Report Card](https://goreportcard.com/badge/github.com/fosrl/newt)](https://goreportcard.com/report/github.com/fosrl/newt)
 
 Newt is a fully user space [WireGuard](https://www.wireguard.com/) tunnel client and TCP/UDP proxy, designed to securely expose private resources controlled by Pangolin. By using Newt, you don't need to manage complex WireGuard tunnels and NATing.
 
-### Installation and Documentation
+## Installation and Documentation
 
 Newt is used with Pangolin and Gerbil as part of the larger system. See documentation below:
 
--   [Full Documentation](https://docs.pangolin.net/manage/sites/understanding-sites)
+- [Full Documentation](https://docs.pangolin.net/manage/sites/understanding-sites)
+
+### Install via APT (Debian/Ubuntu)
+
+```bash
+curl -fsSL https://repo.dev.fosrl.io/apt/public.key | sudo gpg --dearmor -o /usr/share/keyrings/newt-archive-keyring.gpg
+echo "deb [signed-by=/usr/share/keyrings/newt-archive-keyring.gpg] https://repo.dev.fosrl.io/apt stable main" | sudo tee /etc/apt/sources.list.d/newt.list
+sudo apt update && sudo apt install newt
+```
 
 ## Key Functions
 
diff --git a/scripts/append-release-notes.sh b/scripts/append-release-notes.sh
new file mode 100644
index 0000000..54015b0
--- /dev/null
+++ b/scripts/append-release-notes.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+: "${TAG:?}"
+: "${GHCR_REF:?}"
+: "${DIGEST:?}"
+
+NOTES_FILE="$(mktemp)"
+
+existing_body="$(gh release view "${TAG}" --json body --jq '.body')"
+cat > "${NOTES_FILE}" <<EOF
+${existing_body}
+
+## Container Images
+- GHCR: \`${GHCR_REF}\`
+- Docker Hub: \`${DH_REF:-N/A}\`
+**Digest:** \`${DIGEST}\`
+EOF
+
+gh release edit "${TAG}" --draft --notes-file "${NOTES_FILE}"
+
+rm -f "${NOTES_FILE}"
diff --git a/scripts/publish-apt.sh b/scripts/publish-apt.sh
index eba6315..c7f9590 100644
--- a/scripts/publish-apt.sh
+++ b/scripts/publish-apt.sh
@@ -19,6 +19,23 @@ fi
 WORKDIR="$(pwd)"
 mkdir -p repo/apt assets build
 
+download_asset() {
+  local tag="$1"
+  local pattern="$2"
+  local attempts=12
+
+  for attempt in $(seq 1 "${attempts}"); do
+    if gh release download "${tag}" -R "${GH_REPO}" -p "${pattern}" -D assets; then
+      return 0
+    fi
+    echo "Asset ${pattern} not available yet (attempt ${attempt}/${attempts}); retrying..."
+    sleep 5
+  done
+
+  echo "ERROR: Failed to download asset ${pattern} for ${tag} after ${attempts} attempts"
+  return 1
+}
+
 echo "${APT_GPG_PRIVATE_KEY}" | gpg --batch --import >/dev/null 2>&1 || true
 
 KEYID="$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $5; exit}')"
@@ -37,6 +54,8 @@ else
     TAGS="${INPUT_TAG}"
   elif [[ -n "${EVENT_TAG:-}" ]]; then
     TAGS="${EVENT_TAG}"
+  elif [[ -n "${PUSH_TAG:-}" ]]; then
+    TAGS="${PUSH_TAG}"
   else
     echo "No tag provided; using latest release tag..."
     TAGS="$(gh release view -R "${GH_REPO}" --json tagName --jq '.tagName')"
@@ -58,32 +77,23 @@ while IFS= read -r TAG; do
   rm -rf assets build
   mkdir -p assets build
 
-  gh release download "${TAG}" -R "${GH_REPO}" -p "newt_linux_amd64" -D assets
-  gh release download "${TAG}" -R "${GH_REPO}" -p "newt_linux_arm64" -D assets
+  deb_amd64="${PKG_NAME}_${TAG}_amd64.deb"
+  deb_arm64="${PKG_NAME}_${TAG}_arm64.deb"
 
-  VERSION="${TAG#v}"
+  download_asset "${TAG}" "${deb_amd64}"
+  download_asset "${TAG}" "${deb_arm64}"
 
-  for arch in amd64 arm64; do
-    bin="assets/newt_linux_${arch}"
-    if [[ ! -f "${bin}" ]]; then
-      echo "ERROR: Missing release asset: ${bin}"
-      exit 1
-    fi
-
-    install -Dm755 "${bin}" "build/newt"
-
-    # Create nfpm config from template file (no heredoc here)
-    sed \
-      -e "s/__PKG_NAME__/${PKG_NAME}/g" \
-      -e "s/__ARCH__/${arch}/g" \
-      -e "s/__VERSION__/${VERSION}/g" \
-      scripts/nfpm.yaml.tmpl > nfpm.yaml
-
-    nfpm package -p deb -f nfpm.yaml -t "build/${PKG_NAME}_${VERSION}_${arch}.deb"
-  done
+  if [[ ! -f "assets/${deb_amd64}" ]]; then
+    echo "ERROR: Missing release asset: ${deb_amd64}"
+    exit 1
+  fi
+  if [[ ! -f "assets/${deb_arm64}" ]]; then
+    echo "ERROR: Missing release asset: ${deb_arm64}"
+    exit 1
+  fi
 
   mkdir -p "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
-  cp -v build/*.deb "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
+  cp -v assets/*.deb "repo/apt/pool/${COMPONENT}/${PKG_NAME:0:1}/${PKG_NAME}/"
 
 done <<< "${TAGS}"
 
@@ -124,7 +134,7 @@ gpg --batch --yes --pinentry-mode loopback \
 
 # Export public key into apt repo root
 cd ../../..
-gpg --batch --yes --armor --export "${KEYID}" > public.key
+gpg --batch --yes --armor --export "${KEYID}" > "${WORKDIR}/repo/apt/public.key"
 
 # Upload to S3
 echo "Uploading to S3..."