forge¶
Forge release operations for Go — a provider contract, a registry, and a credential chain for GitHub, GitLab, Gitea, Codeberg, Bitbucket and plain download sources, with no vendor SDK in the core.
factory, err := forge.Lookup(sourceType)
provider, err := factory(source, cfg)
rel, err := provider.GetLatestRelease(ctx, owner, repo)
Why¶
- Depend on the contract, not a client. Consuming code takes a
forge.Provider, never a*github.Client. Switching forges is a one-line constructor change, not a second code path. See backend agnosticism. - You pay only for what you use. The core imports no forge SDK — a guard test enforces it — and each provider is its own module, enabled by a blank import.
- Any forge, including one we have never heard of. The registry is keyed by a plain string, so a provider ships as your module with nothing contributed here. See author a provider.
- One credential chain. Environment reference, OS keychain, literal, then a well-known fallback — configured identically whichever forge is behind the interface. See authenticate.
- Credentials pinned to the host they were issued for. Asset URLs come from release metadata, which a release author controls. See credential pinning.
- A conformance harness, not just an interface. The compiler checks your
method set;
RunProviderConformancechecks the protocol the compiler cannot see.
Where next¶
- Getting started — resolve a provider and read a release.
- Author a provider — teach it a new forge, in your own module.
- Authenticate — the credential chain and how to pin it.
- Verify releases — checksums and signatures.
- Direct provider — releases from a plain web server.
- Testing — doubles, mocks, and the conformance harness.
Reference¶
The API reference is on pkg.go.dev.