Skip to content

forge

Forge release operations for Go — a provider contract, a registry, and a credential chain for GitHub, GitLab, Gitea, Codeberg, Bitbucket and plain download sources, with no vendor SDK in the core.

go get gitlab.com/phpboyscout/go/forge
factory, err := forge.Lookup(sourceType)
provider, err := factory(source, cfg)

rel, err := provider.GetLatestRelease(ctx, owner, repo)

Why

  • Depend on the contract, not a client. Consuming code takes a forge.Provider, never a *github.Client. Switching forges is a one-line constructor change, not a second code path. See backend agnosticism.
  • You pay only for what you use. The core imports no forge SDK — a guard test enforces it — and each provider is its own module, enabled by a blank import.
  • Any forge, including one we have never heard of. The registry is keyed by a plain string, so a provider ships as your module with nothing contributed here. See author a provider.
  • One credential chain. Environment reference, OS keychain, literal, then a well-known fallback — configured identically whichever forge is behind the interface. See authenticate.
  • Credentials pinned to the host they were issued for. Asset URLs come from release metadata, which a release author controls. See credential pinning.
  • A conformance harness, not just an interface. The compiler checks your method set; RunProviderConformance checks the protocol the compiler cannot see.

Where next

Reference

The API reference is on pkg.go.dev.