From c75b4e5c4c458320194830e38101feecd5087ad7 Mon Sep 17 00:00:00 2001 From: Ahmed ElMallah Date: Thu, 18 Jun 2026 10:16:09 -0700 Subject: [PATCH] Publish releases automatically with native notes --- .goreleaser.yaml | 12 ++---------- docs/ARCHITECTURE.md | 2 +- docs/development/CI.md | 12 +++++++----- docs/development/RELEASE_CHECKLIST.md | 7 +++---- 4 files changed, 13 insertions(+), 20 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 54a0f7b..cdfa600 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -90,25 +90,17 @@ snapshot: version_template: "{{ incpatch .Version }}-next" changelog: - sort: asc - filters: - exclude: - - "^docs:" - - "^test:" - - "^chore:" + use: github-native release: github: owner: bomly-dev name: bomly-cli - draft: true + draft: false prerelease: auto - replace_existing_draft: true header: | Bomly release {{ .Tag }} - This draft release was generated by GoReleaser from the tagged `bomly-cli` source tree. - Included artifacts: - Full builtin `bomly` archives for Linux, macOS, and Windows. - Alternate `bomly-lite` archives for users who prefer external Syft and Grype binaries. diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md index 24cc0d7..77d0c35 100644 --- a/docs/ARCHITECTURE.md +++ b/docs/ARCHITECTURE.md 
@@ -192,7 +192,7 @@ GitHub Actions handles validation, security analysis, smoke coverage, and releas - Pull requests run fast validation only. - Pushes to `main` run deeper quality checks and scheduled smoke coverage. -- Semver tags run GoReleaser to publish draft GitHub Releases with cross-platform archives, `SHA256SUMS`, Linux packages, and package-manager manifests. +- Semver tags run GoReleaser to publish GitHub Releases with GitHub-native release notes, cross-platform archives, `SHA256SUMS`, Linux packages, and package-manager manifests. - GoReleaser also opens package-manager manifest PRs for Homebrew, Scoop, and WinGet. Official distro repositories are intentionally out of scope until usage justifies the maintainer overhead. See [CI and Release Pipeline](development/CI.md) for workflow details and release mechanics. diff --git a/docs/development/CI.md b/docs/development/CI.md index 781d623..d23242b 100644 --- a/docs/development/CI.md +++ b/docs/development/CI.md @@ -14,7 +14,7 @@ Bomly uses GitHub Actions for validation, security analysis, smoke coverage, and | `Smoke` | Merge queue, nightly schedule, manual dispatch | Slow end-to-end coverage against real repositories, SBOMs, and containers before merge, plus scheduled drift detection | | `Update Smoke Goldens` | Manual dispatch | Regenerate golden files on a chosen ref and open a PR when the changes are intentional | | `Auto Version` | Manual dispatch | Bump `cmd/bomly/main.go`, create a semver tag, and start the release workflow | -| `Release` | Semver tags like `v1.2.3`, manual dispatch | GoReleaser packaging, checksums, Linux packages, package-manager manifests, and draft GitHub release publication | +| `Release` | Semver tags like `v1.2.3`, manual dispatch | GoReleaser packaging, checksums, Linux packages, package-manager manifests, and GitHub release publication | ## Required Checks 
@@ -160,7 +160,7 @@ go build -tags "bomly_external_syft,bomly_external_grype" -o bin/bomly-lite ./cm Release packaging is driven by `.goreleaser.yaml`. The release workflow uses GoReleaser to create: -- GitHub Release archives for `bomly` and `bomly-lite`. +- A published GitHub Release with archives for `bomly` and `bomly-lite`. - `SHA256SUMS`. - Linux `.deb`, `.rpm`, `.apk`, and Arch Linux package artifacts for the full `bomly` binary. - Homebrew cask, Scoop, and WinGet manifest pull requests. @@ -179,9 +179,11 @@ Release packaging is driven by `.goreleaser.yaml`. The release workflow uses GoR - `windows/amd64` - `windows/arm64` 6. GoReleaser generates `SHA256SUMS` and Linux packages. -7. GoReleaser creates a **draft release** in GitHub Releases and uploads archives, packages, and checksums. +7. GoReleaser publishes the GitHub Release, using the configured GoReleaser header plus GitHub-native generated release notes, and uploads archives, packages, and checksums. 8. GoReleaser opens or updates package-manager manifest PRs for Homebrew, Scoop, and WinGet. -9. After the draft release is published, the `Notify landing page (release lifecycle)` workflow dispatches the landing-page docs and changelog sync with the published timestamp. +9. After the release is published, the `Notify landing page (release lifecycle)` workflow dispatches the landing-page docs and changelog sync with the published timestamp. + +The manual approval point for a release is the `Auto Version` workflow that creates the release tag. The GitHub Release is intentionally published automatically after validation so package-manager manifest PRs can reference public release assets and checksums. Version bump rules are chosen explicitly when running `Auto Version`: 
@@ -201,7 +203,7 @@ Archive naming follows this pattern: Linux package artifacts follow the same `bomly___` prefix with package-manager-specific extensions. -See [Release Checklist](RELEASE_CHECKLIST.md) before publishing a draft release. +See [Release Checklist](RELEASE_CHECKLIST.md) before running the release workflow. ## Install Script Hosting diff --git a/docs/development/RELEASE_CHECKLIST.md b/docs/development/RELEASE_CHECKLIST.md index a1ea17e..d4fd989 100644 --- a/docs/development/RELEASE_CHECKLIST.md +++ b/docs/development/RELEASE_CHECKLIST.md @@ -13,7 +13,7 @@ Use this checklist when publishing a tagged Bomly CLI release. - Run `Auto Version` from `main`, choosing `patch`, `minor`, or `major`. - Wait for `Release` to finish. -- Review the draft GitHub release: +- Review the published GitHub release: - `bomly` archives exist for Linux, macOS, and Windows on `amd64` and `arm64`. - `bomly-lite` archives exist for the same platforms. - `SHA256SUMS` exists. @@ -23,7 +23,7 @@ Use this checklist when publishing a tagged Bomly CLI release. ## Verification -Run the checks against the draft release tag before publishing. Replace `VERSION` in the examples below with the actual release tag, such as `v0.2.0`. +Run the checks against the published release tag. Replace `VERSION` in the examples below with the actual release tag, such as `v0.2.0`. ```bash gh release download VERSION --pattern SHA256SUMS --pattern 'bomly_VERSION_linux_amd64.tar.gz' 
@@ -51,7 +51,6 @@ scoop install bomly ## Publish and rollback -- Publish the GitHub draft release after verification. - Merge package-manager PRs after their generated manifests pass review. - Confirm the landing-page docs sync PR opened. -- If a release must be pulled, mark the GitHub release as draft again and close package-manager PRs that reference the bad tag. +- If a release must be pulled, mark the GitHub release as a prerelease or delete it, close package-manager PRs that reference the bad tag, and tag a replacement patch release when appropriate.
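Review bot: In `.goreleaser.yaml`, the `changelog` block drops the `^docs:`, `^test:` and `^chore:` exclusions when it switches to `use: github-native`, and nothing in this patch replaces them, so changes with those prefixes are no longer filtered by GoReleaser. If they should stay out of the public notes, configure the exclusion on the GitHub side in the same change, or say in the commit message that the extra entries are accepted. In the same hunk, `draft: false` plus the removal of `replace_existing_draft: true` leaves the behaviour of a second `Release` run for an existing tag undocumented; please state what a re-run is expected to do to an already published release.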
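Review bot: In `docs/development/CI.md`, the paragraph added after step 9 names `Auto Version` as the manual approval point, but the workflow table in the same file lists the `Release` triggers as "Semver tags like `v1.2.3`, manual dispatch", so a directly pushed tag or a manual dispatch publishes without passing through `Auto Version`. With `draft: false` there is no human step left between the tag and public assets, so the paragraph should say who is allowed to create semver tags and dispatch `Release`. It should also name the validation meant by "published automatically after validation", since the steps visible in this hunk do not show one.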
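Review bot: In `docs/development/RELEASE_CHECKLIST.md`, the Verification section now runs the `SHA256SUMS` download check against a release that users can already fetch, and the checklist gives no instruction for a failed check. Add a line stating that a verification failure goes straight to the rollback steps and that package-manager PRs are not merged until verification has passed.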
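Review bot: In the "Publish and rollback" hunk of `docs/development/RELEASE_CHECKLIST.md`, the rewritten last bullet offers "mark the GitHub release as a prerelease or delete it" without saying when each applies. Marking a release as a prerelease leaves its assets downloadable, so the bullet should require deletion when the artifacts themselves must not be installed. It also only covers open manifest PRs ("close package-manager PRs that reference the bad tag"); add the step for a manifest PR that was already merged for the bad tag.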