feat: Update release pipelines (1.0) #169

Closed
opened 2025-07-08 08:41:30 -04:00 by AtHeartEngineer · 0 comments

Originally created by @ItalyPaleAle on 5/17/2025

Various updates to the release pipeline to make builds fully reproducible, publish attestations, and speed up container builds.

  1. Create an additional `Dockerfile-prebuilt` which includes binaries pre-built in the pipeline, rather than re-building the binary for each arch (which can be very slow when running under emulation with QEMU)
  2. Ensure the release pipeline builds binaries with cgo disabled
  3. Pass the ldflag `-buildid` with the version. Together with `-trimpath` (already present), this makes builds fully reproducible
  4. Publish provenance attestations for the binaries (the attestation is published as a pipeline artifact) and container images (pushed to the container registry) using SLSA (see: https://github.com/actions/attest-build-provenance/)
    • Provenance attestation allows users to check that the binary they are running is exactly the same one that was built by the pipeline, and has not been tampered with. A very nice thing for a security-related app like this!
  5. Run `chmod +x` on the `.sh` files so it doesn't need to be done when building containers (and they can run locally without issues)
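The build flags and attestation steps listed in the description, assembled into one release job as an added example. This is an illustrative workflow written for this page, not pocket-id's actual pipeline: the job id, the `./cmd/pocket-id` package path, the `dist/` layout, the `IMAGE` variable, the `linux/amd64,linux/arm64` platform list and the pinned action versions are all assumptions.

```yaml
# Added example, not the project's own workflow. Builds static, reproducible
# Go binaries, attests them, builds the container from the prebuilt binaries
# (no `go build` under QEMU) and pushes the image attestation to the registry.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write        # push the image to ghcr.io
  id-token: write        # OIDC token used for Sigstore signing
  attestations: write    # store the attestation on GitHub

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository }}   # assumed image name
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # pin the toolchain: a different Go version is a different binary

      # CGO_ENABLED=0 gives a static binary with no libc dependency.
      # -trimpath drops the build directory from embedded paths and
      # -buildid=<version> pins the build ID, so two builds of the same tag
      # on the same toolchain are byte-identical.
      - name: Build binaries
        run: |
          set -euo pipefail
          VERSION="${GITHUB_REF_NAME}"
          mkdir -p dist
          for arch in amd64 arm64; do
            CGO_ENABLED=0 GOOS=linux GOARCH="$arch" go build \
              -trimpath \
              -ldflags="-buildid=${VERSION}" \
              -o "dist/pocket-id-linux-${arch}" ./cmd/pocket-id   # assumed package path
          done
          sha256sum dist/* > dist/SHA256SUMS

      # SLSA provenance for every binary; the action also uploads the
      # attestation bundle as a workflow artifact.
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/pocket-id-linux-*

      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Dockerfile-prebuilt copies the matching dist/ binary into the image
      # instead of compiling per platform under emulation.
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile-prebuilt
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}

      # Attest the image by digest (never by tag) and push the attestation
      # to the registry alongside the image.
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
```

Two practitioner notes. Inside `Dockerfile-prebuilt`, declare `ARG TARGETARCH` and copy `dist/pocket-id-linux-${TARGETARCH}`; buildx sets that argument per platform, which is what lets a single multi-platform build reuse the prebuilt binaries. On the consumer side, the check the description promises is `gh attestation verify ./pocket-id-linux-amd64 --owner <owner>` for a downloaded binary and `gh attestation verify oci://ghcr.io/<owner>/<image>:<tag> --owner <owner>` for the image (replace the placeholders with the real owner and image); both fail if the artifact's digest does not match what the workflow attested.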
Reference: github/pocket-id#169