# Releasing This repository publishes versioned binaries to GitHub Releases when a tag is pushed. ## What gets published For each tag like `v1.2.3`, GitHub Actions builds release archives for: - `linux/amd64` - `linux/arm64` - `darwin/amd64` - `darwin/arm64` - `windows/amd64` - `windows/arm64` Each archive includes: - the `epusdt` binary - `src/.env.example` - `src/static/` Windows artifacts are published as `.zip`. Other platforms are published as `.tar.gz`. Each release also publishes: - a checksum file - a Sigstore keyless signature bundle for the checksum file - archive SBOM documents generated by Syft - a GitHub build provenance attestation for the checksum file ## How to cut a release 1. Make sure the release commit has already landed on the default branch. 2. Create an annotated tag: ```bash git tag -a v1.0.0 -m "release v1.0.0" ``` 3. Push the tag: ```bash git push origin v1.0.0 ``` 4. Wait for the `release` workflow to finish on GitHub. 5. Download the generated binaries from the GitHub Release page. ## Verify a release Verify the checksum signature with Cosign: ```bash cosign verify-blob \ --bundle epusdt_v1.0.0_checksums.txt.sigstore.json \ epusdt_v1.0.0_checksums.txt ``` Verify the GitHub build provenance attestation: ```bash gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt ``` ## Local validation Install `cosign` and `syft`, then run a snapshot build locally before pushing a tag: ```bash cd src go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean ``` The resulting artifacts will be generated under `src/dist/`.