mirror of
https://github.com/GMWalletApp/epusdt.git
synced 2026-07-07 02:06:16 +00:00
1.6 KiB
1.6 KiB
Releasing
This repository publishes versioned binaries to GitHub Releases when a tag is pushed.
What gets published
For each tag like v1.2.3, GitHub Actions builds release archives for:
linux/amd64linux/arm64darwin/amd64darwin/arm64windows/amd64windows/arm64
Each archive includes:
- the
epusdtbinary src/.env.examplesrc/static/
Windows artifacts are published as .zip. Other platforms are published as .tar.gz.
Each release also publishes:
- a checksum file
- a Sigstore keyless signature bundle for the checksum file
- archive SBOM documents generated by Syft
- a GitHub build provenance attestation for the checksum file
How to cut a release
- Make sure the release commit has already landed on the default branch.
- Create an annotated tag:
git tag -a v1.0.0 -m "release v1.0.0"
- Push the tag:
git push origin v1.0.0
- Wait for the
releaseworkflow to finish on GitHub. - Download the generated binaries from the GitHub Release page.
Verify a release
Verify the checksum signature with Cosign:
cosign verify-blob \
--bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
epusdt_v1.0.0_checksums.txt
Verify the GitHub build provenance attestation:
gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt
Local validation
Install cosign and syft, then run a snapshot build locally before pushing a tag:
cd src
go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean
The resulting artifacts will be generated under src/dist/.