Files
epusdt/RELEASING.md
T

1.6 KiB

Releasing

This repository publishes versioned binaries to GitHub Releases when a tag is pushed.

What gets published

For each tag like v1.2.3, GitHub Actions builds release archives for:

  • linux/amd64
  • linux/arm64
  • darwin/amd64
  • darwin/arm64
  • windows/amd64
  • windows/arm64

Each archive includes:

  • the epusdt binary
  • src/.env.example
  • src/static/

Windows artifacts are published as .zip. Other platforms are published as .tar.gz.

Each release also publishes:

  • a checksum file
  • a Sigstore keyless signature bundle for the checksum file
  • archive SBOM documents generated by Syft
  • a GitHub build provenance attestation for the checksum file

How to cut a release

  1. Make sure the release commit has already landed on the default branch.
  2. Create an annotated tag:
git tag -a v1.0.0 -m "release v1.0.0"
  1. Push the tag:
git push origin v1.0.0
  1. Wait for the release workflow to finish on GitHub.
  2. Download the generated binaries from the GitHub Release page.

Verify a release

Verify the checksum signature with Cosign:

cosign verify-blob \
  --bundle epusdt_v1.0.0_checksums.txt.sigstore.json \
  epusdt_v1.0.0_checksums.txt

Verify the GitHub build provenance attestation:

gh attestation verify epusdt_v1.0.0_checksums.txt -R GMwalletApp/epusdt

Local validation

Install cosign and syft, then run a snapshot build locally before pushing a tag:

cd src
go run github.com/goreleaser/goreleaser/v2@latest release --snapshot --clean

The resulting artifacts will be generated under src/dist/.