refactor(ci): split release pipeline, add packaging and scanning #45

Merged
lerko merged 3 commits from refactor/split-release-workflows into main 2026-06-02 13:24:38 +00:00

Summary

  • Split monolithic release.yml into release-binaries.yml (tag-triggered) and release-docker.yml (tag + manual dispatch)
  • Add DEB/RPM packaging via GoReleaser nfpm — uploaded as Gitea release assets
  • Add Homebrew cask config (skip_upload until macOS builds exist)
  • Replace GoReleaser built-in changelog with git-cliff for structured release notes
  • Add sha-<commit> tags on Docker images for traceability
  • Add Grype CVE scanning after Docker image push (fails on critical)
  • Pin Dockerfile base images by digest for supply chain hardening
  • Clean up .gitignore, add /dist

Deferred

  • Homebrew tap push (needs macOS builds + tap repo creation)
  • Cosign binary/image signing (separate PR)
  • Binary SBOMs via Syft (separate PR)

Test plan

  • [x] goreleaser check passes clean
  • [x] goreleaser release --snapshot --clean generates .tar.gz, .deb, .rpm, and Cask formula
  • [x] dpkg-deb -I confirms correct DEB metadata
  • [x] git-cliff --current --strip header produces properly formatted release notes
  • [ ] Tag a test release to verify full pipeline end-to-end
lerko added 3 commits 2026-06-02 01:42:55 +00:00
Split monolithic release.yml into independent workflows:
- release-binaries.yml: tag-triggered, GoReleaser + git-cliff notes
- release-docker.yml: tag-triggered + manual dispatch, SHA tags

Add DEB/RPM packaging via nfpm in GoReleaser. Add Homebrew cask
config (skip_upload until macOS builds exist). Replace GoReleaser
built-in changelog with git-cliff for structured release notes.

Scans published image for Alpine and dependency CVEs.
Fails on critical severity, reports all others in table output.

build(docker): pin base images by digest 9b5cc37ad4
Prevents silently pulling a compromised or broken upstream image.
Digests must be updated manually when bumping Alpine/Go versions.

CI / test (pull_request) Successful in 2m20s
CI / lint (pull_request) Successful in 41s
CI / vulncheck (pull_request) Successful in 41s
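A CI check of the kind the digest-pinning commit motivates, added here as an example and not code from this PR or the uptop project: it scans a Dockerfile for FROM lines that pull from a registry without a sha256 digest, so a job can fail before an unpinned (and therefore silently re-pointable) base image is built. The sample Dockerfile and the digest value are constructed placeholders.

```python
import re

# Matches one Dockerfile FROM instruction:
#   FROM [--platform=<p>] <image>[:<tag>][@sha256:<digest>] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
# A pinned reference ends in a full 64-hex-digit sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line number, image reference) for each FROM that pulls from a
    registry without a digest. References to earlier build stages and to the
    empty 'scratch' image are exempt because nothing is pulled for them.
    A tag alone (':1.22-alpine') is not a pin: upstream can re-point it at
    any time, which is exactly what the digest prevents."""
    stages: set[str] = set()
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if (ref.lower() != "scratch" and ref.lower() not in stages
                and not DIGEST_RE.search(ref)):
            findings.append((lineno, ref))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings


# Constructed sample, not the project's Dockerfile. The digest is a
# placeholder of the right shape, not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "a" * 64
SAMPLE_DOCKERFILE = f"""\
FROM golang:1.22-alpine AS builder
WORKDIR /src
RUN go build -o /out/app ./cmd/app

FROM alpine:3.20@{PLACEHOLDER_DIGEST}
COPY --from=builder /out/app /usr/local/bin/app
"""


def main() -> int:
    # Non-zero exit so a CI job fails when any base image is unpinned.
    findings = unpinned_base_images(SAMPLE_DOCKERFILE)
    for lineno, ref in findings:
        print(f"Dockerfile:{lineno}: base image not pinned by digest: {ref}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```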
lerko merged commit aaee3f7ebf into main 2026-06-02 13:24:38 +00:00
lerko deleted branch refactor/split-release-workflows 2026-06-02 13:24:38 +00:00
Reference: lerkolabs/uptop#45