
ci: add tag-driven release workflow #5

Open
fheikens wants to merge 1 commit into main from ci/release-workflow

Conversation

@fheikens
Contributor

Summary

Adds a complete release workflow (.github/workflows/release.yml) triggered on v* tag pushes. Implements all six gates from the Elevarq release protocol.

Release pipeline

v* tag push
  → validate (CHANGELOG check)
  → test (Go tests, boundary tests)
  → lint (hadolint)
  → security-scan (Trivy fs + config + image, gitleaks)
  → publish (GHCR push, cosign sign, SBOM)
  → build-binaries (cross-compile linux/darwin x amd64/arm64)
  → release (GitHub Release with binaries, checksums, SBOM)

Gates enforced

| Gate | Tool | Blocks release? |
|------|------|-----------------|
| A. Correctness | Go tests, boundary tests | Yes |
| B. Lint | hadolint | Yes |
| C. Security | Trivy (CRITICAL/HIGH), gitleaks | Yes |
| D. Supply chain | Pinned actions, version injection, GHCR | Yes |
| E. Artifact | cosign signing, SBOM, cross-compiled binaries | Yes |
| F. Hygiene | CHANGELOG validation, release notes | Yes |

Release artifacts

  • Container image: ghcr.io/elevarq/arq-signals:<version>
  • Go binaries: arq-signals + arqctl for linux/darwin x amd64/arm64
  • SHA256 checksums
  • SBOM (SPDX JSON)
  • Cosign signature (keyless, GitHub OIDC)

How to release

# 1. Update CHANGELOG.md, CITATION.cff
# 2. Commit and push to main
# 3. Tag and push
git tag -a v0.3.0 -m "Release v0.3.0"
git push origin v0.3.0

🤖 Generated with Claude Code

Adds .github/workflows/release.yml triggered on v* tag pushes.

Release gates enforced:
  A. Correctness — Go tests, boundary tests, CHANGELOG validation
  B. Lint — hadolint (Dockerfile)
  C. Security — Trivy (fs + config + image), gitleaks; CRITICAL/HIGH
     findings block the release
  D. Supply chain — pinned actions, GHCR push, version injection via
     build-args (VERSION, COMMIT, DATE)
  E. Artifact — cosign keyless signing (GitHub OIDC), SBOM (SPDX JSON),
     cross-compiled Go binaries (linux/darwin x amd64/arm64) with
     SHA256 checksums
  F. Release hygiene — changelog extraction, GitHub Release with
     binaries, SBOM, and cosign verification instructions

Image published to ghcr.io/elevarq/arq-signals with semver tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
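The PR description and commit message above describe a CHANGELOG gate that blocks a `v*` tag without a matching changelog entry, changelog extraction for the release notes, and SHA256 checksums over the cross-compiled binaries. The script below is an added example of those three steps in POSIX shell; it is not the PR's `release.yml` or any code from the arq-signals project. It assumes release tags are `vX.Y.Z` and that `CHANGELOG.md` uses Keep-a-Changelog style `## [X.Y.Z] - date` headings; the sample changelog and the "binaries" it checksums are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PR or the arq-signals project.
# Assumed conventions: release tags look like vX.Y.Z and CHANGELOG.md uses
# Keep-a-Changelog headings of the form "## [X.Y.Z] - YYYY-MM-DD".

# tag_to_version TAG: print "X.Y.Z" for a "vX.Y.Z" tag, fail for anything else
tag_to_version() {
  case "$1" in
    v[0-9]*) printf '%s\n' "${1#v}" ;;
    *)       return 1 ;;
  esac
}

# changelog_version_present FILE VERSION: succeed only if a "## [VERSION]"
# heading exists (plain string comparison, so dots in the version are literal)
changelog_version_present() {
  awk -v ver="$2" '
    BEGIN { hdr = "## [" ver "]"; missing = 1 }
    substr($0, 1, length(hdr)) == hdr { missing = 0 }
    END { exit missing }
  ' "$1"
}

# extract_release_notes FILE VERSION: print the body of that version's section,
# i.e. everything up to the next "## [" heading (used as GitHub Release notes)
extract_release_notes() {
  awk -v ver="$2" '
    BEGIN { hdr = "## [" ver "]"; inside = 0 }
    /^## \[/ { inside = (substr($0, 1, length(hdr)) == hdr); next }
    inside { print }
  ' "$1"
}

# validate_release TAG FILE: the gate itself; a non-zero exit blocks the release
validate_release() {
  ver=$(tag_to_version "$1") \
    || { echo "refusing: '$1' is not a vX.Y.Z tag" >&2; return 1; }
  changelog_version_present "$2" "$ver" \
    || { echo "refusing: CHANGELOG.md has no '## [$ver]' entry" >&2; return 1; }
}

# write_checksums DIR: produce DIR/checksums.txt over the release binaries
# (assumed file naming: arq-signals-<os>-<arch>, arqctl-<os>-<arch>)
write_checksums() {
  ( cd "$1" && sha256sum arq-signals-* arqctl-* > checksums.txt )
}

# verify_checksums DIR: what a consumer runs after downloading a release;
# any modified or missing file makes sha256sum -c exit non-zero
verify_checksums() {
  ( cd "$1" && sha256sum -c checksums.txt > /dev/null )
}

# --- demo on constructed data (not real release artifacts) ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/CHANGELOG.md" <<'EOF'
# Changelog

## [Unreleased]

## [0.3.0] - 2025-01-15
### Added
- tag-driven release workflow

## [0.2.0] - 2024-12-01
### Changed
- initial public release
EOF
printf 'fake binary\n' > "$DEMO_DIR/arq-signals-linux-amd64"
printf 'fake binary\n' > "$DEMO_DIR/arqctl-linux-amd64"

if validate_release v0.3.0 "$DEMO_DIR/CHANGELOG.md"; then
  echo "changelog gate passed for v0.3.0; release notes:"
  extract_release_notes "$DEMO_DIR/CHANGELOG.md" 0.3.0
fi
validate_release v0.4.0 "$DEMO_DIR/CHANGELOG.md" \
  || echo "changelog gate blocked v0.4.0 (no entry)"
if command -v sha256sum > /dev/null 2>&1; then
  write_checksums "$DEMO_DIR" && verify_checksums "$DEMO_DIR" && echo "checksums verify"
fi
```

In a workflow, `validate_release "$GITHUB_REF_NAME" CHANGELOG.md` would be the body of the validate job, and `extract_release_notes` feeds the release step; the string-comparison heading match avoids treating the dots in `0.3.0` as regex wildcards, which would otherwise let `0x3x0` satisfy the gate.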