Release and Distribution

Run the readiness checks before cutting a tag:

scripts/release/readiness.sh
scripts/release/preflight.sh
scripts/release/cut_release_tag.sh v0.1.0
git push origin v0.1.0

The preflight gate validates repository config, Rust checks, advisory policy, release build, package archives, SBOM, checksums, and asset verification. Checksum generation refuses empty artifact directories, so a release cannot publish an empty SHA256SUMS by accident. The individual validations keep related files aligned:

  • Deployment: systemd, Kubernetes/OpenShift, FreeBSD, NixOS, and deployment docs are aligned around private non-root service defaults.
  • Container: Dockerfile, Compose, GHCR workflow, smoke test, and docs are aligned around non-root runtime, gateway port, data directory, BuildKit cache use, and SBOM/provenance publishing.
  • Supply chain: security policy, dependency policy, advisory workflows, SBOM generation, release/container attestations, and verification docs are aligned.
  • Installer: Unix and Windows binary installers are aligned with supported release targets, checksum verification, docs, and CI smoke coverage.
  • Package metadata: drift for AUR, Scoop, Homebrew, nFPM, Nix, and local workspace dependency versions is checked in both the config gate and release preflight.
  • Release targets: the matrix, supported-platform docs, strict verifier, Scoop target, and Linux package target are aligned.
  • Release notes: CHANGELOG, release-plz, tag flow, GitHub release notes, release docs, and bump-version coverage are aligned.
  • GitHub setup: publishing secrets, variables, and workflow permissions are documented before package-manager workflows run.
  • Package-manager publish: AUR, Scoop, and Homebrew publishing is dry-run guarded, secret checked, no-op safe, and aligned with their manifests.

Cargo package file lists are also generated for the private workspace crates so missing includes and manifest drift are caught before tagging.
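The checksum behaviour described above, as an added illustration that is not the project's own scripts/release/*.sh: a generation step that refuses an empty artifact directory rather than writing an empty SHA256SUMS, paired with the verification step a consumer of the release would run. The function names, the artifact layout and the assumption that either GNU sha256sum or BSD shasum is installed are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's scripts/release/*.sh: a minimal checksum
# gate modelled on the preflight behaviour described above. Function names
# and the artifact layout are assumptions for illustration.
set -u

# digest FILE -> prints the hex SHA-256 of FILE (GNU sha256sum or BSD shasum,
# whichever is installed; one of them is assumed to be present).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# gen_checksums DIR OUT
# Writes "<sha256>  <name>" lines for every regular file in DIR to OUT.
# Refuses (returns 1, creates nothing) when DIR contains no artifacts, so an
# empty SHA256SUMS cannot be published by accident.
gen_checksums() {
  dir="$1"; out="$2"
  count=0
  for f in "$dir"/*; do
    [ -f "$f" ] && count=$((count + 1))
  done
  if [ "$count" -eq 0 ]; then
    echo "refusing to write $out: no artifacts in $dir" >&2
    return 1
  fi
  ( cd "$dir" && for f in *; do
      [ -f "$f" ] || continue
      printf '%s  %s\n' "$(digest "$f")" "$f"
    done ) > "$out"
}

# verify_checksums DIR SUMFILE
# Recomputes each digest listed in SUMFILE against DIR. Returns 1 if SUMFILE
# is empty or missing, a listed file is absent, or any digest differs.
verify_checksums() {
  dir="$1"; sums="$2"
  if [ ! -s "$sums" ]; then
    echo "empty or missing checksum file: $sums" >&2
    return 1
  fi
  status=0
  while read -r expected name; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; status=1; continue
    fi
    actual=$(digest "$dir/$name")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $name"
    else
      echo "FAILED   $name" >&2; status=1
    fi
  done < "$sums"
  return "$status"
}

# Usage on a release machine (paths are assumptions):
#   gen_checksums dist SHA256SUMS && verify_checksums dist SHA256SUMS
```

Generation deliberately counts artifacts before opening the output file, so a refusal leaves no file behind for a later publish step to upload; verification treats an empty checksum file as a failure for the same reason.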

Strict readiness is intended for final release machines. It requires that no nested Git metadata is present and that the local toolchain used by the distribution checks is installed: container runtime, pwsh, workflow linting, Markdown linting, mdBook, link checking, and just.

Release artifacts include:

  • platform archives from .github/workflows/release.yml
  • Linux packages generated through nFPM
  • SHA256SUMS
  • CycloneDX SBOM
  • GitHub release asset attestations
  • GHCR image provenance and SBOM attestations

The full release process is maintained in the release runbook.