- Add scripts/build-release.sh: cross-compile linux+windows amd64 with ldflags injecting main.version and main.commit, write checksums-sha256.txt and release-manifest.json (full commit SHA). - Add scripts/release-check.sh: local mirror of CI (test, vet, build, --version substring check); falls back to Windows artifact when run on a Windows host where the Linux binary can't exec. - Wire main.version / main.commit -> cmd.SetVersionInfo. Default to "dev" / "" so local builds without ldflags still produce a sensible string. Output format: single line 'ctask <version> (<short-sha>)' or 'ctask <version>' / 'ctask dev'. - Add .gitea/workflows/release.yml: triggered on v* tags, runs-on ctask-release (golang:1.26-bookworm). Tag parsed from gitea.ref (not gitea.ref_name). Pure shell + Gitea API; no actions/checkout, no setup-go, no third-party release action. Installs jq at job start. RC tags are deletable+recreatable; final tags are immutable. Verify step downloads published assets, sha256sum -c's, and runs --version. - notes.md: log Phase 0/2/3 + version-injection completion.
This commit is contained in:
@@ -0,0 +1,73 @@
|
||||
#!/usr/bin/env bash
|
||||
# build-release.sh — produce the ctask release artifact set under dist/.
|
||||
#
|
||||
# This is the single recipe shared between local validation and CI: the
|
||||
# Gitea Actions workflow invokes this same script. Running it locally
|
||||
# produces byte-identical artifacts (given the same Go toolchain version
|
||||
# and commit) so the build is locally verifiable before tagging.
|
||||
#
|
||||
# Usage:
|
||||
# bash scripts/build-release.sh <version>
|
||||
#
|
||||
# <version> is the release tag verbatim, e.g. "v0.6.1-rc.1". It is
|
||||
# injected into the binary via -ldflags -X main.version. The current
|
||||
# git HEAD is injected as main.commit.
|
||||
#
|
||||
# Artifacts produced:
|
||||
# dist/ctask-linux-amd64
|
||||
# dist/ctask-windows-amd64.exe
|
||||
# dist/checksums-sha256.txt
|
||||
# dist/release-manifest.json
|
||||
set -euo pipefail
|
||||
|
||||
VERSION="${1:?Usage: build-release.sh <version>}"
|
||||
COMMIT="$(git rev-parse HEAD)"
|
||||
|
||||
# Wipe dist/ to guarantee no stale artifacts from earlier builds leak
|
||||
# into the manifest or checksum file.
|
||||
rm -rf dist
|
||||
mkdir -p dist
|
||||
|
||||
# CGO_ENABLED=0 forces a pure-Go static link so the Linux binary runs in
|
||||
# minimal containers (alpine, distroless, scratch). -s -w strip symbols
|
||||
# and DWARF for a smaller artifact.
|
||||
LDFLAGS="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT}"
|
||||
|
||||
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o dist/ctask-linux-amd64 ./
|
||||
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o dist/ctask-windows-amd64.exe ./
|
||||
|
||||
cd dist
|
||||
# Deterministic ordering so a diff between local and CI checksums is
|
||||
# easy to read.
|
||||
sha256sum ctask-linux-amd64 ctask-windows-amd64.exe > checksums-sha256.txt
|
||||
|
||||
LINUX_SHA=$(awk '/ctask-linux-amd64$/{print $1}' checksums-sha256.txt)
|
||||
WINDOWS_SHA=$(awk '/ctask-windows-amd64\.exe$/{print $1}' checksums-sha256.txt)
|
||||
|
||||
cat > release-manifest.json <<MANIFEST
|
||||
{
|
||||
"project": "ctask",
|
||||
"version": "${VERSION}",
|
||||
"commit": "${COMMIT}",
|
||||
"artifacts": [
|
||||
{
|
||||
"name": "ctask-linux-amd64",
|
||||
"os": "linux",
|
||||
"arch": "amd64",
|
||||
"sha256": "${LINUX_SHA}"
|
||||
},
|
||||
{
|
||||
"name": "ctask-windows-amd64.exe",
|
||||
"os": "windows",
|
||||
"arch": "amd64",
|
||||
"sha256": "${WINDOWS_SHA}"
|
||||
}
|
||||
]
|
||||
}
|
||||
MANIFEST
|
||||
|
||||
echo "Build complete:"
|
||||
cat checksums-sha256.txt
|
||||
echo ""
|
||||
cat release-manifest.json
|
||||
echo ""
|
||||
@@ -0,0 +1,49 @@
|
||||
#!/usr/bin/env bash
|
||||
# release-check.sh — local mirror of the CI release pipeline.
|
||||
#
|
||||
# Runs the same gates the Gitea Actions workflow runs (tests, vet, build)
|
||||
# so a release is locally validated before any tag is pushed. The final
|
||||
# step prints the binary's --version so the operator can confirm the
|
||||
# build-time-injected version string matches the tag.
|
||||
#
|
||||
# Usage:
|
||||
# bash scripts/release-check.sh <version>
|
||||
#
|
||||
# Example:
|
||||
# bash scripts/release-check.sh v0.6.1-rc.1
|
||||
set -euo pipefail
|
||||
|
||||
VERSION="${1:?Usage: release-check.sh <version>}"
|
||||
|
||||
echo "=== Running tests ==="
|
||||
go test ./...
|
||||
|
||||
echo ""
|
||||
echo "=== Running go vet ==="
|
||||
go vet ./...
|
||||
|
||||
echo ""
|
||||
echo "=== Building release artifacts ==="
|
||||
bash "$(dirname "$0")/build-release.sh" "${VERSION}"
|
||||
|
||||
echo ""
|
||||
echo "=== Verifying version output ==="
|
||||
REPORTED="$(./dist/ctask-linux-amd64 --version 2>/dev/null || true)"
|
||||
if [ -z "${REPORTED}" ]; then
|
||||
# Linux binary won't run natively on Windows — fall back to the
|
||||
# Windows artifact so this script remains useful on the workstation.
|
||||
REPORTED="$(./dist/ctask-windows-amd64.exe --version)"
|
||||
echo "Binary reports (windows-amd64): ${REPORTED}"
|
||||
else
|
||||
echo "Binary reports (linux-amd64): ${REPORTED}"
|
||||
fi
|
||||
|
||||
# Soft-assert the version is present in the reported string. The CI
|
||||
# workflow's Verify-download step performs the same check.
|
||||
if ! echo "${REPORTED}" | grep -qF "${VERSION}"; then
|
||||
echo "ERROR: --version output does not contain ${VERSION}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "release-check OK for ${VERSION}"
|
||||
Reference in New Issue
Block a user