#!/usr/bin/env bash # build-release.sh — produce the ctask release artifact set under dist/. # # This is the single recipe shared between local validation and CI: the # Gitea Actions workflow invokes this same script. Running it locally # produces byte-identical artifacts (given the same Go toolchain version # and commit) so the build is locally verifiable before tagging. # # Usage: # bash scripts/build-release.sh # # is the release tag verbatim, e.g. "v0.6.1-rc.1". It is # injected into the binary via -ldflags -X main.version. The current # git HEAD is injected as main.commit. # # Artifacts produced: # dist/ctask-linux-amd64 # dist/ctask-windows-amd64.exe # dist/checksums-sha256.txt # dist/release-manifest.json set -euo pipefail VERSION="${1:?Usage: build-release.sh }" COMMIT="$(git rev-parse HEAD)" # Wipe dist/ to guarantee no stale artifacts from earlier builds leak # into the manifest or checksum file. rm -rf dist mkdir -p dist # CGO_ENABLED=0 forces a pure-Go static link so the Linux binary runs in # minimal containers (alpine, distroless, scratch). -s -w strip symbols # and DWARF for a smaller artifact. LDFLAGS="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT}" CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o dist/ctask-linux-amd64 ./ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "${LDFLAGS}" -o dist/ctask-windows-amd64.exe ./ cd dist # Deterministic ordering so a diff between local and CI checksums is # easy to read. sha256sum ctask-linux-amd64 ctask-windows-amd64.exe > checksums-sha256.txt LINUX_SHA=$(awk '/ctask-linux-amd64$/{print $1}' checksums-sha256.txt) WINDOWS_SHA=$(awk '/ctask-windows-amd64\.exe$/{print $1}' checksums-sha256.txt) cat > release-manifest.json <