chore(release): publish binary-only release artifacts #220

New issue

Closed

opened 2026-05-16 13:53:04 -07:00 by jwilger · 0 comments

jwilger commented 2026-05-16 13:53:04 -07:00

Owner

Copy link

Goal

Simplify release automation so official releases publish the Linux auto-review binary artifact and provenance files only, with no Docker image promotion.

Implements the binary-only release artifact portion of ADR-0018.

Scope

• Update .forgejo/workflows/release-prepare.yml to remove release-candidate Docker image wording.
• Update .forgejo/workflows/release-publish.yml to remove:
  • release-candidate image digest lookup
  • image promotion to version/latest tags
  • Docker image release-note lines
  • image-only trusted tool setup
• Keep binary artifact publication:
  • auto-review-$VERSION-linux-x86_64.tar.gz
  • SHA256SUMS
  • SHA256SUMS.sig
  • signing public key
  • allowed-signers
  • SBOM
  • provenance
• Keep token-bearing publish guardrails, but simplify them around binary publication only.
• Build the release artifact through the Nix production packaging path so embedded OCI rootfs/runtime support is included.
• Update release, quickstart, deployment, operations, and threat-model docs affected by the final release shape.

Acceptance Criteria

• Release PRs describe binary release candidates only.
• Final release publication creates Forgejo Release assets for the binary archive and verification/provenance files.
• Final release publication does not inspect, copy, tag, or mention Docker images.
• Release artifacts still include the embedded OCI runtime/rootfs support required by auto-review gateway.
• Docs and threat model match the binary-only release workflow.

Verification

• Focused release artifact build succeeds.
• nix build .#packages.x86_64-linux.ar-cli-portable-release-root or equivalent succeeds.
• just ci

Dependencies

Blocked by #218 and #219.

## Goal Simplify release automation so official releases publish the Linux `auto-review` binary artifact and provenance files only, with no Docker image promotion. Implements the binary-only release artifact portion of ADR-0018. ## Scope - Update `.forgejo/workflows/release-prepare.yml` to remove release-candidate Docker image wording. - Update `.forgejo/workflows/release-publish.yml` to remove: - release-candidate image digest lookup - image promotion to version/latest tags - Docker image release-note lines - image-only trusted tool setup - Keep binary artifact publication: - `auto-review-$VERSION-linux-x86_64.tar.gz` - `SHA256SUMS` - `SHA256SUMS.sig` - signing public key - `allowed-signers` - SBOM - provenance - Keep token-bearing publish guardrails, but simplify them around binary publication only. - Build the release artifact through the Nix production packaging path so embedded OCI rootfs/runtime support is included. - Update release, quickstart, deployment, operations, and threat-model docs affected by the final release shape. ## Acceptance Criteria - Release PRs describe binary release candidates only. - Final release publication creates Forgejo Release assets for the binary archive and verification/provenance files. - Final release publication does not inspect, copy, tag, or mention Docker images. - Release artifacts still include the embedded OCI runtime/rootfs support required by `auto-review gateway`. - Docs and threat model match the binary-only release workflow. ## Verification - Focused release artifact build succeeds. - `nix build .#packages.x86_64-linux.ar-cli-portable-release-root` or equivalent succeeds. - `just ci` ## Dependencies Blocked by #218 and #219.

jwilger added the

enhancement

label 2026-05-16 13:53:16 -07:00

jwilger added this to the 1.0 milestone 2026-05-16 13:54:04 -07:00

jwilger added a new dependency 2026-05-16 13:54:42 -07:00

#218 chore(ci): run PR checks as parallel just-based Forgejo jobs

jwilger added a new dependency 2026-05-16 13:54:42 -07:00

#219 refactor(release): remove official Docker image build outputs

jwilger referenced this issue from a pull request that will close it, 2026-05-18 10:00:11 -07:00

fix(release): enforce binary-only release artifacts #246

jwilger closed this issue 2026-05-18 10:09:59 -07:00

jwilger referenced this issue from a commit 2026-05-18 10:10:00 -07:00

fix(release): enforce binary-only release artifacts (#246)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

issue-287-release-metadata-and-nl-corrections

issue-277-pr-metadata-controls

release/v0.15.0

issue-28-cost-per-review

release/v0.14.2

config-issue-command

issue-248-opencode-plugin-tests

fix-agent-variant-effort

issue-220-binary-only-release-artifacts

fix/release-prepare-json-isolation

fix/release-prepare-skip-checks

issue-219-remove-official-docker-image

issue-226-rgr-cycle-guard

issue-217-retain-nix-boundary

bdd-tdd-guardrails

opencode-migration

add-some-tools

chore/pi-safe-branch-switch

fix/issue-207-spawnsync-guardrails

docs-threat-model-formatting

issue-149-oci-env-errors

pi-safe-tools-review

process-pilens-deferred-format-guardrail

issue-150-threat-model-release-scope

fix-release-publish-install-tools

pi-migration

update-release-image-promotion

issue-15-pr-metadata-check

release/v0.8.4

issue-134-docs-test-guidance

issue-176-pr-discussion-history

fix-release-publish-release-upload

fix-linux-artifact-build

issue-121-linux-binary-provenance

issue-135-nixos-deployment

issue-120-single-binary-docs-tests

issue-122-runtime-isolation-posture

issue-119-unified-docker-binary

issue-117-oci-gateway-launcher

issue-118-embedded-oci-rootfs

issue-117-embedded-youki-oci-launcher

issue-116-unified-auto-review-cli

release/v0.2.1

issue-115-single-binary-exploration

release-pr-supersede-hybrid-bump

fix-release-prep-run-on-release-fixes

fix-release-prep-package-verify

issue-14-incremental-walkthrough

fix-release-publish-dispatch-input-type

fix-release-publish-rerun

fix-release-publish-detached-head

release-plz-2026-05-05T18-58-15Z

fix-release-plz-push-auth

fix-release-plz-git-identity

fix-release-plz-repo-url

semantic-release-bump

fix-release-changelog-duplication

fix-release-workflow-loop

release-generated-changelog

fix-release-prepare-stages-lockfile

fix-release-prepare-lockfile

fix-release-tests-after-prepare

fix-release-prep-explicit-token

fix-release-prep-token-fallback

fix-release-prep-token-env

fix-release-prep-auth

fix-release-prepare-trigger

issue-66-release-pr-workflow

issue-43-ci-review-action

issue-43-forgejo-ci-review-action

issue-46-sandbox-rescope

issue-51-ci-linter-advisories

repo-maintenance

issue-45-remove-bundled-linters

issue-10-mandatory-sandbox

v1.3.0

v1.0.2

v1.0.1

v1.0.0

v0.14.1

v0.14.0

v0.8.0

0.8.0-rc.329

0.8.0-rc.325

0.7.0-rc.318

0.6.0-rc.305

0.5.0-rc.299

0.4.0-rc.293

0.4.0-rc.289

0.3.0-rc.279

0.3.0-rc.273

0.3.0-rc.269

0.3.0-rc.263

0.3.0-rc.259

0.3.0-rc.255

0.3.0-rc.251

0.3.0-rc.247

0.3.0-rc.242

0.2.1-rc.238

v0.2.0

0.2.0-rc.232

v0.1.3

Labels

Clear labels   

bug

  

discussion

  

enhancement

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

bug

discussion

enhancement

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No milestone

1.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Depends on

#218 chore(ci): run PR checks as parallel just-based Forgejo jobs

Slipstream/auto_review

#219 refactor(release): remove official Docker image build outputs

Slipstream/auto_review

Reference

Slipstream/auto_review#220

No description provided.