Automated pipeline for monitoring, building, and releasing packages.

Runs daily at 00:00 UTC via `.github/workflows/monitor-releases.yml`:

- Parse recipe YAML files from `recipes/`
- Fetch the latest version from the source (`github_release`, `github_tag`, `rss`, `url`)
- Compare with the current release
- Trigger builds for new versions

Rate limiting: exponential backoff (1s → 32s), auto-retry on errors.
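One monitor pass in code, as an added example that is not the project's own code: it takes a recipe in the shape this page's recipe format uses (already parsed from YAML; the `RECIPE` dict is constructed), asks a source fetcher for the latest tag with retries backing off 1s, 2s, 4s ... capped at 32s, compares versions numerically rather than as strings, and renders the per-platform download URLs for the builds to trigger. `TransientError`, `retry_with_backoff`, `plan_builds` and the simulated `flaky_fetcher` are hypothetical names; the sleep function is injectable so the backoff schedule can be checked without waiting.

```python
"""Monitor step with rate-limit backoff.

Added illustration, not the project's own code. RECIPE is a constructed
recipe in the parsed form a YAML loader returns; the fetcher is simulated
so the example runs offline.
"""
import re
import time

# Constructed recipe (the parsed form of a recipes/<name>.yml file).
RECIPE = {
    "name": "example",
    "version_source": {"type": "github_release", "repository": "owner/repo"},
    "download_url": "https://example.com/{version}/app-{version}{suffix}",
    "platforms": {
        "darwin-x86_64": {"suffix": "-darwin-x86_64.tar.gz", "binary_path": "bin/app"},
        "darwin-arm64": {"suffix": "-darwin-arm64.tar.gz", "binary_path": "bin/app"},
        "linux-amd64": {"suffix": "-linux-amd64.tar.gz", "binary_path": "bin/app"},
        "linux-arm64": {"suffix": "-linux-arm64.tar.gz", "binary_path": "bin/app"},
    },
}


class TransientError(Exception):
    """Hypothetical error a source fetcher raises on rate limits or network errors."""


def retry_with_backoff(fn, attempts=7, base=1.0, cap=32.0, sleep=time.sleep):
    """Call fn(); on TransientError sleep 1s, 2s, 4s, ... capped at 32s, then retry.

    Returns (result, delays_slept). Re-raises after the final attempt fails.
    `sleep` is injectable so tests can record delays instead of waiting.
    """
    delays = []
    for attempt in range(attempts):
        try:
            return fn(), delays
        except TransientError:
            if attempt == attempts - 1:
                raise
            delay = min(base * (2 ** attempt), cap)
            delays.append(delay)
            sleep(delay)


def parse_version(tag):
    """'v1.2.10' -> (1, 2, 10). Anything that is not x.y.z is rejected, not guessed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_newer(latest, current):
    """Numeric comparison, so '1.10.0' beats '1.9.0' (a string compare would not)."""
    return parse_version(latest) > parse_version(current)


def download_urls(recipe, version):
    """Render the recipe's download_url template for every declared platform."""
    return {
        plat: recipe["download_url"].format(version=version, suffix=cfg["suffix"])
        for plat, cfg in recipe["platforms"].items()
    }


def plan_builds(recipe, current_version, fetch_latest, sleep=time.sleep):
    """One monitor pass: fetch the latest tag (with backoff), compare, plan builds.

    Returns None when the current release is already up to date, otherwise a
    dict describing the builds to trigger.
    """
    latest, delays = retry_with_backoff(
        lambda: fetch_latest(recipe["version_source"]), sleep=sleep
    )
    if not is_newer(latest, current_version):
        return None
    return {
        "name": recipe["name"],
        "version": latest,
        "urls": download_urls(recipe, latest),
        "retries": len(delays),
    }


def flaky_fetcher(failures, tag):
    """Simulated source fetcher: fails `failures` times, then returns `tag`."""
    state = {"left": failures}

    def _fetch(source=None):
        if state["left"] > 0:
            state["left"] -= 1
            raise TransientError("rate limited")
        return tag

    return _fetch


if __name__ == "__main__":
    slept = []
    plan = plan_builds(RECIPE, "1.2.9", flaky_fetcher(3, "1.3.0"), sleep=slept.append)
    print("delays slept:", slept)
    print("build plan:", plan)
```

Rejecting unparseable tags instead of treating them as "newer" matters here: a source that starts returning junk (or a renamed tag scheme) should stop the monitor with an error, not trigger a build of whatever string came back.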
Parallel builds across 4 platforms:

```text
darwin-x86_64   # macOS Intel
darwin-arm64    # macOS Apple Silicon
linux-amd64     # Linux x86_64
linux-arm64     # Linux ARM64
```

Steps: Download → Extract → Build → Package → Sign (macOS) → Upload
Integrated into build workflows:
- Scan binaries for CVEs (Trivy, Grype, OSV-Scanner)
- Generate SBOM (Syft)
- Fail on critical vulnerabilities
Runs after all builds complete:
- SHA256 checksum verification
- Binary integrity check
- Platform coverage validation
- Version consistency check
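The four validation checks above, run over a release directory laid out like the one this page publishes (`package-{version}-{platform}.tar.gz` plus `checksums.txt`). This is an added example, not the project's own validation code: the release directory, the tarballs and `checksums.txt` are constructed in a temporary directory, and `validate_release`, `write_checksums` and `build_sample_release` are hypothetical names. The binary integrity check here is that each archive opens as a gzipped tar and contains the recipe's `binary_path` member; an artifact present on disk but absent from `checksums.txt` is also reported, since nothing verifies it.

```python
"""Post-build validation: checksum verification, binary integrity, platform
coverage and version consistency over a release directory.

Added illustration, not the project's own code. All artifacts are constructed
in a temp dir so the example runs offline.
"""
import hashlib
import io
import re
import tarfile
import tempfile
from pathlib import Path

PLATFORMS = ["darwin-x86_64", "darwin-arm64", "linux-amd64", "linux-arm64"]
# package-1.2.3-darwin-x86_64.tar.gz -> name, version, platform
ARTIFACT_RE = re.compile(
    r"^(?P<name>[a-z0-9_-]+?)-(?P<version>\d+\.\d+\.\d+)-(?P<platform>[a-z0-9_-]+)\.tar\.gz$"
)


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(release_dir):
    """Emit checksums.txt in sha256sum format: '<hex>  <filename>' per line."""
    lines = [f"{sha256_of(p)}  {p.name}" for p in sorted(release_dir.glob("*.tar.gz"))]
    out = release_dir / "checksums.txt"
    out.write_text("\n".join(lines) + "\n")
    return out


def validate_release(release_dir, expected_version, binary_path="bin/app"):
    """Return a list of problems; an empty list means the release passes."""
    problems = []
    checksums = release_dir / "checksums.txt"
    if not checksums.exists():
        return ["checksums.txt missing"]
    # 1. every listed file must exist and hash to the listed digest
    listed = {}
    for line in checksums.read_text().splitlines():
        digest, _, fname = line.partition("  ")
        listed[fname] = digest
        target = release_dir / fname
        if not target.exists():
            problems.append(f"{fname}: listed in checksums.txt but missing")
        elif sha256_of(target) != digest:
            problems.append(f"{fname}: SHA256 mismatch")
    seen_platforms, versions = set(), set()
    for p in sorted(release_dir.glob("*.tar.gz")):
        # 2. every artifact on disk must be covered by checksums.txt
        if p.name not in listed:
            problems.append(f"{p.name}: not covered by checksums.txt")
        m = ARTIFACT_RE.match(p.name)
        if not m:
            problems.append(f"{p.name}: unexpected artifact name")
            continue
        versions.add(m["version"])
        seen_platforms.add(m["platform"])
        # 3. binary integrity: archive opens and carries the expected binary
        try:
            with tarfile.open(p, "r:gz") as tf:
                if binary_path not in tf.getnames():
                    problems.append(f"{p.name}: {binary_path} not in archive")
        except (tarfile.TarError, OSError):
            problems.append(f"{p.name}: not a valid tar.gz")
    # 4. platform coverage and version consistency
    for plat in PLATFORMS:
        if plat not in seen_platforms:
            problems.append(f"no artifact for platform {plat}")
    if versions != {expected_version}:
        problems.append(f"version mismatch: found {sorted(versions)}, expected {expected_version}")
    return problems


def make_artifact(release_dir, name, payload, member="bin/app"):
    """Constructed sample artifact: a tar.gz holding one file at `member`."""
    path = release_dir / name
    with tarfile.open(path, "w:gz") as tf:
        info = tarfile.TarInfo(member)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return path


def build_sample_release(version="1.2.3"):
    """Constructed release directory with all four platform artifacts and checksums."""
    d = Path(tempfile.mkdtemp())
    for plat in PLATFORMS:
        make_artifact(d, f"package-{version}-{plat}.tar.gz", f"binary for {plat}".encode())
    write_checksums(d)
    return d


if __name__ == "__main__":
    d = build_sample_release()
    print("clean release:", validate_release(d, "1.2.3") or "OK")
    (d / "package-1.2.3-linux-amd64.tar.gz").write_bytes(b"tampered")
    print("after tampering:", validate_release(d, "1.2.3"))
```

Returning every problem rather than stopping at the first one is deliberate: a failed validation run is read from logs, and a single report that names the tampered file, the missing platform and the stray version is far easier to act on than one error per re-run.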
Publishes after successful validation:

```text
package-{version}-darwin-x86_64.tar.gz
package-{version}-darwin-arm64.tar.gz
package-{version}-linux-amd64.tar.gz
package-{version}-linux-arm64.tar.gz
checksums.txt
sbom.json
```

Recipe format:

```yaml
name: example
version_source:
  type: github_release
  repository: owner/repo
download_url: "https://example.com/{version}/app-{version}{suffix}"
platforms:
  darwin-x86_64:
    suffix: "-darwin-x86_64.tar.gz"
    binary_path: "bin/app"
  # ... other platforms
```

See CONTRIBUTING.md for details.
- Parallel execution: monitor and build packages concurrently
- Caching: Go modules, Docker layers, recipe parsing
- Security: pinned dependencies, code signing, reproducible builds
- Error handling: auto-retry, exponential backoff, isolated failures
- Monitoring: build metrics, alerts, structured logs