fix(release): simplify to single-runner linux-only build (#135)

v0.3.0 release run (#25779202189) failed at the publish job with:

    error: git is in a dirty state
    │ Please check in your pipeline what can be changing the following files:
    │ ?? prebuilt/

Root cause: the workflow ran a build matrix (linux/amd64, linux/arm64,
darwin/arm64), uploaded each result as an actions artifact, then the
publish job downloaded them into `prebuilt/` — but goreleaser's
release subcommand refuses to run when the working tree has untracked
files. Worse: `goreleaser release --clean` rebuilds everything from
source ANYWAY, ignoring the downloaded artifacts, so the matrix was
wasted effort.

The original matrix was over-engineering for CGO. linux→linux
cross-compile to arm64 works cleanly with gcc-aarch64-linux-gnu (both
kuzudb and go-sqlite3 build).

Simpler design that actually ships v0.3.0:
- Single ubuntu-latest runner.
- Two `builds:` entries in .goreleaser.yml, one per arch, each with
  the right CC pinned for the cross-compile.
- darwin/arm64 deferred to a follow-up workflow that uses a macos
  runner and attaches binaries to the same draft Release.

Linux is the priority shape — most codeiq use is in CI / dev
containers / Linux servers. Darwin lands later without forcing v0.3.0
to wait.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

.github/workflows/release-go.yml

@@ -2,12 +2,16 @@ name: release-go
 
 # Tag-triggered release pipeline for the codeiq Go binary.
 #
-# Trigger: push a tag matching `v*.*.*` (e.g. `git tag v1.0.0 && git push --tags`).
-# Cross-OS build via per-runner matrix (CGO + native kuzudb/sqlite means
-# we can't cross-compile cleanly from a single host).
+# Trigger: push a tag matching `v*.*.*` (e.g. `git tag v0.3.0 && git push --tags`).
 #
-# Phase 5 of the Java→Go port. Replaces release-java.yml (kept around
-# until Phase 6 cutover for any emergency Java release).
+# v0.3.0 scope: linux/amd64 + linux/arm64 only. Single ubuntu-latest
+# runner builds both via the linux→linux cross-compile with
+# gcc-aarch64-linux-gnu (CGO permits this cross — both kuzu and
+# go-sqlite3 build cleanly).
+#
+# darwin/arm64 deferred — needs a macos runner and separate matrix.
+# Follow-up: add a `release-darwin.yml` that attaches darwin binaries
+# to the same draft Release.
 
 on:
   push:
@@ -16,7 +20,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: 'Tag to release (e.g. v1.0.0). Must already exist.'
+        description: 'Tag to release (e.g. v0.3.0). Must already exist.'
         required: true
 
 permissions:
@@ -26,63 +30,8 @@ permissions:
   attestations: write
 
 jobs:
-  # Per-target release. Runs the same .goreleaser.yml on each runner;
-  # archives are merged in the publish job below.
-  build:
-    name: build (${{ matrix.os }} / ${{ matrix.goarch }})
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: linux
-            goarch: amd64
-            runner: ubuntu-latest
-          - os: linux
-            goarch: arm64
-            runner: ubuntu-24.04-arm
-          - os: darwin
-            goarch: arm64
-            runner: macos-14
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version: '1.25.10'
-          cache: true
-          cache-dependency-path: go/go.sum
-      - name: Install build deps (linux)
-        if: runner.os == 'Linux'
-        run: sudo apt-get update -y && sudo apt-get install -y build-essential
-      - name: Install Syft (SBOM)
-        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
-      - name: Install Cosign (signing)
-        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
-      - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
-        with:
-          distribution: goreleaser
-          version: '~> v2'
-          # Single-target build per runner; combined publish runs in a
-          # separate job that consumes all three artifact bundles.
-          args: build --single-target --clean --snapshot
-        env:
-          GOOS: ${{ matrix.os }}
-          GOARCH: ${{ matrix.goarch }}
-      - name: Upload binary artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: codeiq-${{ matrix.os }}-${{ matrix.goarch }}
-          path: dist/codeiq_*/codeiq*
-          retention-days: 1
-
-  # Combined publish: pulls the three binaries built above, packages
-  # them with SBOMs, signs the checksum manifest via Sigstore keyless,
-  # and uploads the GitHub Release. Runs on linux only.
   release:
-    name: publish release
-    needs: build
+    name: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -94,24 +43,17 @@ jobs:
           cache: true
           cache-dependency-path: go/go.sum
       - name: Install build deps
-        run: sudo apt-get update -y && sudo apt-get install -y build-essential
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y build-essential gcc-aarch64-linux-gnu
       - name: Install Syft (SBOM)
         uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
       - name: Install Cosign (signing)
         uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
-      - name: Download pre-built binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          pattern: codeiq-*
-          path: prebuilt
       - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
         with:
           distribution: goreleaser
           version: '~> v2'
-          # Full release: archives + SBOMs + cosign sigs + GitHub Release
-          # draft + (optional) Homebrew tap. The owning org sets
-          # HOMEBREW_TAP_GITHUB_TOKEN to publish to homebrew-codeiq;
-          # forks leave it unset and the brew step skips silently.
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -24,12 +24,33 @@ before:
     - sh -c "cd go && go test ./... -count=1"
 
 builds:
-  - id: codeiq
+  # linux/amd64 — native build on the ubuntu-latest runner.
+  - id: codeiq-linux-amd64
+    main: ./cmd/codeiq
+    dir: go
+    binary: codeiq
+    env:
+      - CGO_ENABLED=1
+      - CC=gcc
+    flags:
+      - -trimpath
+    ldflags:
+      - -s -w
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Version={{.Version}}'
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Commit={{.ShortCommit}}'
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Date={{.Date}}'
+      - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Dirty={{.IsGitDirty}}'
+    goos: [linux]
+    goarch: [amd64]
+  # linux/arm64 — cross-compile from the ubuntu-latest runner using
+  # gcc-aarch64-linux-gnu installed in the release workflow.
+  - id: codeiq-linux-arm64
     main: ./cmd/codeiq
     dir: go
     binary: codeiq
     env:
       - CGO_ENABLED=1
+      - CC=aarch64-linux-gnu-gcc
     flags:
       - -trimpath
     ldflags:
@@ -38,20 +59,10 @@ builds:
       - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Commit={{.ShortCommit}}'
       - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Date={{.Date}}'
       - -X 'github.com/randomcodespace/codeiq/go/internal/buildinfo.Dirty={{.IsGitDirty}}'
-    # CGO + kuzudb makes cross-arch fragile from a single host; the
-    # release workflow runs this config once per (OS, arch) runner.
-    goos:
-      - linux
-      - darwin
-    goarch:
-      - amd64
-      - arm64
-    ignore:
-      # darwin/amd64 needs a darwin runner — skip when this config is
-      # consumed on a linux runner. The release workflow re-runs the
-      # darwin builds on macOS runners.
-      - goos: darwin
-        goarch: amd64
+    goos: [linux]
+    goarch: [arm64]
+  # darwin/arm64 deferred — needs a macos runner. Follow-up:
+  # release-darwin.yml attaches macOS binaries to the same draft Release.
 
 archives:
   - id: codeiq