Release Pipeline With Per-Database Variant Builds
Type: Topic
Status: Published
Created: Mar 4, 2026
Updated: May 4, 2026
Created by: Dosu Bot
Updated by: Dosu Bot

Release Pipeline With Per-Database Variant Builds#

Lead Section#

DBSurveyor's release pipeline is an automated, cross-platform build system that produces per-database variant builds for six target platforms from a single Ubuntu-based GitHub Actions runner. The pipeline leverages GoReleaser v2 with cargo-zigbuild to cross-compile Rust binaries for Linux, macOS, and Windows platforms without requiring platform-specific build infrastructure.

The release process generates seven distinct binaries: one postprocessor (dbsurveyor) and six collector variants (dbsurveyor-collect) built with specific database driver feature combinations. The collector variants include: all (all database drivers), postgresql, mysql, sqlite, mongodb, and mssql. Each variant includes compression and encryption support in addition to its database driver(s).

Distribution occurs through GitHub Releases with platform-specific archives (tar.gz for Unix, zip for Windows) named according to the pattern dbsurveyor_<variant>_<Os>_<Arch> and automated Homebrew tap publishing. The pipeline includes checksum generation, Cosign keyless signing, Syft SBOM generation, and native Linux package formats (deb/rpm/apk) for the all-features variant.

Architecture Overview#

Pipeline Components#

The release pipeline consists of the following primary components:

  1. Build Orchestration: GoReleaser v2 with native Rust builder support
  2. Cross-Compilation: cargo-zigbuild version 0.19.8 with Zig 0.13.0
  3. CI/CD Automation: GitHub Actions workflow triggered by semver tags
  4. Security: Cosign keyless signing and Syft SBOM generation

Build Strategy#

DBSurveyor implements a multi-variant build strategy to provide users with optimized binaries for their specific database requirements. GoReleaser produces seven distinct build IDs:

  1. Postprocessor (dbsurveyor): Single build with --all-features to support all output formats and encryption
  2. Collector Variants (dbsurveyor-collect): Six variants with targeted feature flags:
    • collect-all: --all-features (all database drivers)
    • collect-postgresql: --features=postgresql,compression,encryption
    • collect-mysql: --features=mysql,compression,encryption
    • collect-sqlite: --features=sqlite,compression,encryption
    • collect-mongodb: --features=mongodb,compression,encryption
    • collect-mssql: --features=mssql,compression,encryption

Database driver features map to:

  • PostgreSQL support (via sqlx/postgres)
  • MySQL support (via sqlx/mysql)
  • SQLite support (via sqlx/sqlite)
  • MongoDB support (via mongodb crate)
  • SQL Server support (via tiberius)

This strategy balances convenience (all-features variant) with optimization (single-database variants with smaller binary sizes).

Supported Platforms#

The pipeline targets six Rust platforms, covering the major operating systems and architectures:

| Platform | OS | Architecture | Archive Format |
| --- | --- | --- | --- |
| x86_64-unknown-linux-gnu | Linux (glibc) | x86_64 | tar.gz |
| aarch64-unknown-linux-gnu | Linux (glibc) | ARM64 | tar.gz |
| x86_64-unknown-linux-musl | Linux (musl) | x86_64 | tar.gz |
| x86_64-apple-darwin | macOS | Intel | tar.gz |
| aarch64-apple-darwin | macOS | Apple Silicon | tar.gz |
| x86_64-pc-windows-gnu | Windows | x86_64 | zip |

All platforms are cross-compiled from a single ubuntu-latest GitHub Actions runner using cargo-zigbuild, which provides a unified cross-compilation environment via the Zig toolchain.

The postprocessor and per-driver collector variants (postgresql, mysql, sqlite, mongodb) build for all six platforms. The collect-all and collect-mssql variants exclude x86_64-unknown-linux-musl (5 platforms each) because the mssql feature uses tiberius with native-tls, which links system OpenSSL and cannot statically link against musl. This produces 40 total binaries per release: 6 (postprocessor) + 24 (4 per-driver variants × 6 platforms) + 10 (2 mssql-containing variants × 5 platforms).

Release Process#

Triggering Releases#

Releases are initiated by pushing a semver tag matching the pattern v*.*.*:

git tag v0.1.0
git push origin v0.1.0

The tag triggers the GitHub Actions release workflow, which builds all variants and publishes the release automatically.

Build Phase#

The release workflow runs on ubuntu-latest and performs the following steps:

  1. Rust Toolchain Setup: Installs Rust 1.93.1
  2. Zig Toolchain: Installs Zig 0.13.0 for cross-compilation infrastructure
  3. cargo-zigbuild: Installs cargo-zigbuild 0.19.8, which wraps Zig as a Rust linker
  4. Cosign: Installs Cosign for keyless signing
  5. Syft: Installs Syft for SBOM generation
  6. GoReleaser Execution: Runs GoReleaser to build and package all artifacts

GoReleaser invokes cargo-zigbuild for each build ID and platform target, producing 40 binaries (1 postprocessor × 6 platforms + 4 per-driver variants × 6 platforms + 2 mssql-containing variants × 5 platforms).

Packaging Phase#

GoReleaser packages the binaries into platform-specific variant archives. Each variant archive contains:

Archive Contents:

  • dbsurveyor binary (postprocessor)
  • dbsurveyor-collect binary (variant-specific collector)
  • LICENSE file
  • README.md file

Archive Naming: Archives follow the pattern dbsurveyor_<variant>_<os>_<arch>.<ext>, for example:

  • dbsurveyor_all_Linux_x86_64.tar.gz
  • dbsurveyor_postgresql_Darwin_arm64.tar.gz
  • dbsurveyor_mysql_Windows_x86_64.zip

Each release produces 34 variant archives: 4 per-driver variants × 6 platforms + 2 mssql-containing variants × 5 platforms (excluding x86_64-unknown-linux-musl).

Distribution Phase#

The pipeline distributes artifacts through multiple channels:

  1. GitHub Releases: GoReleaser creates a GitHub Release and uploads all variant archives plus checksums, signatures, and SBOMs
  2. Homebrew Tap: A Homebrew cask for the all-features variant is published to the EvilBit-Labs/homebrew-tap repository
  3. Linux Packages: Debian (.deb), RPM (.rpm), and Alpine (.apk) packages for the all-features variant

The GitHub Release includes installation instructions in the release notes with platform-specific download and verification steps, plus a variant comparison table.

Artifact Verification#

Checksum Verification#

GoReleaser generates a checksums file (e.g., dbsurveyor_<VERSION>_checksums.txt) containing SHA-256 hashes for all archives. Users can verify downloads using:

sha256sum -c dbsurveyor_<VERSION>_checksums.txt

Signature Verification#

The checksum file is signed with Cosign using keyless OIDC signing via GitHub Actions. Users can verify the signature:

cosign verify-blob \
  --certificate-identity-regexp="https://github.com/EvilBit-Labs/dbsurveyor/.*" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate dbsurveyor_<VERSION>_checksums.txt.pem \
  --signature dbsurveyor_<VERSION>_checksums.txt.sig \
  dbsurveyor_<VERSION>_checksums.txt
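
The two verification steps above combined into one script, as an added example that is not part of the DBSurveyor documentation: it checks the Cosign signature on the checksums file before trusting any hash in it, then verifies a single downloaded archive and fails closed if that archive is not listed. The identity pattern assumes the signing job lives in .github/workflows/release.yml and runs on a semver tag; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not DBSurveyor's own script): verify one downloaded archive.

# Assumption: the signing job is .github/workflows/release.yml running on a
# semver tag. Anchored and escaped so no other workflow or ref can match.
IDENTITY_RE='^https://github\.com/EvilBit-Labs/dbsurveyor/\.github/workflows/release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
ISSUER='https://token.actions.githubusercontent.com'

# verify_checksums_signature <checksums-file>
# Expects <checksums-file>.pem and <checksums-file>.sig next to it.
verify_checksums_signature() {
  cosign verify-blob \
    --certificate-identity-regexp="$IDENTITY_RE" \
    --certificate-oidc-issuer="$ISSUER" \
    --certificate "$1.pem" \
    --signature "$1.sig" \
    "$1"
}

# verify_archive <checksums-file> <archive>
# Exit status: 0 match, 1 hash mismatch, 2 archive not listed exactly once.
# The body is a subshell, so variables stay local and `exit` only leaves it.
verify_archive() (
  sums="$1"; archive="$2"
  name="$(basename -- "$archive")"
  # Lines are "<sha256>  <name>"; compare the name field exactly, no globbing.
  expected="$(awk -v n="$name" '
    $2 == n || $2 == ("*" n) { print $1; c++ }
    END { exit (c != 1) }' "$sums")" || {
    echo "FAIL: $name is not listed exactly once in $sums" >&2; exit 2; }
  actual="$(sha256sum -- "$archive" | awk '{ print $1 }')"
  if [ "$actual" != "$expected" ]; then
    echo "FAIL: SHA-256 mismatch for $name" >&2; exit 1
  fi
  echo "OK: $name"
)

# verify_release <checksums-file> <archive>
# Signature first: the hashes are only trustworthy once the file is verified.
verify_release() {
  verify_checksums_signature "$1" || { echo "FAIL: signature" >&2; return 3; }
  verify_archive "$1" "$2"
}

# Usage:
#   verify_release dbsurveyor_<VERSION>_checksums.txt dbsurveyor_all_Linux_x86_64.tar.gz
```

Checking one named archive this way avoids the failures that `sha256sum -c` reports for every listed archive that was not downloaded.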

SBOM (Software Bill of Materials)#

Syft generates an SBOM for each archive, enabling supply chain transparency and vulnerability tracking. SBOMs are uploaded as release artifacts with the .sbom extension.

Pipeline Configuration#

Required Secrets#

Two GitHub secrets are required for the release pipeline:

  1. GITHUB_TOKEN: Automatically provided by GitHub Actions; grants permissions to create releases and upload artifacts
  2. HOMEBREW_TAP_TOKEN: Personal Access Token with write access to the EvilBit-Labs/homebrew-tap repository

Permissions#

The workflow requires specific permissions:

  • contents: write - Create releases and upload assets
  • id-token: write - Generate OIDC tokens for Cosign keyless signing

Operational Procedures#

Pre-Release Checklist#

Before triggering a release, the following checks must pass:

  • All CI checks passing on the main branch
  • Security audit clean (cargo audit)
  • Changelog/release notes prepared
  • Version bumped in workspace Cargo.toml

Post-Release Verification#

After a release completes, verify:

  • All 34 variant archives are present on the GitHub Release page
  • Checksums file is present and correct
  • Cosign signature and certificate are present (.sig and .pem files)
  • SBOMs are present for each archive
  • Linux packages (.deb, .rpm, .apk) are present for the all-features variant
  • Homebrew formula is updated in the tap repository
  • Homebrew installation works on a clean machine: brew install EvilBit-Labs/tap/dbsurveyor

Common Issues#

Common troubleshooting scenarios:

| Issue | Resolution |
| --- | --- |
| Build failures for specific targets | Check job logs; verify cargo-zigbuild/Zig configuration |
| GoReleaser path errors | Verify .goreleaser.yaml build IDs match feature flags |
| Homebrew push failures | Confirm HOMEBREW_TAP_TOKEN has write access |
| Prerelease detection | Tags with -rc.N, -beta.N are auto-detected by GoReleaser |
| Cosign signing failures | Verify id-token: write permission is set |
| SBOM generation failures | Ensure Syft is installed in workflow |
| Disk space issues | Workflow includes free-disk-space step; builds produce ~35-50 min runtime |

Historical Context#

Migration from cargo-dist#

On February 11, 2026, DBSurveyor replaced cargo-dist with GoReleaser in response to reliability issues. The migration:

  • Reduced the release workflow from 344 lines to 47 lines (initial GoReleaser implementation)
  • Eliminated the need for multiple GitHub Actions jobs
  • Switched from MSVC to GNU Windows targets (required by cargo-zigbuild)
  • Provided full control over the release pipeline configuration

The previous cargo-dist configuration also targeted six platforms, with the primary difference being the use of x86_64-pc-windows-msvc instead of x86_64-pc-windows-gnu.

Implementation of Per-Database Variants#

The current GoReleaser configuration implements per-database variant builds as originally planned in TASK-020. Each collector variant is built with specific feature flags (--no-default-features --features=<driver>,compression,encryption) to produce optimized binaries containing only the required database driver.

Relevant Code Files#

The following files define and implement the release pipeline:

| File | Purpose | Key Components |
| --- | --- | --- |
| .goreleaser.yaml | GoReleaser configuration | 7 build IDs (1 postprocessor + 6 collector variants), 6 archive definitions per variant, Homebrew tap config, Linux package config (nfpms), checksum generation, Cosign signing, Syft SBOM |
| .github/workflows/release.yml | GitHub Actions release workflow | Rust toolchain setup, Zig installation, cargo-zigbuild installation, Cosign installation, Syft installation, GoReleaser execution |
| RELEASE.md | Release documentation | Triggering process, variant descriptions, checklists, troubleshooting, verification steps |
| dbsurveyor-core/Cargo.toml | Cargo feature flag definitions | Database driver features (postgresql, mysql, sqlite, mongodb, mssql, oracle stub), compression, encryption |

  • Cargo Feature Flags: DBSurveyor uses Cargo feature flags for optional database driver support. The release pipeline builds both an all-features variant and six single-database variants using --no-default-features with specific feature combinations.
  • Cross-Compilation with Zig: The pipeline leverages Zig's cross-compilation capabilities through cargo-zigbuild to simplify multi-platform builds without requiring platform-specific toolchains.
  • GoReleaser for Rust Projects: While GoReleaser is primarily a Go release tool, version 2.0 added native Rust support, making it viable for Rust cross-compilation workflows with multiple build variants.
  • Cosign Keyless Signing: The pipeline uses Cosign with OIDC (OpenID Connect) keyless signing via GitHub Actions, eliminating the need to manage signing keys while still providing cryptographic verification.
  • Supply Chain Security: The combination of checksums, Cosign signatures, and Syft SBOMs provides comprehensive supply chain transparency and artifact verification.