# Go Release Packaging

CAVRA now includes a release packaging workflow for the Go enforcement-plane runtime.

- Workflow: `.github/workflows/go-release.yml`.
- Linux, macOS, and Windows builds for `amd64` and `arm64`.
- Checksums: `checksums.txt`.
- SPDX-style SBOM: `cavra-runtime.sbom.spdx.json`.
- SLSA provenance: `cavra-runtime.provenance.intoto.json`.
- Managed endpoint deployment manifest: `cavra-runtime.endpoint-deployment.json`.
- Managed endpoint rollout evidence: `managed-endpoint-rollout-evidence.json`, `managed-endpoint-rollout-evidence.md`, and `checksums.txt`.
- Release evidence: `release-evidence.json` and `release-evidence.md`.
- Detached Ed25519 signature JSON files when `CAVRA_GO_RELEASE_SIGNING_KEY` is configured.
- Required signing for real release events and non-dry-run manual packaging.
- Dry-run mode for validation before production releases.
- GitHub Release asset attachment for signed production packages.
- CLI verification with `cavra release verify-go-package`.
Run a dry-run packaging job:

```bash
gh workflow run go-release.yml --repo Huzefaaa2/cavra \
  -f version=dry-run \
  -f dry_run=true
```

For production releases, configure `CAVRA_GO_RELEASE_SIGNING_KEY` with an Ed25519 private key PEM and publish a GitHub release. The workflow attaches `cavra-go-runtime-<version>.zip` to the release.
Verify a signed package:

```bash
cavra release verify-go-package go/cavra-runtime/dist/go-runtime-v0.1.0
```

Inspect managed endpoint deployment guidance:

```bash
jq '.deployment_targets[] | {id, surface, platform, installer_target}' \
  go/cavra-runtime/dist/go-runtime-v0.1.0/cavra-runtime.endpoint-deployment.json
```

The endpoint deployment manifest maps signed runtime binaries to approved CI runner and developer workstation channels. Package verification requires the manifest and validates its binary references, rollout controls, and installer smoke-test guidance before approval.
Capture rollout evidence:

```bash
cavra release capture-rollout \
  go/cavra-runtime/dist/go-runtime-v0.1.0 \
  --deployment-id github-actions-linux-amd64-runner \
  --change-record CHG-123
```

The rollout command verifies the signed package, selects approved deployment targets, and writes change-record evidence for endpoint rollout.
Verify and index rollout evidence:

```bash
cavra release verify-rollout \
  .cavra/release/rollout \
  --metadata-json .cavra/evidence/metadata.json \
  --sqlite .cavra/evidence/metadata.db
```

The verification command checks rollout checksums, source package checksums, package verification status, selected targets, and rollout controls before indexing metadata by rollout ID.
Verify an unsigned dry-run package:

```bash
cavra release verify-go-package go/cavra-runtime/dist/go-runtime-dry-run --allow-unsigned
```

- As a release manager, I can publish Go binaries with release evidence, provenance, and GitHub keyless attestations.
- As a security engineer, I can validate checksums, SBOM metadata, SLSA provenance, detached signatures, and `gh attestation verify` results.
- As an enterprise architect, I can verify an air-gapped runtime zip before restricted-network transfer.
- As an endpoint engineering owner, I can approve deployment channels for CI runners and developer workstations before rollout.
- As an endpoint engineering owner, I can capture rollout status and change-record evidence for approved endpoint channels.
- As an endpoint engineering owner, I can verify rollout evidence and index it for audit retrieval.
- As an auditor, I can run a local verifier before approving runtime distribution.
Signed Go release packaging gives regulated teams an auditable path from source commit to binary artifact before CAVRA is distributed to local developer machines, CI runners, or restricted environments. Release attachment, SLSA provenance, signed installer metadata, managed endpoint deployment manifests, rollout evidence capture, rollout evidence verification and indexing, installer smoke validation, GitHub OIDC-backed keyless attestations, offline trust bootstrap metadata, air-gapped zip verification, release-candidate upgrade validation, and CLI verification reduce manual release-review steps.
Add rollout evidence search filters and console/API views for managed endpoint deployments.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?