Skip to main content

What anodizer builds

Artifacts the `anodizer release` pipeline produces: binaries, archives, packages, installers, containers, and signing material.

What anodizer builds

Output formats and the builds[] / archives[] / dockers_v2[] / signs[] keys that drive them. Native binaries for 6 targets ship on every release (linux amd64/arm64, darwin amd64/arm64, windows amd64/arm64), built with cargo + cargo-zigbuild + cross.

Live configuration

Build / archive / nfpm / dockers_v2 / sign blocks from cfgd/.anodizer.yaml (snapshot 2026-05-24) — every key referenced in the tables below is wired here.

defaults:
  targets:
    - x86_64-unknown-linux-gnu
    - aarch64-unknown-linux-gnu
    - x86_64-apple-darwin
    - aarch64-apple-darwin
    - x86_64-pc-windows-msvc
  cross: auto

# Per-crate (one workspace shown):
builds:
  - binary: cfgd
    mod_timestamp: "{{ CommitTimestamp }}"

archives:
  - name_template: "{{ ProjectName }}-{{ Version }}-{{ Os }}-{{ Arch }}"
    formats: [tar.gz]
    format_overrides:
      - { os: windows, formats: [zip] }
    files: [LICENSE, README.md]

universal_binaries:
  - { name_template: "{{ ProjectName }}", replace: false }

checksum:
  name_template: "{{ ArtifactName }}.sha256"
  algorithm: sha256
  split: true

# Top-level:
upx:
  - id: default
    enabled: true
    args: ["--best", "--lzma"]
    targets: [x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu,
              x86_64-apple-darwin, x86_64-pc-windows-msvc]

nfpms:
  - id: cfgd
    formats: [deb, rpm, apk]
    maintainer: "TJ Smith <tj@jarvispro.io>"
    contents:
      - { src: LICENSE,   dst: /usr/share/doc/cfgd/LICENSE }
      - { src: README.md, dst: /usr/share/doc/cfgd/README.md }

# dockers_v2: pushes a multi-arch image index in one step (no separate manifest).
dockers_v2:
  - id: cfgd
    dockerfile: Dockerfile.agent.release
    images: ["ghcr.io/tj-smith47/cfgd"]
    tags: ["{{ Version }}", "v{{ Version }}", "latest"]
    sbom: true

signs:
  - { id: cosign-checksum, artifacts: checksum, cmd: cosign }
  - { id: cosign-source,   artifacts: source,   cmd: cosign }
docker_signs:
  - { id: cosign-images, artifacts: manifests, cmd: cosign }
binary_signs:
  - { id: cosign-bin,    artifacts: binary,    cmd: cosign }

sboms:
  - { id: default, cmd: syft, artifacts: archive, documents: ["{{ .ProjectName }}-{{ .Version }}.cdx.json"] }

Build

KeyStatusNotes
builds[].targets → per-target os / arch✅ Verifiedv0.1.1 assets cover 6 targets (*-linux-amd64.tar.gz to *-windows-arm64.zip)
universal_binaries[]✅ Verifiedcfgd v0.3.5 ships cfgd-0.3.5-darwin-all.tar.gz via lipo
upx[]✅ Verifiedanodizer-0.1.1-linux-amd64.tar.gz (UPX-packed)
builds[].overrides✅ Verifiedcfgd .anodizer.yaml (format_overrides for windows zip)
builds[].hooks.pre / post✅ Verifiedanodizer .anodizer.yaml (archive hooks.before / hooks.after)
builds[].mod_timestamp✅ Verifiedanodizer .anodizer.yaml (metadata.mod_timestamp: "{{ CommitTimestamp }}")
builds[].builder: prebuilt (no-compile)🤝 Help wantedcrates/stage-build/src/run.rs imports a pre-built binary; crates/stage-build/src/tests.rs covers unit paths; no production .anodizer.yaml uses builder: prebuilt yet
report_sizes✅ Verifiedanodizer .anodizer.yaml (report_sizes: true)

Archives and checksums

FormatStatusNotes
tar.gz✅ Verifiedanodizer-0.1.1-linux-amd64.tar.gz
zip✅ Verifiedanodizer-0.1.1-windows-amd64.zip
tar.xz, tar.zst, tgz✅ Verifiedanodizer-0.12.3-linux-amd64-extra.tar.xz, anodizer-0.12.3-linux-amd64-extra.tar.zst, anodizer-0.12.3-windows-amd64-extra.tgz (second archives[] entry with formats: [tar.xz, tar.zst] + tgz override)
source.format✅ Verifiedanodizer-0.1.1-source.tar.gz
makeselfs[]✅ Verifiedanodizer-0.1.1-linux-amd64-installer.run (4 platforms)
KeyStatusNotes
checksum.algorithm✅ Verifiedsha256 default. anodizer-0.1.1-checksums.txt. Full list: sha1/224/256/384/512, sha3-*, blake2s/2b, blake3, crc32, md5
checksum.split✅ Verifiedcfgd .anodizer.yaml (checksum.split: true per crate)

Linux packages

FormatStatusNotes
.deb✅ Verifiedanodizer_0.1.1_linux_amd64.deb (amd64 + arm64)
.rpm✅ Verifiedanodizer_0.1.1_linux_amd64.rpm (amd64 + arm64)
.apk✅ Verifiedanodizer_0.1.1_linux_amd64.apk
.src.rpm✅ Verifiedanodizer-0.1.1-1.src.rpm
.snap✅ Verifiedsnapcraft.io/anodizer, latest/stable channel
archlinux, ipk, termux.deb🤝 Help wantednFPM dispatch covered; not shipped live
KeyStatusNotes
nfpms[].scripts✅ Verifiedcrates/core/src/config/nfpm.rs (preinstall / postinstall / preremove / postremove fields)
nfpms[].contents✅ Verifiedcfgd .anodizer.yaml (contents: ships LICENSE + README.md to /usr/share/doc/cfgd/)
NFPM_PASSPHRASE env chain✅ Verifiedcrates/stage-nfpm/src/builders.rs (three-level lookup chain)

macOS and Windows installers (built on Linux CI)

These formats are assembled on an ordinary Linux runner — no macOS or Windows host in the build matrix. Anodizer's own dogfood config wires all five (anodizer .anodizer.yaml, app_bundles: / dmgs: / pkgs: / msis: / nsis: blocks), built unsigned in CI. Code-signing and notarization still require the platform's own credentials; the bundles themselves do not. As of v0.12.3 all five ship as live release assets (amd64 + arm64). The .AppImage row below is the sole remaining 🟡 In progress format — its block is wired and CI-built, but no public release asset has landed yet.

FormatStatusBuilt on Linux via
.app bundle✅ Verifiedanodizer_amd64.dmg ships the bundle (in-process directory + Info.plist assembly, no external tool); app_bundles:. See app-bundle docs
.dmg✅ Verifiedanodizer_amd64.dmg + anodizer_arm64.dmg via genisoimage / mkisofs; dmgs:. See dmg docs
.pkg✅ Verifiedanodizer_amd64.pkg + anodizer_arm64.pkg via flat XAR toolchain (xar + mkbom), byte-reproducible TOC; pkgs:. See pkg docs
.msi✅ Verifiedanodizer_amd64.msi + anodizer_arm64.msi via wixl (msitools); msis:. See msi docs
.exe (NSIS)✅ Verifiedanodizer_x64-setup.exe + anodizer_arm64-setup.exe via makensis; nsis:. See nsis docs
.AppImage🟡 In progresslinuxdeploy with optional zsync update metadata; appimages:. See appimage docs
KeyStatusNotes
notarize.macos🤝 Help wantedCross-platform (rcodesign). Implementation requires sign.certificate (P12 file), sign.password, and notarize.{issuer_id, key, key_id}, i.e. an Apple Developer Program membership. Not dogfoodable on Linux runners without a paid Apple account
notarize.macos_native🤝 Help wantedNeeds Apple Developer cert on a macOS runner

Container images

KeyStatusNotes
dockers_v2[]✅ Verifiedghcr.io/tj-smith47/cfgd (cfgd-agent, cfgd-operator, cfgd-csi); cfgd .anodizer.yaml (dockers_v2: per crate)
docker_manifests[]✅ Verifiedghcr.io/tj-smith47/cfgd:v0.3.5 (multi-arch linux/amd64+arm64). dockers_v2 already pushes a multi-arch index, so cfgd's docker_manifests[] entries are bypassed at runtime (docker: skipping manifest ... already pushed as multi-arch by docker_v2) — retained only for the niche case of stitching together images not built by dockers_v2 in the same run
dockers_v2[].build_args / labels / annotations✅ Verifiedcfgd .anodizer.yaml (build_args.VERSION + org.opencontainers.image.* annotations)
dockers_v2[].sbom: true✅ Verifiedcfgd .anodizer.yaml (sbom: true on all three dockers_v2 images)
docker_digest.name_template✅ Verifiedcfgd .anodizer.yaml (docker_digest.name_template: "cfgd_{{ .Tag }}.digest")
dockers_v2[].use: buildx✅ Verifiedcrates/stage-docker/src/detect.rs (buildx is the default backend)
dockers_v2[].use: podman / docker_manifests[].use: docker / podman🤝 Help wantedLinux-only backend selectors. No live release exercises the non-buildx path
docker_hub.description🤝 Help wantedWe use ghcr; needs a Docker Hub-anchored release

Signing

KeyStatusNotes
signs[] (cosign)✅ Verifiedcfgd v0.3.5 cosign bundle. Cosign keyless for binaries and checksums
signs[] (gpg)✅ Verifiedanodizer-0.1.1-checksums.txt.sig
signs[].artifacts✅ Verifiedcfgd .anodizer.yaml (signs: declares artifacts: checksum and artifacts: source slots)
docker_signs[]✅ Verifiedcfgd .anodizer.yaml (docker_signs: with cosign over artifacts: manifests)
binary_signs[]✅ Verifiedanodizer .anodizer.yaml (binary_signs: block with cosign sign-blob)
sboms[]✅ VerifiedCycloneDX via syft. anodizer-0.1.1.cdx.json
${artifact} / ${document} substitution✅ Verifiedcrates/stage-sbom/src/lib.rs ($artifact, $artifactID, $document, $document<N> substitution)