Tag → 7 platforms → 7 channels → all signed.

One signed tag. Seven platform binaries (incl. iOS xcframework + Android jniLibs tarball, #1068). Seven package channels. All in <15 minutes of CI wallclock. Procurement-ready operational maturity from day 1.

Stats

The release pipeline by the numbers.

v0.6.3-rc1 ran the full pipeline at 19:32 UTC on 2026-04-26. Every step succeeded.

  • 5 platform binaries
  • 5 distribution channels
  • 3 operating systems
  • ~10 min wallclock
  • 100% signed (Cosign + GPG)
  • SBOM published per release
The Pipeline

Tag a release. Watch the matrix go.

Pushing a tag matching v* runs the full CI check matrix in .github/workflows/ci.yml. Publishing is a separate, operator-gated step at v0.7.0: .github/workflows/release.yml runs via workflow_dispatch against the already-pushed annotated tag, preflight-verifies it, and builds + publishes only from that verified SHA — so a release that fails checks never publishes.

▸ trigger
  • git tag -s v0.6.3-rc1
▸ check (must pass)
  • Check (ubuntu)
  • Check (macos)
  • Check (windows)
  • Code Coverage (cargo llvm-cov)
▸ build matrix · 7 platforms (5 desktop + 2 mobile #1068)
  • x86_64-unknown-linux-gnu
  • aarch64-unknown-linux-gnu
  • x86_64-apple-darwin
  • aarch64-apple-darwin
  • x86_64-pc-windows-msvc
▸ package + sign
  • tar.gz / .deb / .rpm
  • .zip (windows)
  • SBOM (Cargo.toml)
  • SHA256 manifest
▸ publish · 7 channels (+ iOS xcframework, Android jniLibs)
  • GitHub Release artifacts
  • crates.io publish
  • Homebrew formula bump
  • Fedora COPR build
  • Docker → GHCR
Platform Targets

7 binaries. Every mainstream OS + arch.

Each tag produces seven precompiled binaries at v0.7.0: 5 desktop (Linux x64/arm64, macOS x64/arm64, Windows x64) plus 2 mobile (iOS xcframework + Android jniLibs tarball — added via #1068). ARM64 first-class on Linux + macOS. No 32-bit, no big-endian, no exotic targets — by design.

Linux x64
x86_64-unknown-linux-gnu
tar.gz · deb · rpm
  • glibc 2.31+
  • Tested Ubuntu 22.04, 24.04
  • RHEL 9, Fedora 38+
Linux ARM64
aarch64-unknown-linux-gnu
tar.gz · deb · rpm
  • glibc 2.31+
  • Tested AWS Graviton
  • Raspberry Pi 5 verified
macOS x64
x86_64-apple-darwin
tar.gz
  • macOS 12 Monterey+
  • Homebrew bottle
macOS ARM
aarch64-apple-darwin
tar.gz
  • Apple Silicon native
  • M1/M2/M3/M4 tested
  • Reference hardware
Windows x64
x86_64-pc-windows-msvc
.zip
  • Win 10, 11, Server 2019+
  • MSVC toolchain
  • WSL2 also works (Linux x64)
Distribution Channels

Install how your team installs everything else.

Each channel is auto-updated from the signed tag. No manual republishing. No lag between releases. Your existing package-update pipeline picks ai-memory up automatically.

🍺 Homebrew
macOS · Linux · auto-updates via tap
brew tap alphaonedev/tap
brew install ai-memory
📦 APT (Debian/Ubuntu)
amd64 · arm64 · signed .deb
curl -sL https://github.com/alphaonedev/ai-memory-mcp/...
sudo apt install ./ai-memory_VERSION_amd64.deb
🎩 Fedora COPR
amd64 · arm64 · signed .rpm
sudo dnf copr enable alpha-one-ai/ai-memory
sudo dnf install ai-memory
🐳 Docker (GHCR)
multi-arch · alpine + distroless variants
docker pull ghcr.io/alphaonedev/ai-memory:latest
docker run -p 9077:9077 ghcr.io/alphaonedev/ai-memory
🦀 crates.io
build from source · cargo install
cargo install ai-memory --locked
# or with sqlcipher feature:
cargo install ai-memory --features sqlcipher
📱 iOS xcframework
#1068 · device + sim arm64 + sim x86_64 slices
gh release download --pattern ai-memory-ios.xcframework.tar.gz
🤖 Android jniLibs
#1068 · 4 ABIs in jniLibs/<abi>/ layout
gh release download --pattern ai-memory-android.tar.gz
CI Gates

4 workflows. Every PR. Every push. Every tag.

No release ever ships without all four CI gates green. Coverage uses cargo-llvm-cov (matches the local canonical command). Bench enforces the PERFORMANCE.md p95 budgets with a 10% tolerance.

.github/workflows/ci.yml · pull_request, push, tag

CI (3 platforms)

  • cargo fmt --check — formatting must be exact
  • cargo clippy -- -D warnings -D clippy::all -D clippy::pedantic — pedantic linting
  • cargo test — test suite on all platforms (impact-scoped on PRs via scripts/ci-test-impact.sh; full suite otherwise)
  • cargo audit — dependency vulnerability check (Linux only)
  • cargo build --release — release-mode compile must succeed
.github/workflows/ci.yml · coverage job

Code Coverage (cargo-llvm-cov)

  • Runs on every PR + push to main / develop / release/**
  • cargo llvm-cov --features sal --no-fail-fast --html
  • JSON artifact uploaded for trend analysis
  • HTML report uploaded for inspection
  • v0.6.3 measurement: 93.08% line coverage (gate ≥92%) — see canonical evidence
.github/workflows/bench.yml · pull_request, push to release/**

Bench (Performance budgets)

  • Runs on every PR against main / develop / release/**
  • ai-memory bench on Ubuntu reference hardware
  • Compares each operation's measured p95 to PERFORMANCE.md target
  • Build fails if any p95 exceeds budget by >10%
  • Workflow summary shows the table; JSON artifact retained
.github/workflows/ci.yml · release matrix

Release (7-platform fan-out, v0.7.0 + #1068)

  • Runs via workflow_dispatch (operator-gated) against an already-pushed tag matching v*
  • Depends on check passing first — broken tags don't ship
  • Builds 5 server platform targets in parallel (Linux x64/arm64, macOS x64/arm64, Windows x64)
  • Plus 2 mobile artifacts (#1068): iOS xcframework (3 slices) + Android jniLibs tarball (4 ABIs)
  • Packages tar.gz / .deb / .rpm / .zip + ai-memory-ios.xcframework.tar.gz + ai-memory-android.tar.gz
  • Publishes to GitHub Releases, then fans out to crates.io / Homebrew / .deb / COPR / GHCR
  • Pre-release tags (containing -) skip Homebrew + crates.io (RC binaries only)
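
The tag preflight and the pre-release channel rule described above, sketched as an added example (this is not the project's release.yml). The function names, exit codes and channel labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: release preflight for an operator-dispatched publish job.
# Function names, exit codes and channel labels are illustrative assumptions.

# Print the commit SHA a tag points at, but only if the tag is a release tag
# (v*), is an annotated tag object, and carries a signature git can verify.
# Exit codes: 2 = not a v* tag, 3 = missing or lightweight, 4 = bad signature.
preflight_tag() {
    tag=$1
    case "$tag" in
        v*) ;;
        *) echo "preflight: '$tag' is not a v* release tag" >&2; return 2 ;;
    esac
    # A lightweight tag resolves straight to a commit; only annotated tags
    # are objects of type "tag" and can hold a signature.
    kind=$(git cat-file -t "refs/tags/$tag" 2>/dev/null) || kind=missing
    if [ "$kind" != tag ]; then
        echo "preflight: $tag is $kind, expected an annotated tag" >&2; return 3
    fi
    # verify-tag trusts whatever GPG keyring or SSH allowed-signers file the
    # runner is configured with; an unsigned tag fails here.
    if ! git verify-tag "$tag" >/dev/null 2>&1; then
        echo "preflight: signature on $tag did not verify" >&2; return 4
    fi
    # Peel the tag to its commit; the build should check out exactly this SHA.
    git rev-parse --verify --quiet "refs/tags/$tag^{commit}"
}

# Channels for a tag: pre-release tags (containing "-") skip Homebrew and crates.io.
channels_for_tag() {
    case "$1" in
        *-*) echo "github-release deb copr ghcr" ;;
        *)   echo "github-release crates.io homebrew deb copr ghcr" ;;
    esac
}

# Usage: sh preflight.sh v0.6.3-rc1   (run inside the repository clone)
if [ "$#" -gt 0 ]; then
    sha=$(preflight_tag "$1") || exit $?
    echo "publish $1 from $sha to: $(channels_for_tag "$1")"
fi
```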
Security Posture

What procurement asks. What we already do.

Every release ships with cryptographic guarantees, not promises. The pipeline produces auditable artifacts that survive procurement review.

SSH-signed commits

Every commit signed with the alphaonedev id_ed25519 key. Tampered history fails verification immediately.

Signed tags

git tag -s v* only. Unsigned tags are never published. Procurement can verify the chain from tag to binary.

SBOM per release

Cargo.toml + Cargo.lock are the complete dependency manifest. cargo audit runs in CI on every release.

Reproducible builds

Pinned Rust toolchain. --locked on every cargo invocation. Same source produces the same binary.

SHA256 release manifests

Every release artifact includes its SHA256. Homebrew formula auto-bumps with verified hashes. Restore command verifies sha256 before swap.
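
A consumer-side check of downloaded artifacts against a SHA256 manifest, as an added example (not the project's restore command). It assumes the manifest uses sha256sum-style lines, `<64 hex>  <filename>`; the page does not state the manifest format, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: check downloaded release artifacts against a SHA256 manifest
# before installing. Assumes sha256sum-style lines: "<64 hex>  <filename>".

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_release DIR MANIFEST
# Fails closed: non-zero if the manifest is empty or malformed, a listed file
# is missing, or any digest differs. Prints one status line per entry.
verify_release() {
    dir=$1 manifest=$2 bad=0 seen=0
    while read -r want name || [ -n "$want" ]; do
        [ -n "$want" ] || continue
        seen=$((seen + 1))
        name=${name#\*}    # sha256sum marks binary mode with a leading '*'
        case "$name" in
            ""|*/*) echo "REJECT  $name (unexpected path)"; bad=1; continue ;;
        esac
        case "$want" in *[!0-9a-f]*) want= ;; esac
        if [ ${#want} -ne 64 ]; then
            echo "REJECT  $name (digest is not 64 lowercase hex chars)"; bad=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" = "$want" ]; then echo "OK      $name"
        else echo "TAMPER  $name"; bad=1; fi
    done < "$manifest"
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh verify.sh ./downloads ./downloads/SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```

The manifest is only as trustworthy as its source, so fetch it from the signed release rather than from the same mirror as the binary.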

Public-source audit

Apache 2.0. Single repo. ~295K lines of Rust under src/ (tests included) at v0.7.0. The entire codebase is open to security-team audit.