Tag → 5 platforms → 5 channels → all signed.

One signed tag. Five platform binaries. Five package channels. All in <10 minutes of CI wallclock. Procurement-ready operational maturity from day 1.

Stats

The release pipeline by the numbers.

v0.6.3-rc1 ran the full pipeline at 19:32 UTC on 2026-04-26. Every step succeeded.

  • 5 platform binaries
  • 5 distribution channels
  • 3 operating systems
  • ~10 min wallclock
  • 100% signed (Cosign + GPG)
  • SBOM published per release
The Pipeline

Tag a release. Watch the matrix go.

Every tag matching v* triggers the full release matrix in .github/workflows/ci.yml. The release job depends on check passing first — so a tagged release that fails any platform's check (fmt, clippy, tests) never publishes.

Pipeline diagram, stages in order:

  • trigger: git tag -s v0.6.3-rc1
  • check (must pass): Check (ubuntu), Check (macos), Check (windows), Code Coverage (cargo llvm-cov)
  • build matrix · 5 platforms: x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu, x86_64-apple-darwin, aarch64-apple-darwin, x86_64-pc-windows-msvc
  • package + sign: tar.gz / .deb / .rpm, .zip (windows), SBOM (Cargo.toml), SHA256 manifest
  • publish · 5 channels: GitHub Release artifacts, crates.io publish, Homebrew formula bump, Fedora COPR build, Docker → GHCR
Platform Targets

5 binaries. Every mainstream OS + arch.

Each tag produces five precompiled binaries. macOS Universal coming in v0.7. ARM64 first-class on Linux + macOS. No 32-bit, no big-endian, no exotic targets — by design.

Linux x64
x86_64-unknown-linux-gnu
tar.gz · deb · rpm
  • glibc 2.31+
  • Tested Ubuntu 22.04, 24.04
  • RHEL 9, Fedora 38+
Linux ARM64
aarch64-unknown-linux-gnu
tar.gz · deb · rpm
  • glibc 2.31+
  • Tested AWS Graviton
  • Raspberry Pi 5 verified
macOS x64
x86_64-apple-darwin
tar.gz
  • macOS 12 Monterey+
  • Codesigned (notarized v0.7)
  • Homebrew bottle
macOS ARM
aarch64-apple-darwin
tar.gz
  • Apple Silicon native
  • M1/M2/M3/M4 tested
  • Reference hardware
Windows x64
x86_64-pc-windows-msvc
.zip
  • Win 10, 11, Server 2019+
  • MSVC toolchain
  • WSL2 also works (Linux x64)
Distribution Channels

Install how your team installs everything else.

Each channel is auto-updated from the signed tag. No manual republishing. No lag between releases. Your existing package-update pipeline picks ai-memory up automatically.

🍺 Homebrew
macOS · Linux · auto-updates via tap
brew tap alphaonedev/tap
brew install ai-memory
📦 APT (Debian/Ubuntu)
amd64 · arm64 · signed .deb
curl -sL https://github.com/alphaonedev/ai-memory-mcp/...
sudo apt install ./ai-memory_VERSION_amd64.deb
🎩 Fedora COPR
amd64 · arm64 · signed .rpm
sudo dnf copr enable alpha-one-ai/ai-memory
sudo dnf install ai-memory
🐳 Docker (GHCR)
multi-arch · alpine + distroless variants
docker pull ghcr.io/alphaonedev/ai-memory:0.6.3
docker run -p 9077:9077 ghcr.io/alphaonedev/ai-memory
🦀 crates.io
build from source · cargo install
cargo install ai-memory --locked
# or with sqlcipher feature:
cargo install ai-memory --features sqlcipher
CI Gates

4 workflows. Every PR. Every push. Every tag.

No release ever ships without all four CI gates green. Coverage uses cargo-llvm-cov (matches the local canonical command). Bench enforces the PERFORMANCE.md p95 budgets with a 10% tolerance.

.github/workflows/ci.yml · pull_request, push, tag

CI (3 platforms)

  • cargo fmt --check — formatting must be exact
  • cargo clippy -- -D warnings -D clippy::all -D clippy::pedantic — pedantic linting
  • cargo test --all-features — full test suite, all platforms
  • cargo audit — dependency vulnerability check (Linux only)
  • cargo build --release — release-mode compile must succeed
.github/workflows/ci.yml · coverage job

Code Coverage (cargo-llvm-cov)

  • Runs on every PR + push to main / develop / release/**
  • cargo llvm-cov --features sal --no-fail-fast --html
  • JSON artifact uploaded for trend analysis
  • HTML report uploaded for inspection
  • v0.6.3 measurement: 93.08% line coverage (gate ≥92%) — see canonical evidence
.github/workflows/bench.yml · pull_request, push to release/**

Bench (Performance budgets)

  • Runs on every PR against main / develop / release/**
  • ai-memory bench on Ubuntu reference hardware
  • Compares each operation's measured p95 to PERFORMANCE.md target
  • Build fails if any p95 exceeds budget by >10%
  • Workflow summary shows the table; JSON artifact retained
.github/workflows/ci.yml · release matrix

Release (5-platform fan-out)

  • Triggers on tags matching v*
  • Depends on check passing first — broken tags don't ship
  • Builds 5 platform targets in parallel
  • Packages tar.gz / .deb / .rpm / .zip
  • Publishes to GitHub Releases, then fans out to crates.io / Homebrew / PPA / COPR / GHCR
  • Pre-release tags (containing -) skip Homebrew + crates.io (RC binaries only)
Security Posture

What procurement asks. What we already do.

Every release ships with cryptographic guarantees, not promises. The pipeline produces auditable artifacts that survive procurement review.

SSH-signed commits

Every commit signed with the alphaonedev id_ed25519 key. Tampered history fails verification immediately.

Signed tags

git tag -s v* only. Unsigned tags are never published. Procurement can verify the chain from tag to binary.

SBOM per release

Cargo.toml + Cargo.lock are the complete dependency manifest. cargo audit runs in CI on every release.

Reproducible builds

Pinned Rust toolchain. --locked on every cargo invocation. Same source produces the same binary.

SHA256 release manifests

Every release artifact includes its SHA256. Homebrew formula auto-bumps with verified hashes. Restore command verifies sha256 before swap.
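
The verify-before-swap step described above, as an added example (not the project's restore command or any code from this page): it looks up an artifact in a SHA256 manifest, hashes a staged copy, and replaces the installed file only on a match. The sha256sum-style manifest format and the function names are assumptions; the page shows neither.

```shell
# Added example, not the project's code. Assumption: the manifest uses the
# sha256sum(1) line format "<64 hex>  <filename>".

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_swap MANIFEST ARTIFACT DEST
# Replaces DEST only when ARTIFACT matches its manifest entry.
# Returns 0 on success, 1 on hash mismatch, 2 on manifest or I/O errors.
verify_and_swap() {
    manifest=$1 artifact=$2 dest=$3
    name=$(basename "$artifact")

    # Exact match on the filename field; strip the binary-mode "*" prefix.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1) }' "$manifest") || return 2

    # Fail closed: a missing or duplicated entry is an error, not a pass.
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "manifest: want 1 entry for $name, found $count" >&2
        return 2
    fi
    # Reject anything that is not a 64-hex-digit SHA-256 value.
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "manifest: malformed hash for $name" >&2
        return 2
    fi

    # Stage a copy beside DEST and hash that copy, so the bytes that were
    # verified are the bytes that get renamed into place.
    tmp="$dest.new.$$"
    cp "$artifact" "$tmp" || return 2
    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "sha256 mismatch for $name" >&2
        return 1
    fi
    mv -f "$tmp" "$dest"   # same-directory rename: DEST is never half-written
}
```

A manifest fetched from the same place as the artifact only detects corruption; it proves origin only once the manifest itself has been checked against the release signature.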

Public-source audit

Apache 2.0. Single repo. ~30K lines of Rust. A security team can audit the entire codebase in a week.