From 7a2a6517f2a09cec7bba873696724455134b5734 Mon Sep 17 00:00:00 2001
From: Earl Warren <contact@earl-warren.org>
Date: Wed, 14 Jun 2023 13:32:20 +0200
Subject: [PATCH] [CI] Forgejo Actions based release process

Refs: https://codeberg.org/forgejo/website/pulls/230
(cherry picked from commit 87d56bf6c73d726dae8aafbc7e147969f1899931)

[CI] Forgejo Actions based release process (squash)

base64 -w0 to avoid wrapping when the doer name is long as it creates
a broken config.json

(cherry picked from commit 9efdc27e49bdfb3e62401baf27b224385f9f3e5e)

[CI] Forgejo Actions based release process (squash) generate .xz files and sources

Generate .xz files
Check .sha256
Generate the source tarbal

(cherry picked from commit 7afec520c4b1032d7e67a05a41e4e2913bcd9312)

[CI] Forgejo Actions based release process (squash) release notes

(cherry picked from commit d8f4f4807b28297b318d2f555a76d0efef762cf7)

[CI] Forgejo Actions based release process (squash) publish and sign release

(cherry picked from commit a52778c74785fe57cdee3b64b4c6c8a326471532)
(cherry picked from commit cf2ec6274094ac7aebda71d54c64581f528df00a)

[CI] Forgejo Actions based release process (squash) version

use Actions environment variables in Makefile (#25319) (#25318)

uses Actions variable to determine the version. But Forgejo builds
happen in a container where they are not available. Do not use them.

Also verify the version of the binary is as expected for sanity check.

(cherry picked from commit 6decf111a132a869f9e5c6f4d20e368b8f74309f)
(cherry picked from commit 206d0b3886b2d56b585bf552e53d952b35f07284)

[CI] read STORED_VERSION_FILE if available

(cherry picked from commit af74085ebf51c91a51db865a66667fca511838d5)

[CI] backward compatible executable compilation

Add a new static-executable target to use in Dockerfiles and restore
the $(EXECUTABLE) target to what it was before to for backward
compatibility.

The release process now builds static executables instead of
dynamically linked ones which makes them more portable. It changes the
requirements at compile time and is not backward compatible. In
particular it may break packaging that rely on the target that
currently creates a dynamically linked executable.

(cherry picked from commit 84d02a174a4398b1f8ee62e08db5483a9859650f)
(cherry picked from commit 854be47328cc0283119dfb78f9ba0b8306c85f75)

[CI] Forgejo Actions based release process (squash) doc / ca / verbosity

- Document workflow
- Increase verbosity if VERBOSE=true
- Download the Certificate Authority if behind the VPN

(cherry picked from commit 168d5d586904835762d213b2b8815b458a38c78f)
(cherry picked from commit 8756c9a72a40830441124256b7382f900a1052f8)
(cherry picked from commit 2dad7ef20f3bf9ebe2425e2e28b66a4ca21c6786)

[CI] Forgejo Actions based release process (squash) add assets sources-tarbal

Refs: https://codeberg.org/forgejo/forgejo/issues/1115
(cherry picked from commit 5531d01f1981df665f5b8f642e9241e8ea4f4578)

[CI] Forgejo Actions based release process (squash) add assets sources-tarbal

bindata.go is a file, not a directory

Refs: https://codeberg.org/forgejo/forgejo/issues/1115
(cherry picked from commit bd88a4477817be34ea86ebb2f460b9fe8ab5f1b7)
(cherry picked from commit b408085138c578dfaacafbd4b7719ca926456855)

[CI] Forgejo Actions based release process (squash) public/assets moved

(cherry picked from commit d8c921d5a643ed05f2935348531996fe4d08c654)
(cherry picked from commit f29e50b1a09b1a22fc2dbdb77e9a1def1196175b)

[CI] Fix release notes link

- Use substitution to replace all dots with dashes.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1163

(cherry picked from commit 96783728f53a072915cace392aa269adfe9a5c73)
(cherry picked from commit c8d8bf8996beb650cd86cafb110e85e1e05917a0)

[CI] pin go v1.20 for testing

Refs: https://codeberg.org/forgejo/forgejo/issues/1228
(cherry picked from commit fd4b5a013ee0f31453b623d12001a8b810cd7ebc)
(cherry picked from commit 00bb15f57f2ae5a11abc8b044ed99dc949e812a7)

Conflicts:
	Dockerfile
	Dockerfile.rootless
	see https://codeberg.org/forgejo/forgejo/pulls/1303
(cherry picked from commit 6e2be54a6d95412ce770d4bab1a39c77591f44dc)
(cherry picked from commit 346c418b4a8c0e1f8c9aace44b00373a4bf76732)
(cherry picked from commit 49061f8422cb6aa9ddc14edb507f50477624eb7a)
(cherry picked from commit 8229d59b7e1ba61959de6ecd95d9dd49bc2436dc)
(cherry picked from commit 70d45d919309d8127551c8ad44538a730b795638)

[CI] Forgejo Actions based release process (squash) need node 18

(cherry picked from commit 722b1f45902ecca3179a92700a2f5c1080422a04)
(cherry picked from commit a91d786169fb4694aed4af68792437a0a67de3fa)

[CI] Forgejo Actions based release process (squash) fix indentation

(cherry picked from commit fbdf9d6abb88fd5def3d0ced488a4dd72655d433)
(cherry picked from commit 2deff90a13397339796ac5a94d63b0d8cd9760a9)
(cherry picked from commit 5710a27fda58093f0db1605585e730c314b933f5)

[CI] Forgejo Actions based release process (squash) FQIN for docker

Refs: https://codeberg.org/forgejo/forgejo/issues/1600
(cherry picked from commit f63d38deb6a9933ce996a61a099f4b79e9171581)

[CI] Forgejo Actions based release process (squash) use forgejo-curl.sh

(cherry picked from commit c0c3ef506fa500cb9626034c5e00913b3c31e08c)
(cherry picked from commit 933ca7ec5dcab55c8593dee4a6cd13281502c41e)

Conflicts:
	Dockerfile
	Dockerfile.rootless
	https://codeberg.org/forgejo/forgejo/pulls/1691
(cherry picked from commit 1068e48805de9d7464b41f32e1c5567d3747239a)

[CI] Forgejo Actions based release process (squash) size optimization

(cherry picked from commit 3c653ff7428dbf898a5131b5c817ce3b13ec0591)
(cherry picked from commit 398567fc0cf9edd0be49541339800af985e8b1b6)
(cherry picked from commit e585db9a970e7a84eaff06758a094a297ae6fc48)
(cherry picked from commit 17e91c96e3259b0d8fa87294470339779d62aa71)

[CI] Forgejo Actions based release process (squash) gitea to forgejo

(cherry picked from commit 9c06a318b867ea8c60dd194ca393bac3b718b07b)
(cherry picked from commit 95859da3b40306c1e07277230c2f401ef8b82a13)
(cherry picked from commit e3a5f6c1ed4e5452f3664aa8d398805c3b9c0a51)
(cherry picked from commit 7b9b259c75e0b2b805a2239ecf7c85a3f0dbd648)
(cherry picked from commit c4a152c8dc4ab5d20c72f9f7d60ce6eee3be5cda)
(cherry picked from commit b00bf599efa97a18adac134a1402418785c5bae2)
(cherry picked from commit a7836ee2ee2638091f0f9ff5543548ae0bb94060)
(cherry picked from commit 3ea7dcbd5b196b6fc9115d49d50678a1a5940c0b)
(cherry picked from commit 454d705e830ade3a41a33341b82d4c8aff584dcd)
(cherry picked from commit 35e06c3009f4a1942222dc35cc0993a623164b25)
(cherry picked from commit 904468a38ffdfb8157dc4eaf92b3ba10c3a957db)
(cherry picked from commit 890e86815a5a33b2930150a7460cd96b4360ac88)
(cherry picked from commit bf9f94c63d8c15ce62881ccadc28681848b7ebd7)
(cherry picked from commit d025d061d14929aaabbfc4603099e32cb888ac3b)
(cherry picked from commit 32f209a8e1b2ee109f7ae8b150d4390318c0ff2a)
(cherry picked from commit 38ef6802fca7301f4cb03769e8d6dae1e256933f)
(cherry picked from commit 8a19bbd2a8160b7d3d5a1ea083507b4311070ab6)
(cherry picked from commit f352dee786d2541fbe360fe8f859d3182c632240)
(cherry picked from commit b53d9fc090b58848876b4f97e8ed03face85a63b)
(cherry picked from commit 3dae21f4c87c82b75515d3db43c1bbd4d9f3f1ac)
(cherry picked from commit 8b59e016c7a1eb3f6d0077d8e6f205b8bcefe402)
(cherry picked from commit 6f54ea6a0eb0f9c4360237f78eb76c55678547e2)
(cherry picked from commit ed8d90de6bb9513a2dcdc70aac446bbcaf0855c9)
(cherry picked from commit 26ffd3fcace55279091fe95074a65dd1c4b7758a)
(cherry picked from commit 287b3bbfb5a66e64d3490a282153bfd2393b7afa)
(cherry picked from commit ab81378d0c88def332f43843eeac23ef768bb143)
(cherry picked from commit f6bbe7e875e707fcbadf7434818edb897467a5ef)
(cherry picked from commit 8968f34edf064e6bffc3cc7054307c6303256acd)
(cherry picked from commit d3d914bba2bec4f50f9d71d347b510771df99656)
(cherry picked from commit 4e4006a990dd22c23ffd6e9b7e3af6aac1855d52)
(cherry picked from commit edb333569b38e38f94dbb769d793b53cdf39b96f)
(cherry picked from commit 6c1a4baa15aebd1b27b742097181b1ca4afbd31c)
(cherry picked from commit 51bda3bfc734eccee198d4ccb377520d7f16ccb3)
(cherry picked from commit 6f5f318b8f1f9086ef981c181a97ebbcbe6e11be)
(cherry picked from commit e128da23624c90f2817ccb3f15c5df9704f2c597)
(cherry picked from commit 3e6735ff23ae6c6a6963629cf4bc5d8acd26f905)
(cherry picked from commit 938c4441259e0ef1714d6e411bd49df15f048103)
(cherry picked from commit 67f92dc9ab4ae8263c2f69e6729b3f1198943401)
(cherry picked from commit ee31df71fb70c2938fcf82b5c9a518a54bd4c078)
(cherry picked from commit 386f232191561867c7888ec94374f8f9505c4ff9)
(cherry picked from commit 745785cd7f90cf2665f11fb9bed960a16e238fa4)
(cherry picked from commit efa8564e762b5369a77a10422bd1f6dd1433c62b)

Conflicts:
	Dockerfile
	Dockerfile.rootless
	https://codeberg.org/forgejo/forgejo/pulls/2029
(cherry picked from commit f3dfb143216501411f2e2f522bcce64debfdc07d)
(cherry picked from commit 5a0346ee95f2f30e8955ad886500e9f1c6508c18)
---
 .forgejo/actions/build-release/action.yml     | 154 ++++++++++++++
 .forgejo/actions/publish-release/action.yml   | 110 ++++++++++
 .forgejo/testdata/build-release/Dockerfile    |   3 +
 .forgejo/testdata/build-release/Makefile      |   5 +
 .../build-release/modules/public/bindata.go   |   0
 .../public/assets/css/placeholder             |   0
 .../public/assets/fonts/placeholder           |   0
 .../public/assets/js/placeholder              |   0
 .../workflows/build-release-integration.yml   |  99 +++++++++
 .forgejo/workflows/build-release.yml          | 190 ++++++++++++++++++
 .forgejo/workflows/publish-release.yml        |  60 ++++++
 Dockerfile                                    |  43 ++--
 Dockerfile.rootless                           |  48 +++--
 Makefile                                      |  33 +--
 14 files changed, 689 insertions(+), 56 deletions(-)
 create mode 100644 .forgejo/actions/build-release/action.yml
 create mode 100644 .forgejo/actions/publish-release/action.yml
 create mode 100644 .forgejo/testdata/build-release/Dockerfile
 create mode 100644 .forgejo/testdata/build-release/Makefile
 create mode 100644 .forgejo/testdata/build-release/modules/public/bindata.go
 create mode 100644 .forgejo/testdata/build-release/public/assets/css/placeholder
 create mode 100644 .forgejo/testdata/build-release/public/assets/fonts/placeholder
 create mode 100644 .forgejo/testdata/build-release/public/assets/js/placeholder
 create mode 100644 .forgejo/workflows/build-release-integration.yml
 create mode 100644 .forgejo/workflows/build-release.yml
 create mode 100644 .forgejo/workflows/publish-release.yml

diff --git a/.forgejo/actions/build-release/action.yml b/.forgejo/actions/build-release/action.yml
new file mode 100644
index 0000000000..01fdfdedfc
--- /dev/null
+++ b/.forgejo/actions/build-release/action.yml
@@ -0,0 +1,154 @@
+name: 'Build release'
+author: 'Forgejo authors'
+description: |
+  Build release
+
+inputs:
+  forgejo:
+    description: 'URL of the Forgejo instance where the release is uploaded'
+    required: true
+  owner:
+    description: 'User or organization where the release is uploaded, relative to the Forgejo instance'
+    required: true
+  repository:
+    description: 'Repository where the release is uploaded, relative to the owner'
+    required: true
+  doer:
+    description: 'Name of the user authoring the release'
+    required: true
+  tag-version:
+    description: 'Version of the release derived from the tag withint the leading v'
+    required: true
+  suffix:
+    description: 'Suffix to add to the image tag'
+  token:
+    description: 'token'
+    required: true
+  dockerfile:
+    description: 'path to the dockerfile'
+    default: 'Dockerfile'
+  platforms:
+    description: 'Coma separated list of platforms'
+    default: 'linux/amd64,linux/arm64'
+  release-notes:
+    description: 'Full text of the release notes'
+    default: 'Release notes placeholder'
+  binary-name:
+    description: 'Name of the binary'
+  binary-path:
+    description: 'Path of the binary within the container to extract into binary-name'
+  verbose:
+    description: 'Increase the verbosity level'
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    - run: echo "${{ github.action_path }}" >> $GITHUB_PATH
+      shell: bash
+
+    - name: Install dependencies
+      run: |
+        apt-get install -y -qq xz-utils
+
+    - name: set -x if verbose is required
+      id: verbose
+      run: |
+        if ${{ inputs.verbose }} ; then
+          echo "shell=set -x" >> "$GITHUB_OUTPUT"
+        fi
+
+    - name: Create the insecure and buildx-config variables for the container registry
+      id: registry
+      run: |
+        ${{ steps.verbose.outputs.shell }}
+        url="${{ inputs.forgejo }}"
+        hostport=${url##http*://}
+        hostport=${hostport%%/}
+        echo "host-port=${hostport}" >> "$GITHUB_OUTPUT"
+        if ! [[ $url =~ ^http:// ]] ; then
+           exit 0
+        fi
+        cat >> "$GITHUB_OUTPUT" <<EOF
+        insecure=true
+        buildx-config<<ENDVAR
+        [registry."${hostport}"]
+          http = true
+        ENDVAR
+        EOF
+
+    - name: Allow docker pull/push to forgejo
+      if: ${{ steps.registry.outputs.insecure }}
+      run: |-
+        mkdir -p /etc/docker
+        cat > /etc/docker/daemon.json <<EOF
+          {
+            "insecure-registries" : ["${{ steps.registry.outputs.host-port }}"],
+            "bip": "172.26.0.1/16"
+          }
+        EOF
+
+    - name: Install docker
+      run: |
+        echo deb http://deb.debian.org/debian bullseye-backports main | tee /etc/apt/sources.list.d/backports.list && apt-get -qq update
+        DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y -t bullseye-backports docker.io
+
+    - uses: https://github.com/docker/setup-buildx-action@v2
+      with:
+        config-inline: |
+         ${{ steps.registry.outputs.buildx-config }}
+
+    - name: Login to the container registry
+      run: |
+        BASE64_AUTH=`echo -n "${{ inputs.doer }}:${{ inputs.token }}" | base64 -w0`
+        mkdir -p ~/.docker
+        echo "{\"auths\": {\"$CI_REGISTRY\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
+      env:
+        CI_REGISTRY: "${{ steps.registry.outputs.host-port }}"
+
+    - name: Build the container image for each architecture
+      uses: https://github.com/docker/build-push-action@v4
+      # workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released
+      env:
+        ACTIONS_RUNTIME_TOKEN: ''
+      with:
+        context: .
+        push: true
+        file: ${{ inputs.dockerfile }}
+        platforms: ${{ inputs.platforms }}
+        tags: ${{ steps.registry.outputs.host-port }}/${{ inputs.owner }}/${{ inputs.repository }}:${{ inputs.tag-version }}${{ inputs.suffix }}
+
+    - name: Extract the binary from the container images into the release directory
+      if: inputs.binary-name != ''
+      run: |
+        ${{ steps.verbose.outputs.shell }}
+        mkdir -p release
+        cd release
+        for platform in $(echo ${{ inputs.platforms }} | tr ',' ' '); do
+          arch=$(echo $platform | sed -e 's|linux/||g' -e 's|arm/v6|arm-6|g')
+          docker create --platform $platform --name forgejo-$arch ${{ steps.registry.outputs.host-port }}/${{ inputs.owner }}/${{ inputs.repository }}:${{ inputs.tag-version }}${{ inputs.suffix }}
+          binary="${{ inputs.binary-name }}-${{ inputs.tag-version }}-linux"
+          docker cp forgejo-$arch:${{ inputs.binary-path }} $binary-$arch
+          chmod +x $binary-$arch
+          # the displayed version has a + instead of the first -, deal with it
+          pattern=$(echo "${{ inputs.tag-version }}" | tr - .)
+          if ! ./$binary-$arch --version | grep "$pattern" ; then
+            echo "ERROR: expected version pattern $pattern not found in the output of $binary-$arch --version"
+            ./$binary-$arch --version
+            exit 1
+          fi
+          xz --keep -9 $binary-$arch
+          shasum -a 256 $binary-$arch > $binary-$arch.sha256
+          shasum -a 256 $binary-$arch.xz > $binary-$arch.xz.sha256
+          docker rm forgejo-$arch
+        done
+
+    - name: publish release
+      if: inputs.binary-name != ''
+      uses: https://code.forgejo.org/actions/forgejo-release@v1
+      with:
+        direction: upload
+        release-dir: release
+        release-notes: "${{ inputs.release-notes }}"
+        token: ${{ inputs.token }}
+        verbose: ${{ steps.verbose.outputs.value }}
diff --git a/.forgejo/actions/publish-release/action.yml b/.forgejo/actions/publish-release/action.yml
new file mode 100644
index 0000000000..42b6097ee0
--- /dev/null
+++ b/.forgejo/actions/publish-release/action.yml
@@ -0,0 +1,110 @@
+name: 'Publish release'
+author: 'Forgejo authors'
+description: |
+  Publish release
+
+inputs:
+  forgejo:
+    description: 'URL of the Forgejo instance where the release is uploaded (e.g. https://codeberg.org)'
+    required: true
+  from-owner:
+    description: 'the owner from which a release is to be copied (e.g forgejo-integration)'
+    required: true
+  to-owner:
+    description: 'the owner to which a release is to be copied (e.g. forgejo-experimental). It has be an organization in which doer has the required permissions. Or be the same as the doer'
+    required: true
+  repo:
+    description: 'the repository from which a release is to be copied relative to from-owner and to-owner'
+    default: 'forgejo'
+  ref-name:
+    description: 'ref_name of the tag of the release to be copied (e.g. github.ref_name)'
+    required: true
+  doer:
+    description: 'Name of the user authoring the release (e.g. release-team). The user must be authorized to create packages in to-owner and releases in to-owner/repo'
+    required: true
+  token:
+    description: 'application token created on forgejo by the doer, with a scope allowing it to create packages in to-owner and releases in to-owner/repo'
+    required: true
+  gpg-private-key:
+    description: 'GPG Private Key to sign the release artifacts'
+  gpg-passphrase:
+    description: 'Passphrase of the GPG Private Key'
+  verbose:
+    description: 'Increase the verbosity level'
+    default: 'false'
+
+runs:
+  using: "composite"
+  steps:
+    - id: hostport
+      run: |
+         url="${{ inputs.forgejo }}"
+         hostport=${url##http*://}
+         hostport=${hostport%%/}
+         echo "value=$hostport" >> "$GITHUB_OUTPUT"    
+
+    - id: tag-version
+      run: |
+        version="${{ inputs.ref-name }}"
+        version=${version##*v}
+        echo "value=$version" >> "$GITHUB_OUTPUT"
+
+    - name: Create the release notes
+      id: release-notes
+      run: |
+          anchor=${{ steps.tag-version.outputs.value }}
+          anchor=${anchor//./-}
+          cat >> "$GITHUB_OUTPUT" <<EOF
+          value<<ENDVAR
+          See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#$anchor
+          ENDVAR
+          EOF
+
+    - name: apt-get install docker.io
+      run: |
+        DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -qq -y docker.io
+
+    - name: download release
+      uses: https://code.forgejo.org/actions/forgejo-release@v1
+      with:
+        url: ${{ inputs.forgejo }}
+        repo: ${{ inputs.from-owner }}/${{ inputs.repo }}
+        direction: download
+        release-dir: release
+        download-retry: 60
+        token: ${{ inputs.token }}
+        verbose: ${{ inputs.verbose }}
+
+    - name: upload release
+      uses: https://code.forgejo.org/actions/forgejo-release@v1
+      with:
+        url: ${{ inputs.forgejo }}
+        repo: ${{ inputs.to-owner }}/${{ inputs.repo }}
+        direction: upload
+        release-dir: release
+        release-notes: ${{ steps.release-notes.outputs.value }}
+        token: ${{ inputs.token }}
+        gpg-private-key: ${{ inputs.gpg-private-key }}
+        gpg-passphrase: ${{ inputs.gpg-passphrase }}
+        verbose: ${{ inputs.verbose }}
+
+    - name: login to the registry
+      uses: https://github.com/docker/login-action@v2
+      with:
+          registry: ${{ steps.hostport.outputs.value }}
+          username: ${{ inputs.doer }}
+          password: ${{ inputs.token }}
+
+    - uses: https://code.forgejo.org/forgejo/forgejo-container-image@v1
+      env:
+        VERIFY: 'false'
+      with:
+        url: https://${{ steps.hostport.outputs.value }}
+        destination-owner: ${{ inputs.to-owner }}
+        owner: ${{ inputs.from-owner }}
+        suffixes: '-rootless'
+        project: ${{ inputs.repo }}
+        tag: ${{ steps.tag-version.outputs.value }}
+        doer: ${{ inputs.doer }}
+        token: ${{ inputs.token }}
+        verbose: ${{ inputs.verbose }}
diff --git a/.forgejo/testdata/build-release/Dockerfile b/.forgejo/testdata/build-release/Dockerfile
new file mode 100644
index 0000000000..4b6933845c
--- /dev/null
+++ b/.forgejo/testdata/build-release/Dockerfile
@@ -0,0 +1,3 @@
+FROM public.ecr.aws/docker/library/alpine:3.18
+RUN mkdir -p /app/gitea
+RUN ( echo '#!/bin/sh' ; echo "echo forgejo v1.2.3" ) > /app/gitea/gitea ; chmod +x /app/gitea/gitea
diff --git a/.forgejo/testdata/build-release/Makefile b/.forgejo/testdata/build-release/Makefile
new file mode 100644
index 0000000000..406acd06d2
--- /dev/null
+++ b/.forgejo/testdata/build-release/Makefile
@@ -0,0 +1,5 @@
+VERSION ?= $(shell cat VERSION 2>/dev/null)
+sources-tarbal:
+	mkdir -p dist/release
+	echo $(VERSION) > VERSION
+	sources=forgejo-src-$(VERSION).tar.gz ; tar --transform 's|^./|forgejo-src-$(VERSION)/|' -czf dist/release/forgejo-src-$(VERSION).tar.gz . ; cd dist/release ; shasum -a 256 $$sources > $$sources.sha256
diff --git a/.forgejo/testdata/build-release/modules/public/bindata.go b/.forgejo/testdata/build-release/modules/public/bindata.go
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.forgejo/testdata/build-release/public/assets/css/placeholder b/.forgejo/testdata/build-release/public/assets/css/placeholder
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.forgejo/testdata/build-release/public/assets/fonts/placeholder b/.forgejo/testdata/build-release/public/assets/fonts/placeholder
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.forgejo/testdata/build-release/public/assets/js/placeholder b/.forgejo/testdata/build-release/public/assets/js/placeholder
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/.forgejo/workflows/build-release-integration.yml b/.forgejo/workflows/build-release-integration.yml
new file mode 100644
index 0000000000..2920729d33
--- /dev/null
+++ b/.forgejo/workflows/build-release-integration.yml
@@ -0,0 +1,99 @@
+name: Integration tests for the release process
+
+on:
+  push:
+    paths:
+      - Makefile
+      - Dockerfile
+      - Dockerfile.rootless
+      - docker/**
+      - .forgejo/actions/build-release/action.yml
+      - .forgejo/workflows/build-release.yml
+      - .forgejo/workflows/build-release-integration.yml
+
+jobs:
+  release-simulation:
+    runs-on: self-hosted
+    if: secrets.ROLE != 'forgejo-integration' && secrets.ROLE != 'forgejo-experimental' && secrets.ROLE != 'forgejo-release'
+    steps:
+      - uses: actions/checkout@v3
+
+      - id: forgejo
+        uses: https://code.forgejo.org/actions/setup-forgejo@v1
+        with:
+          user: root
+          password: admin1234
+          image-version: 1.19
+          lxc-ip-prefix: 10.0.9
+
+      - name: publish the forgejo release
+        run: |
+          set -x
+
+          version=1.2.3
+          cat > /etc/docker/daemon.json <<EOF
+            {
+              "insecure-registries" : ["${{ steps.forgejo.outputs.host-port }}"]
+            }
+          EOF
+          systemctl restart docker
+
+          apt-get install -qq -y xz-utils
+
+          dir=$(mktemp -d)
+          trap "rm -fr $dir" EXIT
+
+          url=http://root:admin1234@${{ steps.forgejo.outputs.host-port }}
+          export FORGEJO_RUNNER_LOGS="${{ steps.forgejo.outputs.runner-logs }}"
+
+          #
+          # Create a new project with a fake forgejo and the release workflow only
+          #
+          cp -a .forgejo/testdata/build-release/* $dir
+          mkdir -p $dir/.forgejo/workflows
+          cp .forgejo/workflows/build-release.yml $dir/.forgejo/workflows
+          cp -a .forgejo/actions $dir/.forgejo/actions
+          cp $dir/Dockerfile $dir/Dockerfile.rootless
+
+          forgejo-test-helper.sh push $dir $url root forgejo
+          sha=$(forgejo-test-helper.sh branch_tip $url root/forgejo main)
+
+          #
+          # Push a tag to trigger the release workflow and wait for it to complete
+          #
+          forgejo-curl.sh api_json --data-raw '{"tag_name": "v'$version'", "target": "'$sha'"}' $url/api/v1/repos/root/forgejo/tags
+          LOOPS=180 forgejo-test-helper.sh wait_success "$url" root/forgejo $sha
+
+          #
+          # uncomment to see the logs even when everything is reported to be working ok
+          #
+          #cat $FORGEJO_RUNNER_LOGS
+
+          #
+          # Minimal sanity checks. e2e test is for the setup-forgejo
+          # action and the infrastructure playbook. Since the binary
+          # is a script shell it does not test the sanity of the cross
+          # build, only the sanity of the naming of the binaries.
+          #
+          for arch in amd64 arm64 arm-6 ; do
+            binary=forgejo-$version-linux-$arch
+            for suffix in '' '.xz' ; do
+              curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$binary$suffix > $binary$suffix
+              if test "$suffix" = .xz ; then
+                 unxz --keep $binary$suffix
+              fi
+              chmod +x $binary
+              ./$binary --version | grep $version
+              curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$binary$suffix.sha256 > $binary$suffix.sha256
+              shasum -a 256 --check $binary$suffix.sha256
+              rm $binary$suffix
+            done
+          done
+
+          sources=forgejo-src-$version.tar.gz
+          curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$sources > $sources
+          curl --fail -L -sS $url/root/forgejo/releases/download/v$version/$sources.sha256 > $sources.sha256
+          shasum -a 256 --check $sources.sha256
+
+          docker pull ${{ steps.forgejo.outputs.host-port }}/root/forgejo:$version
+          docker pull ${{ steps.forgejo.outputs.host-port }}/root/forgejo:$version-rootless
diff --git a/.forgejo/workflows/build-release.yml b/.forgejo/workflows/build-release.yml
new file mode 100644
index 0000000000..e080504261
--- /dev/null
+++ b/.forgejo/workflows/build-release.yml
@@ -0,0 +1,190 @@
+name: Build release
+
+on:
+  push:
+    tags: 'v*'
+
+jobs:
+  release:
+    runs-on: self-hosted
+    # root is used for testing, allow it
+    if: secrets.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Increase the verbosity when there are no secrets
+        id: verbose
+        run: |
+          if test -z "${{ secrets.TOKEN }}"; then
+            value=true
+          else
+            value=false
+          fi
+          echo "value=$value" >> "$GITHUB_OUTPUT"
+
+      - name: Sanitize the name of the repository
+        id: repository
+        run: |
+          set -x # comment out
+          repository="${{ github.repository }}"
+          echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
+
+      - name: When in a test environment, create a token
+        id: token
+        if: ${{ secrets.TOKEN == '' }}
+        run: |
+          apt-get -qq install -y jq
+          url="${{ env.GITHUB_SERVER_URL }}"
+          hostport=${url##http*://}
+          hostport=${hostport%%/}
+          doer=root
+          api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens
+          curl -sS -X DELETE $api/release
+          token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1)
+          echo "value=${token}" >> "$GITHUB_OUTPUT"
+
+      - uses: https://code.forgejo.org/actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - uses: https://code.forgejo.org/actions/setup-go@v4
+        with:
+          go-version: ">=1.20"
+          check-latest: true
+
+      - name: Create the version from ref_name
+        id: tag-version
+        run: |
+          version="${{ github.ref_name }}"
+          version=${version##*v}
+          echo "value=$version" >> "$GITHUB_OUTPUT"
+
+      - name: Create the release notes
+        id: release-notes
+        run: |
+          cat >> "$GITHUB_OUTPUT" <<EOF
+          value<<ENDVAR
+          See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#${{ steps.tag-version.outputs.value }}
+          ENDVAR
+          EOF
+
+      - name: Build sources
+        run: |
+          set -x
+          apt-get -qq install -y make
+          version=${{ steps.tag-version.outputs.value }}
+          #
+          # Make sure all files are owned by the current user.
+          # When run as root `npx webpack` will assume the identity
+          # of the owner of the current working directory and may
+          # fail to create files if some sub-directories are not owned
+          # by the same user.
+          #
+          #   Binaries:
+          #   Node: 18.17.0 - /usr/local/node-v18.17.0-linux-x64/bin/node
+          #   npm: 9.6.7 - /usr/local/node-v18.17.0-linux-x64/bin/npm
+          # Packages:
+          #   add-asset-webpack-plugin: 2.0.1 => 2.0.1
+          #   css-loader: 6.8.1 => 6.8.1
+          #   esbuild-loader: 3.0.1 => 3.0.1
+          #   license-checker-webpack-plugin: 0.2.1 => 0.2.1
+          #   monaco-editor-webpack-plugin: 7.0.1 => 7.0.1
+          #   vue-loader: 17.2.2 => 17.2.2
+          #   webpack: 5.87.0 => 5.87.0
+          #   webpack-cli: 5.1.4 => 5.1.4
+          #
+          chown -R $(id -u) .
+          make VERSION=$version TAGS=bindata sources-tarbal
+          mv dist/release release
+
+          (
+            tmp=$(mktemp -d)
+            tar --directory $tmp -zxvf release/*$version*.tar.gz
+            cd $tmp/*
+            #
+            # Verify `make frontend` files are available
+            #
+            test -d public/assets/css
+            test -d public/assets/fonts
+            test -d public/assets/js
+            #
+            # Verify `make generate` files are available
+            #
+            test -f modules/public/bindata.go
+            #
+            # Sanity check to verify that the source tarbal knows the
+            # version and is able to rebuild itself from it.
+            #
+            # When in sources the version is determined with git.
+            # When in the tarbal the version is determined from a VERSION file.
+            #
+            make sources-tarbal
+            tarbal=$(echo dist/release/*$version*.tar.gz)
+            if ! test -f $tarbal ; then
+              echo $tarbal does not exist
+              find dist release
+              exit 1
+            fi
+          )
+
+      - name: build container & release (when TOKEN secret is not set)
+        if: ${{ secrets.TOKEN == '' }}
+        uses: ./.forgejo/actions/build-release
+        with:
+          forgejo: "${{ env.GITHUB_SERVER_URL }}"
+          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
+          repository: "${{ steps.repository.outputs.value }}"
+          doer: root
+          tag-version: "${{ steps.tag-version.outputs.value }}"
+          token: ${{ steps.token.outputs.value }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          release-notes: "${{ steps.release-notes.outputs.value }}"
+          binary-name: forgejo
+          binary-path: /app/gitea/gitea
+          verbose: ${{ steps.verbose.outputs.value }}
+
+      - name: build rootless container (when TOKEN secret is not set)
+        if: ${{ secrets.TOKEN == '' }}
+        uses: ./.forgejo/actions/build-release
+        with:
+          forgejo: "${{ env.GITHUB_SERVER_URL }}"
+          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
+          repository: "${{ steps.repository.outputs.value }}"
+          doer: root
+          tag-version: "${{ steps.tag-version.outputs.value }}"
+          token: ${{ steps.token.outputs.value }}
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          suffix: -rootless
+          dockerfile: Dockerfile.rootless
+          verbose: ${{ steps.verbose.outputs.value }}
+
+      - name: build container & release (when TOKEN secret is set)
+        if: ${{ secrets.TOKEN != '' }}
+        uses: ./.forgejo/actions/build-release
+        with:
+          forgejo: "${{ env.GITHUB_SERVER_URL }}"
+          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
+          repository: "${{ steps.repository.outputs.value }}"
+          doer: "${{ secrets.DOER }}"
+          tag-version: "${{ steps.tag-version.outputs.value }}"
+          token: "${{ secrets.TOKEN }}"
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          release-notes: "${{ steps.release-notes.outputs.value }}"
+          binary-name: forgejo
+          binary-path: /app/gitea/gitea
+          verbose: ${{ steps.verbose.outputs.value }}
+
+      - name: build rootless container (when TOKEN secret is set)
+        if: ${{ secrets.TOKEN != '' }}
+        uses: ./.forgejo/actions/build-release
+        with:
+          forgejo: "${{ env.GITHUB_SERVER_URL }}"
+          owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
+          repository: "${{ steps.repository.outputs.value }}"
+          doer: "${{ secrets.DOER }}"
+          tag-version: "${{ steps.tag-version.outputs.value }}"
+          token: "${{ secrets.TOKEN }}"
+          platforms: linux/amd64,linux/arm64,linux/arm/v6
+          suffix: -rootless
+          dockerfile: Dockerfile.rootless
+          verbose: ${{ steps.verbose.outputs.value }}
diff --git a/.forgejo/workflows/publish-release.yml b/.forgejo/workflows/publish-release.yml
new file mode 100644
index 0000000000..c76e78cc12
--- /dev/null
+++ b/.forgejo/workflows/publish-release.yml
@@ -0,0 +1,60 @@
+# SPDX-License-Identifier: MIT
+#
+# See also https://forgejo.org/docs/next/developer/RELEASE/#release-process
+#
+# https://codeberg.org/forgejo-experimental/forgejo
+#
+#  Copies a release from codeberg.org/forgejo-integration to codeberg.org/forgejo-experimental
+#
+#  ROLE: forgejo-experimental
+#  FORGEJO: https://codeberg.org
+#  FROM_OWNER: forgejo-integration
+#  TO_OWNER: forgejo-experimental
+#  DOER: forgejo-experimental-ci
+#  TOKEN: <generated from codeberg.org/forgejo-experimental-ci>
+#
+# https://forgejo.octopuce.forgejo.org/forgejo/forgejo
+#
+#  Copies & sign a release from codeberg.org/forgejo-integration to codeberg.org/forgejo
+#
+#  ROLE: forgejo-release
+#  FORGEJO: https://codeberg.org
+#  FROM_OWNER: forgejo-integration
+#  TO_OWNER: forgejo
+#  DOER: release-team
+#  TOKEN: <generated from codeberg.org/release-team>
+#  GPG_PRIVATE_KEY: <XYZ>
+#  GPG_PASSPHRASE: <ABC>
+#
+name: Pubish release
+
+on: 
+  push:
+    tags: 'v*'
+
+jobs:
+  publish:
+    runs-on: self-hosted
+    if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != ''
+    steps:
+      - name: install the certificate authority
+        if: secrets.ROLE == 'forgejo-release'
+        run: |
+          apt-get install -qq -y wget
+          wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt
+          update-ca-certificates --fresh
+
+      - uses: actions/checkout@v3
+
+      - name: copy & sign binaries and container images from one owner to another
+        uses: ./.forgejo/actions/publish-release
+        with:
+          forgejo: ${{ secrets.FORGEJO }}
+          from-owner: ${{ secrets.FROM_OWNER }}
+          to-owner: ${{ secrets.TO_OWNER }}
+          ref-name: ${{ github.ref_name }}
+          doer: ${{ secrets.DOER }}
+          token: ${{ secrets.TOKEN }}
+          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          verbose: ${{ secrets.VERBOSE }}
diff --git a/Dockerfile b/Dockerfile
index 67c5398917..98d1d707b5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,6 @@
-# Build stage
-FROM docker.io/library/golang:1.21-alpine3.19 AS build-env
+FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21-alpine3.19 as build-env
 
 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@@ -9,24 +10,33 @@ ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS "bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
-# Build deps
-RUN apk --no-cache add \
-    build-base \
-    git \
-    nodejs \
-    npm \
-    && rm -rf /var/cache/apk/*
+#
+# Transparently cross compile for the target platform
+#
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN apk --no-cache add clang lld
+RUN xx-apk --no-cache add gcc musl-dev
+ENV CGO_ENABLED=1
+RUN xx-go --wrap
+#
+# for go generate and binfmt to find
+# without it the generate phase will fail with
+# #19 25.04 modules/public/public_bindata.go:8: running "go": exit status 1
+# #19 25.39 aarch64-binfmt-P: Could not open '/lib/ld-musl-aarch64.so.1': No such file or directory
+# why exactly is it needed? where is binfmt involved?
+#
+RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
+
+RUN apk --no-cache add build-base git nodejs npm
 
-# Setup repo
 COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 
-# Checkout version if set
-RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
- && make clean-all build
-
-# Begin env-to-ini build
-RUN go build contrib/environment-to-ini/environment-to-ini.go
+RUN make clean-all
+RUN make frontend
+RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
+RUN make go-check generate-backend static-executable && xx-verify gitea
 
 # Copy local files
 COPY docker/root /tmp/local
@@ -81,6 +91,7 @@ ENTRYPOINT ["/usr/bin/entrypoint"]
 CMD ["/bin/s6-svscan", "/etc/s6"]
 
 COPY --from=build-env /tmp/local /
+RUN cd /usr/local/bin ; ln -s gitea forgejo
 COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
index a41c27b3e2..0c09df61a9 100644
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -1,5 +1,6 @@
-# Build stage
-FROM docker.io/library/golang:1.21-alpine3.19 AS build-env
+FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21-alpine3.19 as build-env
 
 ARG GOPROXY
 ENV GOPROXY ${GOPROXY:-direct}
@@ -9,24 +10,33 @@ ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS "bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
-#Build deps
-RUN apk --no-cache add \
-    build-base \
-    git \
-    nodejs \
-    npm \
-    && rm -rf /var/cache/apk/*
+#
+# Transparently cross compile for the target platform
+#
+COPY --from=xx / /
+ARG TARGETPLATFORM
+RUN apk --no-cache add clang lld
+RUN xx-apk --no-cache add gcc musl-dev
+ENV CGO_ENABLED=1
+RUN xx-go --wrap
+#
+# for go generate and binfmt to find
+# without it the generate phase will fail with
+# #19 25.04 modules/public/public_bindata.go:8: running "go": exit status 1
+# #19 25.39 aarch64-binfmt-P: Could not open '/lib/ld-musl-aarch64.so.1': No such file or directory
+# why exactly is it needed? where is binfmt involved?
+#
+RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
+
+RUN apk --no-cache add build-base git nodejs npm
 
-# Setup repo
 COPY . ${GOPATH}/src/code.gitea.io/gitea
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 
-# Checkout version if set
-RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
- && make clean-all build
-
-# Begin env-to-ini build
-RUN go build contrib/environment-to-ini/environment-to-ini.go
+RUN make clean-all
+RUN make frontend
+RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
+RUN make go-check generate-backend static-executable && xx-verify gitea
 
 # Copy local files
 COPY docker/rootless /tmp/local
@@ -69,18 +79,19 @@ RUN mkdir -p /var/lib/gitea /etc/gitea
 RUN chown git:git /var/lib/gitea /etc/gitea
 
 COPY --from=build-env /tmp/local /
+RUN cd /usr/local/bin ; ln -s gitea forgejo
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
 COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
 COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 
-# git:git
+#git:git
 USER 1000:1000
 ENV GITEA_WORK_DIR /var/lib/gitea
 ENV GITEA_CUSTOM /var/lib/gitea/custom
 ENV GITEA_TEMP /tmp/gitea
 ENV TMPDIR /tmp/gitea
 
-# TODO add to docs the ability to define the ini to load (useful to test and revert a config)
+#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
 ENV GITEA_APP_INI /etc/gitea/app.ini
 ENV HOME "/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
@@ -88,3 +99,4 @@ WORKDIR /var/lib/gitea
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
 CMD []
+
diff --git a/Makefile b/Makefile
index ce67c0bcf0..48bbc5cbcc 100644
--- a/Makefile
+++ b/Makefile
@@ -83,31 +83,14 @@ endif
 STORED_VERSION_FILE := VERSION
 HUGO_VERSION ?= 0.111.3
 
-GITHUB_REF_TYPE ?= branch
-GITHUB_REF_NAME ?= $(shell git rev-parse --abbrev-ref HEAD)
 
-ifneq ($(GITHUB_REF_TYPE),branch)
-	VERSION ?= $(subst v,,$(GITHUB_REF_NAME))
-	GITEA_VERSION ?= $(VERSION)
+STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
+ifneq ($(STORED_VERSION),)
+  GITEA_VERSION ?= $(STORED_VERSION)
 else
-	ifneq ($(GITHUB_REF_NAME),)
-		VERSION ?= $(subst release/v,,$(GITHUB_REF_NAME))
-	else
-		VERSION ?= main
-	endif
-
-	STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
-	ifneq ($(STORED_VERSION),)
-		GITEA_VERSION ?= $(STORED_VERSION)
-	else
-		GITEA_VERSION ?= $(shell git describe --tags --always | sed 's/-/+/' | sed 's/^v//')
-	endif
-endif
-
-# if version = "main" then update version to "nightly"
-ifeq ($(VERSION),main)
-	VERSION := main-nightly
+  GITEA_VERSION ?= $(shell git describe --tags --always | sed 's/-/+/' | sed 's/^v//')
 endif
+VERSION = ${GITEA_VERSION}
 
 LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(GITEA_VERSION)" -X "main.Tags=$(TAGS)"
 
@@ -788,9 +771,15 @@ security-check:
 $(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
 
+static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
+
 .PHONY: release
 release: frontend generate release-windows release-linux release-darwin release-freebsd release-copy release-compress vendor release-sources release-docs release-check
 
+# just the sources, with all assets builtin and frontend resources generated
+sources-tarbal: frontend generate vendor release-sources release-check
+
 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)