Shippo

Shippo is a polyglot release orchestrator for Rust, Go, Node, and Python. It builds, packages, signs, and publishes GitHub Releases with deterministic artifacts, SBOMs (CycloneDX by default), and manifest-driven verification.

Quickstart

cargo install --path crates/shippo
shippo init
shippo plan
shippo build
shippo package
shippo release --dry-run

Example configs

• Rust: see tests/fixtures/rust-hello/.shippo.toml (generate via shippo init).
• Monorepo: use [[packages]] entries per project.

Command overview

• shippo init – detect projects and scaffold .shippo.toml.
• shippo plan – render build plan (--json available).
• shippo build – run language-specific builders for configured targets.
• shippo package – create archives, SBOMs, SHA256SUMS, manifest.json, signatures, and provenance.
• shippo release – build + package + publish a GitHub Release (draft by default, --dry-run to skip publish).
• shippo verify – validate manifest, checksums, signatures, and SBOM presence.

Features

• Native builders for Rust (cargo), Go (go build with ldflags), Node (frontend builds or CLI binaries via pkg/nexe), and Python (wheel or PyInstaller).
• SBOM generation (CycloneDX) with fallback lockfile-derived metadata.
• Signing support: cosign keyless (preferred in CI) or GPG; verification via manifest references.
• Deterministic packaging: archive naming templates, manifest.json, SHA256SUMS, and provenance.json.
• GitHub Release publishing with changelog generation and asset uploads.

CI usage

See .github/workflows/ci.yml and docs/github-actions.md for recommended workflows. release.yml dogfoods Shippo to publish tagged releases.

Documentation

• docs/config.md – full configuration reference.
• docs/signing.md – cosign keyless & GPG guidance.
• docs/sbom.md – SBOM generation and fallback behavior.
• docs/github-actions.md – CI examples.
• docs/troubleshooting.md – common issues and fixes.