CoreTrace · SizzleUnrlsd · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026 · Feb 26, 2026
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -29,6 +29,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -99,7 +102,7 @@ jobs:
           file: ./Dockerfile
           push: true
           tags: ${{ steps.tags.outputs.runtime_tags }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -110,7 +113,7 @@ jobs:
           file: ./Dockerfile.ci
           push: true
           tags: ${{ steps.tags.outputs.ci_tags }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           build-args: |
             CORETRACE_RUNTIME_IMAGE=${{ steps.images.outputs.runtime }}:${{ steps.tags.outputs.version }}
             VERSION=${{ steps.tags.outputs.version }}

diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml
@@ -0,0 +1,120 @@
+name: Build Release Binaries
+
+on:
+  pull_request:
+    branches:
+      - "**"
+  push:
+    branches:
+      - "main"
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-linux-binaries:
+    name: Build Linux binary (${{ matrix.arch }})
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            arch: amd64
+          - platform: linux/arm64
+            arch: arm64
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Resolve artifact version
+        id: version
+        shell: bash
+        run: |
+          set -euo pipefail
+          short_sha="$(git rev-parse --short=12 HEAD)"
+          if [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+            version="${GITHUB_REF_NAME}"
+          else
+            version="sha-${short_sha}"
+          fi
+          echo "value=${version}" >> "${GITHUB_OUTPUT}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build packaged binary with Buildx
+        shell: bash
+        run: |
+          set -euo pipefail
+          out_dir="dist/${{ matrix.arch }}"
+          mkdir -p "${out_dir}"
+          docker buildx build \
+            --platform "${{ matrix.platform }}" \
+            --file Dockerfile.release-binaries \
+            --target artifacts \
+            --build-arg VERSION="${{ steps.version.outputs.value }}" \
+            --output "type=local,dest=${out_dir}" \
+            .
+          ls -la "${out_dir}"
+
+      - name: Validate artifact files
+        shell: bash
+        run: |
+          set -euo pipefail
+          artifact_dir="dist/${{ matrix.arch }}"
+          archive="${artifact_dir}/coretrace-stack-analyzer-${{ steps.version.outputs.value }}-linux-${{ matrix.arch }}.tar.gz"
+          checksum="${archive}.sha256"
+          test -f "${archive}" || { echo "missing archive: ${archive}"; exit 1; }
+          test -f "${checksum}" || { echo "missing checksum: ${checksum}"; exit 1; }
+          (
+            cd "${artifact_dir}"
+            sha256sum -c "$(basename "${checksum}")"
+          )
+
+      - name: Upload workflow artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: coretrace-stack-analyzer-${{ steps.version.outputs.value }}-linux-${{ matrix.arch }}
+          path: |
+            dist/${{ matrix.arch }}/*.tar.gz
+            dist/${{ matrix.arch }}/*.sha256
+          if-no-files-found: error
+
+  publish-release-assets:
+    name: Attach binaries to GitHub Release
+    runs-on: ubuntu-24.04
+    needs: build-linux-binaries
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: write
+
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: coretrace-stack-analyzer-*-linux-*
+          path: dist
+          merge-multiple: true
+
+      - name: Show release files
+        shell: bash
+        run: |
+          set -euo pipefail
+          ls -la dist
+
+      - name: Publish release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*.tar.gz
+            dist/*.sha256
+          fail_on_unmatched_files: true
+          generate_release_notes: true
diff --git a/Dockerfile.release-binaries b/Dockerfile.release-binaries
@@ -0,0 +1,67 @@
+# syntax=docker/dockerfile:1.7
+
+FROM ubuntu:24.04 AS base
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG LLVM_VERSION=20
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    gnupg \
+    lsb-release \
+    software-properties-common \
+    build-essential \
+    cmake \
+    ninja-build \
+    python3 \
+    git \
+    tar \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -fsSL https://apt.llvm.org/llvm.sh -o /tmp/llvm.sh \
+    && chmod +x /tmp/llvm.sh \
+    && /tmp/llvm.sh ${LLVM_VERSION} \
+    && rm -f /tmp/llvm.sh \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends libclang-${LLVM_VERSION}-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /repo
+
+FROM base AS builder
+
+COPY . /repo
+
+RUN cmake -S . -B build -G Ninja \
+        -DCMAKE_BUILD_TYPE=Release \
+        -DLLVM_DIR=/usr/lib/llvm-${LLVM_VERSION}/lib/cmake/llvm \
+        -DClang_DIR=/usr/lib/llvm-${LLVM_VERSION}/lib/cmake/clang \
+        -DCLANG_LINK_CLANG_DYLIB=ON \
+        -DLLVM_LINK_LLVM_DYLIB=ON \
+        -DUSE_SHARED_LIB=OFF \
+    && cmake --build build -j"$(nproc)" \
+    && ./build/stack_usage_analyzer --help >/dev/null
+
+FROM builder AS packager
+
+ARG VERSION=dev
+ARG TARGETARCH
+
+RUN set -eux; \
+    case "${TARGETARCH}" in \
+      amd64) arch_label="amd64" ;; \
+      arm64) arch_label="arm64" ;; \
+      *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
+    esac; \
+    package_name="coretrace-stack-analyzer-${VERSION}-linux-${arch_label}"; \
+    mkdir -p "/out/${package_name}"; \
+    install -m 0755 /repo/build/stack_usage_analyzer "/out/${package_name}/stack_usage_analyzer"; \
+    install -m 0644 /repo/README.md "/out/${package_name}/README.md"; \
+    tar -C /out -czf "/out/${package_name}.tar.gz" "${package_name}"; \
+    (cd /out && sha256sum "${package_name}.tar.gz" > "${package_name}.tar.gz.sha256"); \
+    rm -rf "/out/${package_name}"
+
+FROM scratch AS artifacts
+
+COPY --from=packager /out/ /