Summary
The release CI workflow writes built binaries to one directory and then attempts to copy from a different one, so no files are staged into ./release/. The published release contains the binary names in the title (e.g. KeyCredentialHound-linux-amd64) but zero attached assets.
Location
- File(s):
.github/workflows/release.yaml, .github/workflows/commit.yaml
- Lines:
release.yaml "Build Binary" step (writes to ../build/...) and "Prepare Release Assets" step (copies from ./build/...); commit.yaml has the same mkdir/OUTPUT_PATH mismatch but does not publish anywhere.
Category
functional
Severity
high
Impact: every release tag fails to produce downloadable binaries. The README links a "release version" badge, but the v1.0.0 release on the public GitHub UI has 0 assets attached, breaking the documented ./KeyCredentialHound install workflow for users who do not build from source.
Reproduction / Evidence
Verified by code analysis and remote inspection:
-
release.yaml Build Binary step:
run: |
mkdir -p bin
OUTPUT_PATH="../build/${{ matrix.binaryname }}-${{ matrix.os }}-${{ matrix.arch }}"
go build -ldflags="-s -w" -o $OUTPUT_PATH${{ matrix.os == 'windows' && '.exe' || '' }}mkdir -p bin creates ./bin (unused). go build -o ../build/... writes the binary one level above the workspace.
-
Prepare Release Assets step:
run: |
mkdir -p ./release/
cp ./build/${{ matrix.binaryname }}-* ./release/Copies from ./build/ (does not exist — the binary is in ../build/). The glob does not match, so either the step fails or it copies nothing depending on shell glob options.
-
Upload step then uploads ./release/${{ matrix.binaryname }}-* which is empty.
-
Remote evidence:
$ gh release view v1.0.0 --json assets --jq '.assets | length'
0
Expected Behavior
Each matrix entry produces a binary that is uploaded to the GitHub release for the tag.
Actual Behavior
The release page exists but contains no attached binaries.
Root Cause
Inconsistent path handling between the build and packaging steps: the build writes to ../build/ (parent of workspace) while packaging reads from ./build/ (inside workspace). The unrelated mkdir -p bin further obscures the intent.
Summary
The release CI workflow writes built binaries to one directory and then attempts to copy from a different one, so no files are staged into
./release/. The published release contains the binary names in the title (e.g.KeyCredentialHound-linux-amd64) but zero attached assets.Location
.github/workflows/release.yaml,.github/workflows/commit.yamlrelease.yaml"Build Binary" step (writes to../build/...) and "Prepare Release Assets" step (copies from./build/...);commit.yamlhas the samemkdir/OUTPUT_PATHmismatch but does not publish anywhere.Category
functionalSeverity
highImpact: every release tag fails to produce downloadable binaries. The README links a "release version" badge, but the v1.0.0 release on the public GitHub UI has 0 assets attached, breaking the documented
./KeyCredentialHoundinstall workflow for users who do not build from source.Reproduction / Evidence
Verified by code analysis and remote inspection:
release.yamlBuild Binary step:mkdir -p bincreates./bin(unused).go build -o ../build/...writes the binary one level above the workspace.Prepare Release Assets step:
Copies from
./build/(does not exist — the binary is in../build/). The glob does not match, so either the step fails or it copies nothing depending on shell glob options.Upload step then uploads
./release/${{ matrix.binaryname }}-*which is empty.Remote evidence:
Expected Behavior
Each matrix entry produces a binary that is uploaded to the GitHub release for the tag.
Actual Behavior
The release page exists but contains no attached binaries.
Root Cause
Inconsistent path handling between the build and packaging steps: the build writes to
../build/(parent of workspace) while packaging reads from./build/(inside workspace). The unrelatedmkdir -p binfurther obscures the intent.