Add release and image workflows, stop pushing images from CI

Add a release workflow triggered on v* tags that builds bbox
binaries (linux/amd64, linux/arm64, darwin/arm64) and creates
a GitHub Release with tarballs and SHA-256 checksums.

Add a dedicated images workflow for building and pushing guest
container images to GHCR on a weekly schedule, manual dispatch,
or when images/** changes on main.

Remove image push logic from CI — it now only validates that
images build successfully. Document all three workflows in
CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

.github/workflows/ci.yaml

@@ -109,9 +109,6 @@ jobs:
   images:
     name: Build Images
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
@@ -122,15 +119,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
-      - name: Log in to GHCR
-        uses: docker/login-action@v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Build images
         uses: docker/bake-action@v7
         with:
           files: docker-bake.hcl
-          push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}

.github/workflows/images.yaml

@@ -0,0 +1,44 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Images
+
+on:
+  schedule:
+    - cron: "0 6 * * 1" # Every Monday at 06:00 UTC
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - "images/**"
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  images:
+    name: Build and Push Images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push images
+        uses: docker/bake-action@v7
+        with:
+          files: docker-bake.hcl
+          push: true

.github/workflows/release.yaml

@@ -0,0 +1,97 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  GOPRIVATE: github.com/stacklok/*
+  GH_TOKEN: ${{ secrets.GO_MODULE_TOKEN || github.token }}
+
+jobs:
+  build:
+    name: Build (${{ matrix.os }}-${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - os: linux
+            arch: amd64
+            runner: ubuntu-latest
+          - os: linux
+            arch: arm64
+            runner: ubuntu-24.04-arm
+          - os: darwin
+            arch: arm64
+            runner: macos-15
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Configure Git for private modules
+        run: |
+          git config --global url."https://${{ github.actor }}:${{ secrets.GO_MODULE_TOKEN }}@github.com/".insteadOf "https://github.com/"
+
+      - name: Install Task
+        uses: go-task/setup-task@v1
+
+      - name: Build bbox
+        run: task build
+
+      - name: Verify version
+        run: |
+          echo "Binary reports: $(./bin/bbox --version)"
+          echo "Expected tag: ${{ github.ref_name }}"
+
+      - name: Package binary
+        run: |
+          mkdir -p dist
+          tar -czf dist/bbox-${{ matrix.os }}-${{ matrix.arch }}.tar.gz -C bin bbox
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: bbox-${{ matrix.os }}-${{ matrix.arch }}
+          path: dist/bbox-${{ matrix.os }}-${{ matrix.arch }}.tar.gz
+
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+
+      - name: Generate checksums
+        run: sha256sum bbox-*.tar.gz > sha256sums.txt
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh release view "${{ github.ref_name }}" >/dev/null 2>&1; then
+            gh release upload "${{ github.ref_name }}" --clobber \
+              bbox-*.tar.gz sha256sums.txt
+          else
+            gh release create "${{ github.ref_name }}" --generate-notes \
+              bbox-*.tar.gz sha256sums.txt
+          fi

CLAUDE.md

@@ -117,6 +117,22 @@ review:
 
 Execution order: create snapshot → start VM → terminal → stop VM → diff → review → flush → cleanup.
 
+## CI/CD
+
+Three GitHub Actions workflows:
+
+- **CI** (`.github/workflows/ci.yaml`) — Runs on pushes to `main` and PRs. Jobs: test, lint, build (matrix: ubuntu + macOS). Also validates image builds (build-only, no push).
+- **Images** (`.github/workflows/images.yaml`) — Dedicated image build and push. Triggers: weekly schedule (Monday 06:00 UTC), manual dispatch, and pushes to `main` that touch `images/**`. Pushes all guest images (base, claude-code, codex, opencode) as `:latest` to GHCR.
+- **Release** (`.github/workflows/release.yaml`) — Triggered by `v*` tag pushes. Builds `bbox` binaries natively on linux/amd64, linux/arm64, and darwin/arm64 using `task build` (embeds bbox-init + propolis runtime). Packages tarballs, generates SHA-256 checksums, and creates a GitHub Release with auto-generated notes.
+
+To cut a release:
+```bash
+git tag v0.0.X
+git push origin v0.0.X
+```
+
+Image tagging is `:latest` only — images are not versioned with release tags. They are rebuilt weekly and on any change to `images/`.
+
 ## Things That Will Bite You
 
 - **propolis is a tagged dependency**: `go.mod` depends on `github.com/stacklok/propolis` as a versioned module. `build` downloads pre-built propolis runtime artifacts and embeds them — no local checkout or system libkrun needed. Use `build-dev-system` to build propolis-runner from source (requires `libkrun-devel`).