Shippo is a polyglot release orchestrator for Rust, Go, Node, and Python. It builds, packages, signs, and publishes GitHub Releases with deterministic artifacts, SBOMs (CycloneDX by default), and manifest-driven verification.

```sh
cargo install --path crates/shippo
shippo init
shippo plan
shippo build
shippo package
shippo release --dry-run
```

- Rust: see `tests/fixtures/rust-hello/.shippo.toml` (generate via `shippo init`).
- Monorepo: use `[[packages]]` entries per project.

- `shippo init` – detect projects and scaffold `.shippo.toml`.
- `shippo plan` – render build plan (`--json` available).
- `shippo build` – run language-specific builders for configured targets.
- `shippo package` – create archives, SBOMs, `SHA256SUMS`, `manifest.json`, signatures, and provenance.
- `shippo release` – build + package + publish a GitHub Release (draft by default, `--dry-run` to skip publish).
- `shippo verify` – validate manifest, checksums, signatures, and SBOM presence.

- Native builders for Rust (cargo), Go (`go build` with ldflags), Node (frontend builds or CLI binaries via `pkg`/`nexe`), and Python (wheel or PyInstaller).
- SBOM generation (CycloneDX) with fallback lockfile-derived metadata.
- Signing support: cosign keyless (preferred in CI) or GPG; verification via manifest references.
- Deterministic packaging: archive naming templates, `manifest.json`, `SHA256SUMS`, and `provenance.json`.
- GitHub Release publishing with changelog generation and asset uploads.
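
A release consumer can reproduce the checksum part of verification without Shippo installed. The following is an added example, not Shippo's own code: it assumes `SHA256SUMS` uses the coreutils `sha256sum` line format and sits beside the artifacts, and the file names in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed line format (coreutils sha256sum): "<64 hex>  <name>" or "<64 hex> *<name>".
LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def verify_dir(dist: Path, sums_name: str = "SHA256SUMS") -> list:
    """Return a list of problems; an empty list means every file matched."""
    problems, listed = [], set()
    root = dist.resolve()
    for n, line in enumerate((root / sums_name).read_text().splitlines(), 1):
        m = LINE.match(line)
        if not m:
            problems.append(f"line {n}: malformed entry")
            continue
        want, name = m.group(1).lower(), m.group(2)
        target = (root / name).resolve()
        if root not in target.parents:  # entry points outside the release directory
            problems.append(f"{name}: escapes release directory")
            continue
        listed.add(target)
        if not target.is_file():
            problems.append(f"{name}: missing")
        elif hashlib.sha256(target.read_bytes()).hexdigest() != want:
            problems.append(f"{name}: checksum mismatch")
    # A file that no checksum line covers is unverified, so report it too.
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != sums_name and p.resolve() not in listed:
            problems.append(f"{p.relative_to(root)}: not listed")
    return problems


def demo() -> list:
    """Constructed release directory: one intact, one tampered, one unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        dist = Path(d)
        (dist / "app.tar.gz").write_bytes(b"constructed artifact")
        (dist / "app.cdx.json").write_bytes(b"{}")
        (dist / "extra.bin").write_bytes(b"unlisted")
        good = hashlib.sha256(b"constructed artifact").hexdigest()
        stale = hashlib.sha256(b"before tampering").hexdigest()
        (dist / "SHA256SUMS").write_text(
            f"{good}  app.tar.gz\n{stale}  app.cdx.json\n{'0' * 64}  ../outside\n")
        return verify_dir(dist)
```

Checksums only show that files match the list; the list itself still has to be authenticated through its signature. Files the checksum list intentionally leaves out, such as a signature over the list, need an explicit allow-list before the "not listed" check is enforced.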

See `.github/workflows/ci.yml` and `docs/github-actions.md` for recommended workflows. `release.yml` dogfoods Shippo to publish tagged releases.

- `docs/config.md` – full configuration reference.
- `docs/signing.md` – cosign keyless & GPG guidance.
- `docs/sbom.md` – SBOM generation and fallback behavior.
- `docs/github-actions.md` – CI examples.
- `docs/troubleshooting.md` – common issues and fixes.