feat: add Windows builds to publish pipeline

[wolf31o2]

• Include windows-amd64 and windows-arm64 in build matrix
• Handle .exe extension for Windows binaries in upload and attestation
• Update cache path for Windows runners

---

Summary by cubic

Add Windows (amd64, arm64) to the publish pipeline and make release packaging and attestation Windows-aware.

• New Features
  • Build matrix includes windows-amd64 and windows-arm64.
  • Release tarballs include the .exe binary on Windows.
  • CI uses the Windows Go build cache path and sets attestation subject to the .exe on Windows.

^{Written for commit 3e7c1a7. Summary will update automatically on new commits.}

Summary by CodeRabbit

• Chores
  • Added Windows platform support to the release pipeline with Windows runners for amd64 and arm64.
  • Adjusted build behavior and cache resolution to handle Windows alongside macOS/Linux.
  • Adopted Windows-specific binary naming (.exe), updated release asset packaging and attest subject handling.
  • Ensured build and attest steps use an explicit shell where required for Windows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

This change updates .github/workflows/publish.yml to add Windows runners (windows-latest) for amd64 and arm64 to the build matrix; extend Go build cache path resolution to handle Windows via AppData; append .exe to Windows binary names and use that name when creating release tarballs, upload assets, and attest subject-paths; and set the shell to bash for the Windows-specific build and attest steps.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify Windows AppData-based Go build cache path logic is correct and does not clash with other runner caches.
• Confirm .exe naming is applied consistently across build, packaging, upload, and attest/provenance steps.
• Check conditionals to ensure macOS/Linux flows remain unchanged.
• Ensure bash is available on the Windows runners and that the shell selection is appropriate.

Possibly related PRs

• ci: enable go caching #1058: Modifies the .github/workflows/publish.yml workflow and addresses cross-OS Go build cache handling, strongly related to the Windows caching and workflow changes in this PR.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly summarizes the main change: adding Windows builds to the publish pipeline, which directly aligns with the primary objective.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/publish-windows

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c4ddb3 and 3e7c1a7.

📒 Files selected for processing (1)

• .github/workflows/publish.yml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/publish.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Analyze (go)
• GitHub Check: go-test (1.24.x, windows-latest)
• GitHub Check: go-test (1.25.x, windows-latest)
• GitHub Check: go-test (1.25.x, ubuntu-latest)
• GitHub Check: go-test (1.25.x, macos-latest)
• GitHub Check: nilaway

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 00c6b4b and 0b9211f.

📒 Files selected for processing (1)

• .github/workflows/publish.yml (4 hunks)

🧰 Additional context used

🪛 YAMLlint (1.37.1)

.github/workflows/publish.yml

[error] 119-119: syntax error: expected , but found ''

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: go-test (1.25.x, windows-latest)
• GitHub Check: go-test (1.24.x, ubuntu-latest)
• GitHub Check: go-test (1.24.x, macos-latest)
• GitHub Check: go-test (1.25.x, macos-latest)
• GitHub Check: go-test (1.24.x, windows-latest)
• GitHub Check: nilaway
• GitHub Check: lint
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

.github/workflows/publish.yml (1)

95-95: I'll help you verify the Windows cache path escaping in the GitHub Actions workflow. Let me search for information about how GitHub Actions handles backslash escaping in YAML expressions.
<function_calls>

GitHub Actions Windows path backslash escaping YAML expressions

</function_calls>

I'll also examine the workflow file to understand the context better:
<function_calls>


#!/bin/bash

Check the workflow file around line 95

cat -n .github/workflows/publish.yml | sed -n '85,105p'


</function_calls>

[cubic-dev-ai]

2 issues found across 1 file

Prompt for AI agents (all 2 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/workflows/publish.yml">

<violation number="1" location=".github/workflows/publish.yml:105">
These new POSIX shell lines run under PowerShell on windows-latest (the default shell for Windows runners), so the Windows jobs will fail before archiving any artifact unless you explicitly run the step under bash or rewrite it for PowerShell.</violation>

<violation number="2" location=".github/workflows/publish.yml:119">
The `subject-path` value is wrapped in single quotes even though the contained expression uses single-quoted literals. YAML treats the inner quotes as the end of the scalar, so the workflow cannot be parsed. Use double quotes (or escape the inner quotes) around the expression.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

The subject-path value is wrapped in single quotes even though the contained expression uses single-quoted literals. YAML treats the inner quotes as the end of the scalar, so the workflow cannot be parsed. Use double quotes (or escape the inner quotes) around the expression.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish.yml, line 119:

<comment>The `subject-path` value is wrapped in single quotes even though the contained expression uses single-quoted literals. YAML treats the inner quotes as the end of the scalar, so the workflow cannot be parsed. Use double quotes (or escape the inner quotes) around the expression.</comment>

<file context>
@@ -106,7 +116,7 @@ jobs:
         uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 https://github.com/actions/attest-build-provenance/releases/tag/v3.0.0
         with:
-          subject-path: &#39;${{ env.APPLICATION_NAME }}&#39;
+          subject-path: &#39;${{ matrix.os == &#39;windows&#39; &amp;&amp; format(&#39;{0}.exe&#39;, env.APPLICATION_NAME) || env.APPLICATION_NAME }}&#39;
 
   build-images:
</file context>

Suggested change

	subject-path: '${{ matrix.os == 'windows' && format('{0}.exe', env.APPLICATION_NAME) || env.APPLICATION_NAME }}'
	subject-path: "${{ matrix.os == 'windows' && format('{0}.exe', env.APPLICATION_NAME) || env.APPLICATION_NAME }}"

[cubic-dev-ai]

These new POSIX shell lines run under PowerShell on windows-latest (the default shell for Windows runners), so the Windows jobs will fail before archiving any artifact unless you explicitly run the step under bash or rewrite it for PowerShell.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/publish.yml, line 105:

<comment>These new POSIX shell lines run under PowerShell on windows-latest (the default shell for Windows runners), so the Windows jobs will fail before archiving any artifact unless you explicitly run the step under bash or rewrite it for PowerShell.</comment>

<file context>
@@ -95,8 +101,12 @@ jobs:
         if: startsWith(github.ref, &#39;refs/tags/&#39;)
         run: |
+          _binary_name=${{ env.APPLICATION_NAME }}
+          if [ &quot;${{ matrix.os }}&quot; = &quot;windows&quot; ]; then
+            _binary_name=&quot;${{ env.APPLICATION_NAME }}.exe&quot;
+          fi
</file context>