From 0cec30c9bbda7a29d1601527203c0e4f4c51d057 Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson <micheal.wilkinson@createfuture.com>
Date: Sat, 21 Mar 2026 23:02:29 +0000
Subject: [PATCH] chore(workflows): add container upx fallback

---
 .gitea/workflows/release.yml        | 34 ++++++++++++++++++++++++-----
 .gitea/workflows/update-release.yml | 34 ++++++++++++++++++++++++-----
 2 files changed, 58 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index add4f8a..8086775 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -251,25 +251,49 @@ jobs:
           set -euo pipefail
 
           upx_cmd=""
+          upx_runner=""
           if command -v upx >/dev/null 2>&1; then
             upx_cmd=upx
           elif command -v upx-ucl >/dev/null 2>&1; then
             upx_cmd=upx-ucl
+          elif command -v docker >/dev/null 2>&1; then
+            upx_runner=docker
+          elif command -v podman >/dev/null 2>&1; then
+            upx_runner=podman
           else
-            echo "UPX is not available on PATH; continuing without binary compression." >&2
+            echo "UPX is not available on PATH and no container runtime is available; continuing without binary compression." >&2
           fi
 
           mkdir -p dist
 
+          compress_with_upx() {
+            local file="$1"
+
+            if [[ -n "${upx_cmd}" ]]; then
+              "${upx_cmd}" --best --lzma "${file}"
+              return
+            fi
+
+            if [[ "${upx_runner}" == "docker" ]]; then
+              docker run --rm -v "$PWD/dist:/work" ghcr.io/upx/upx:4.2.4 --best --lzma "/work/$(basename "${file}")"
+              return
+            fi
+
+            if [[ "${upx_runner}" == "podman" ]]; then
+              podman run --rm -v "$PWD/dist:/work:Z" ghcr.io/upx/upx:4.2.4 --best --lzma "/work/$(basename "${file}")"
+              return
+            fi
+
+            return 0
+          }
+
           for target in linux/amd64 linux/arm64; do
             os="${target%/*}"
             arch="${target#*/}"
 
             bin="vociferate_${RELEASE_VERSION}_${os}_${arch}"
             GOOS="$os" GOARCH="$arch" go build -trimpath -ldflags="-s -w" -o "dist/${bin}" ./cmd/vociferate
-            if [[ -n "${upx_cmd}" ]]; then
-              "${upx_cmd}" --best --lzma "dist/${bin}"
-            fi
+            compress_with_upx "dist/${bin}"
           done
 
           (
@@ -349,7 +373,7 @@ jobs:
               echo "- Tag: ${TAG_NAME}"
               echo "- Release notes sourced from changelog entry ${RELEASE_VERSION}."
               echo "- Published assets: vociferate_${RELEASE_VERSION}_linux_amd64, vociferate_${RELEASE_VERSION}_linux_arm64, checksums.txt"
-              echo "- Release binaries are compressed with UPX when available, otherwise uploaded uncompressed."
+              echo "- Release binaries use local UPX when available, otherwise containerized UPX (Docker/Podman), otherwise uncompressed upload."
             } >> "$SUMMARY_FILE"
           else
             {
diff --git a/.gitea/workflows/update-release.yml b/.gitea/workflows/update-release.yml
index 053f31e..1ed40ad 100644
--- a/.gitea/workflows/update-release.yml
+++ b/.gitea/workflows/update-release.yml
@@ -173,25 +173,49 @@ jobs:
           set -euo pipefail
 
           upx_cmd=""
+          upx_runner=""
           if command -v upx >/dev/null 2>&1; then
             upx_cmd=upx
           elif command -v upx-ucl >/dev/null 2>&1; then
             upx_cmd=upx-ucl
+          elif command -v docker >/dev/null 2>&1; then
+            upx_runner=docker
+          elif command -v podman >/dev/null 2>&1; then
+            upx_runner=podman
           else
-            echo "UPX is not available on PATH; continuing without binary compression." >&2
+            echo "UPX is not available on PATH and no container runtime is available; continuing without binary compression." >&2
           fi
 
           mkdir -p dist
 
+          compress_with_upx() {
+            local file="$1"
+
+            if [[ -n "${upx_cmd}" ]]; then
+              "${upx_cmd}" --best --lzma "${file}"
+              return
+            fi
+
+            if [[ "${upx_runner}" == "docker" ]]; then
+              docker run --rm -v "$PWD/dist:/work" ghcr.io/upx/upx:4.2.4 --best --lzma "/work/$(basename "${file}")"
+              return
+            fi
+
+            if [[ "${upx_runner}" == "podman" ]]; then
+              podman run --rm -v "$PWD/dist:/work:Z" ghcr.io/upx/upx:4.2.4 --best --lzma "/work/$(basename "${file}")"
+              return
+            fi
+
+            return 0
+          }
+
           for target in linux/amd64 linux/arm64; do
             os="${target%/*}"
             arch="${target#*/}"
 
             bin="vociferate_${RELEASE_VERSION}_${os}_${arch}"
             GOOS="$os" GOARCH="$arch" go build -trimpath -ldflags="-s -w" -o "dist/${bin}" ./cmd/vociferate
-            if [[ -n "${upx_cmd}" ]]; then
-              "${upx_cmd}" --best --lzma "dist/${bin}"
-            fi
+            compress_with_upx "dist/${bin}"
           done
 
           (
@@ -271,7 +295,7 @@ jobs:
               echo "- Tag: ${TAG_NAME}"
               echo "- Release notes sourced from changelog entry ${RELEASE_VERSION}."
               echo "- Published assets: vociferate_${RELEASE_VERSION}_linux_amd64, vociferate_${RELEASE_VERSION}_linux_arm64, checksums.txt"
-              echo "- Release binaries are compressed with UPX when available, otherwise uploaded uncompressed."
+              echo "- Release binaries use local UPX when available, otherwise containerized UPX (Docker/Podman), otherwise uncompressed upload."
             } >> "$SUMMARY_FILE"
           else
             {