DanielLavrushin · remmody · Mar 3, 2026 · Mar 3, 2026 · Copilot · Mar 4, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -104,10 +104,45 @@ jobs:
           name: ui-build
           path: src/http/ui/dist
 
+      - name: Install UPX
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y upx-ucl
+
       - name: Build using Makefile
         run: |
           make linux-${{ matrix.arch }} VERSION="$VERSION"
 
+      - name: Compress with UPX
+        run: |
+          ARCH="${{ matrix.arch }}"
+          BINARY_PATH="out/linux-${ARCH}/${{ env.BINARY_NAME }}"
+
+          if [ -f "$BINARY_PATH" ]; then
+            echo "Compressing $BINARY_PATH with UPX..."
+            upx --ultra-brute --lzma "$BINARY_PATH" -o "${BINARY_PATH}.upx"
+
+            # Test compressed binary
+            if upx -t "${BINARY_PATH}.upx"; then
+              echo "UPX compression successful, replacing original binary"
+              mv "${BINARY_PATH}.upx" "$BINARY_PATH"
+            else
+              echo "UPX test failed, keeping original binary"
-            upx --ultra-brute --lzma "$BINARY_PATH" -o "${BINARY_PATH}.upx"
-            
-            # Test compressed binary
-            if upx -t "${BINARY_PATH}.upx"; then
-              echo "UPX compression successful, replacing original binary"
-              mv "${BINARY_PATH}.upx" "$BINARY_PATH"
-            else
-              echo "UPX test failed, keeping original binary"
+            if upx --ultra-brute --lzma "$BINARY_PATH" -o "${BINARY_PATH}.upx"; then
+              # Test compressed binary
+              if upx -t "${BINARY_PATH}.upx"; then
+                echo "UPX compression successful, replacing original binary"
+                mv "${BINARY_PATH}.upx" "$BINARY_PATH"
+              else
+                echo "UPX test failed, keeping original binary"
+                rm -f "${BINARY_PATH}.upx"
+              fi
+            else
+              echo "UPX compression failed (possibly unsupported arch/format), keeping original binary"
-            upx --ultra-brute --lzma "$BINARY_PATH" -o "${BINARY_PATH}.upx"
-            
-            # Test compressed binary
-            if upx -t "${BINARY_PATH}.upx"; then
-              echo "UPX compression successful, replacing original binary"
-              mv "${BINARY_PATH}.upx" "$BINARY_PATH"
-            else
-              echo "UPX test failed, keeping original binary"
+            if upx --ultra-brute --lzma "$BINARY_PATH" -o "${BINARY_PATH}.upx"; then
+              # Test compressed binary
+              if upx -t "${BINARY_PATH}.upx"; then
+                echo "UPX compression successful, replacing original binary"
+                mv "${BINARY_PATH}.upx" "$BINARY_PATH"
+              else
+                echo "UPX test failed, keeping original binary"
+                rm -f "${BINARY_PATH}.upx"
+              fi
+            else
+              echo "UPX compression failed (possibly unsupported arch/format), keeping original binary"
+              rm -f "${BINARY_PATH}.upx"
+            fi
+          else
+            echo "Binary not found at $BINARY_PATH"
+            exit 1
+          fi
+
+      - name: Repackage with compressed binary
+        run: |
+          ARCH="${{ matrix.arch }}"
+          cd out/linux-${ARCH}
+          tar -czf "../assets/${{ env.BINARY_NAME }}-linux-${ARCH}.tar.gz" "${{ env.BINARY_NAME }}"
+          cd ../assets
+          sha256sum "${{ env.BINARY_NAME }}-linux-${ARCH}.tar.gz" > "${{ env.BINARY_NAME }}-linux-${ARCH}.tar.gz.sha256"
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -33,21 +33,26 @@ RUN COMMIT=$(echo "docker" ) && \
     GOARM=${TARGETVARIANT#v} \
     CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go -C src build \
     -trimpath \
+    -buildvcs=false \
     -ldflags "-s -w -X main.Version=${VERSION} -X main.Commit=${COMMIT} -X main.Date=${DATE}" \
     -o /b4
 
+# Stage 2.5: UPX compression 
+FROM --platform=$TARGETPLATFORM alpine:3.23.3 AS upx-compressor
-FROM --platform=$TARGETPLATFORM alpine:3.23.3 AS upx-compressor
+FROM --platform=$BUILDPLATFORM alpine:3.23.3 AS upx-compressor
-FROM --platform=$TARGETPLATFORM alpine:3.23.3 AS upx-compressor
+FROM --platform=$BUILDPLATFORM alpine:3.23.3 AS upx-compressor
+
+RUN apk add --no-cache upx
+
+COPY --from=go-builder /b4 /b4
+RUN upx --ultra-brute --lzma /b4 -o /b4.upx && upx -t /b4.upx
-RUN apk add --no-cache upx
-
-COPY --from=go-builder /b4 /b4
-RUN upx --ultra-brute --lzma /b4 -o /b4.upx && upx -t /b4.upx
+ARG UPX_FLAGS="--best"
+RUN apk add --no-cache upx
+
+COPY --from=go-builder /b4 /b4
+RUN upx ${UPX_FLAGS} /b4 -o /b4.upx && upx -t /b4.upx
-RUN apk add --no-cache upx
-
-COPY --from=go-builder /b4 /b4
-RUN upx --ultra-brute --lzma /b4 -o /b4.upx && upx -t /b4.upx
+ARG UPX_FLAGS="--best"
+RUN apk add --no-cache upx
+
+COPY --from=go-builder /b4 /b4
+RUN upx ${UPX_FLAGS} /b4 -o /b4.upx && upx -t /b4.upx
+
 # Stage 3: Runtime image
 FROM alpine:3.23.3
 
 RUN apk add --no-cache \
-    iptables \
-    ip6tables \
-    nftables \
-    kmod \
-    iproute2 \
-    tzdata
-
-COPY --from=go-builder /b4 /usr/local/bin/b4
+    iptables ip6tables nftables kmod iproute2 tzdata \
+    && rm -rf /var/cache/apk/*
+
+COPY --from=upx-compressor /b4.upx /usr/local/bin/b4
 
 VOLUME /etc/b4
 EXPOSE 7000