Build better Go release binaries
- Track: Go
- Room: UD2.120 (Chavanne)
- Day: Saturday
- Start: 13:00
- End: 13:30
- Video only: ud2120
`go build .` is a very common way to build and release binaries for Go projects. But there are many settings one can pass to go to build better release binaries. This talk will give an overview of compile-time optimizations and give guidance on re-releasing, applying CGO hardening as recommended by OpenSSF, upgrading dependencies, ensuring binaries can be scanned for vulnerabilities, ensuring the codebase is compatible with popular Go forks for FIPS compliance, and making binaries easier to reproduce.
Relevant projects:
- https://pkg.go.dev/cmd/go#hdr-Compile_packages_and_dependencies
- https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
- https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
- https://github.com/chainguard-dev/gobump
- https://github.com/chainguard-dev/melange/blob/main/pkg/build/pipelines/go/build.yaml
- https://github.com/wolfi-dev/os
Speakers
Dimitri John Ledkov