polymech/zeroclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(release): map release-notes supply-chain flow

Browse Source
This commit is contained in:
Chummy 2026-02-25 12:33:10 +00:00 committed by Chum Yin
parent a28b213334
commit 0134a11697
3 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/main-branch-flow.md vendored
View File

@ -183,9 +183,11 @@ Workflow: `.github/workflows/pub-release.yml`
- trigger provenance is emitted as `release-trigger-guard` artifacts.
3. `build-release` builds matrix artifacts across Linux/macOS/Windows targets.
4. `verify-artifacts` runs `scripts/ci/release_artifact_guard.py` against `.github/release/release-artifact-contract.json` in verify-stage mode (archive contract required; manifest/SBOM/notice checks intentionally skipped) and uploads `release-artifact-guard-verify` evidence.
5. In publish mode, after manifest generation, workflow reruns `release_artifact_guard.py` in full-contract mode and emits `release-artifact-guard.publish.json` plus `audit-event-release-artifact-guard-publish.json`.
6. In publish mode, workflow generates SBOM (`CycloneDX` + `SPDX`), `SHA256SUMS`, keyless cosign signatures, and verifies GHCR release-tag availability.
7. In publish mode, workflow creates/updates the GitHub Release for the resolved tag and commit-ish.
5. In publish mode, workflow generates SBOM (`CycloneDX` + `SPDX`), `SHA256SUMS`, and a checksum provenance statement (`zeroclaw.sha256sums.intoto.json`) plus audit-event envelope.
6. In publish mode, after manifest generation, workflow reruns `release_artifact_guard.py` in full-contract mode and emits `release-artifact-guard.publish.json` plus `audit-event-release-artifact-guard-publish.json`.
7. In publish mode, workflow keyless-signs release artifacts and composes a supply-chain release-notes preface via `release_notes_with_supply_chain_refs.py`.
8. In publish mode, workflow verifies GHCR release-tag availability.
9. In publish mode, workflow creates/updates the GitHub Release for the resolved tag and commit-ish, combining generated supply-chain preface with GitHub auto-generated commit notes.
Pre-release path:

1
docs/ci-map.md
View File

@ -61,6 +61,7 @@ Merge-blocking checks should stay small and deterministic. Optional checks are u
- Purpose: build release artifacts in verification mode (manual/scheduled) and publish GitHub releases on tag push or manual publish mode
- Additional behavior: `release_trigger_guard.py` enforces stable-tag contract, annotated-tag requirement, actor authorization allowlist, and emits trigger-provenance audit artifacts
- Additional behavior: `release_artifact_guard.py` enforces `.github/release/release-artifact-contract.json` in verify/publish stages and emits auditable guard reports (`release-artifact-guard-verify`, `release-artifact-guard.publish.json`)
- Additional behavior: `release_notes_with_supply_chain_refs.py` composes release-note preface links for manifest/SBOM/provenance artifacts while GitHub auto-generates commit-window notes
- `.github/workflows/pub-prerelease.yml` (`Pub Pre-release`)
- Purpose: validate alpha/beta/rc/stable policy matrix integrity, enforce stage progression + monotonic stage numbering + tag/version integrity, publish transition audit trail and release-stage history, and optionally publish GitHub prerelease assets
- `.github/workflows/ci-canary-gate.yml` (`CI Canary Gate`)

3
docs/release-process.md
View File

@ -46,6 +46,7 @@ Publish-mode guardrails:
- Artifacts are verified before publish.
- Trigger provenance is recorded in `release-trigger-guard.json` and `audit-event-release-trigger-guard.json`.
- Multi-arch artifact contract is enforced by `.github/release/release-artifact-contract.json` through `release_artifact_guard.py`.
- Release notes include a generated supply-chain evidence preface (`release-notes-supply-chain.md`) plus GitHub-generated commit-window notes.
## Maintainer Procedure
@ -101,6 +102,8 @@ Expected publish outputs:
- GitHub Release notes + assets
- `release-artifact-guard.publish.json` + `release-artifact-guard.publish.md`
- `audit-event-release-artifact-guard-publish.json` proving publish-stage artifact contract completeness
- `zeroclaw.sha256sums.intoto.json` + `audit-event-release-sha256sums-provenance.json` for checksum provenance linkage
- `release-notes-supply-chain.md` / `release-notes-supply-chain.json` with release-asset references (manifest, SBOM, provenance, guard audit artifacts)
### 5) Post-release validation