Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 56 additions & 40 deletions PUBLIC_RELEASE_CHECKLIST.md
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
# Public release checklist

**Status: public release is BLOCKED.** Every unchecked item below is an
independent blocker. Do not publish a package or flip the repository
public until all of them are resolved and re-verified.
**Status: the source is PUBLIC.** The official repository at
`https://github.com/getaskclaw/fable-session` is public, and every
source-level public-beta gate below is resolved on the reviewed history
ending at merge commit `efff5724` (PR #1, the 0.3.0b1 release
candidate). The single remaining operational action is pushing the
`v0.3.0-beta.1` prerelease tag, and that happens only after this status
PR merges and protected-main CI passes on the merge commit.

## Resolved

Expand All @@ -17,12 +21,27 @@ public until all of them are resolved and re-verified.
carries the homepage/repository/issues URLs. The CI and release
workflows stay deliberately URL-free.
- [x] **Clean-history export and independent review: RESOLVED.** The
official private repository now holds exactly one independently
reviewed clean root commit (`4ead2832…`, the reviewed 0.2.0 tree,
produced as an orphan export). The full-history reference scan
reports zero hits on that history, and this checkout's `origin`
remote is a read-only local bundle of that same reviewed root —
release work builds on top of it, never beside it.
official repository holds exactly one independently reviewed clean
root commit (`4ead2832…`, the reviewed 0.2.0 tree, produced as an
orphan export) with only reviewed release work on top of it. The
full-history reference scan reports zero hits on every commit
reachable from merge commit `efff5724` — the exact history that
was published.
- [x] **Repository visibility: RESOLVED — public.** All code, history,
and test work (the 0.3.0b1 release candidate included) was
finished and re-verified on the release history first; the
repository was then made public as the deliberate final step.
Public `main` is exactly the reviewed history ending at merge
commit `efff5724`.
- [x] **Private vulnerability reporting: RESOLVED — enabled and
verified.** Enabled immediately after the visibility flip (it is a
public-repository setting and could not be switched on earlier);
the "Report a vulnerability" button is confirmed visible under the
repository's Security tab, so `SECURITY.md`'s reporting path has
been usable from the first public minute.
- [x] **Branch protection: RESOLVED.** `main` is protected: release
work lands only through pull requests with the CI gates required
to pass (PR #1 merged that way), never through direct pushes.

## Standing warning — the OLD history

Expand All @@ -35,42 +54,39 @@ of it may ever be published; `tests/full_history_readiness_check.py`
verifies exactly that property on the history that is actually being
published.

## Remaining blockers

- [ ] **Repository visibility: still private — flipping public is the
deliberate final step.** While the repository is private, finish
all remaining code, history, and test work (the 0.3.0b1 release
candidate included) and re-run every verification below on the
exact release commit. Only after everything passes is the
repository made public.
- [ ] **Enable and verify private vulnerability reporting — immediately
AFTER the repository becomes public.** GitHub private vulnerability
reporting is a setting for public repositories, so it cannot be
switched on while the repository is private and no step may claim
otherwise. The moment the repository goes public, enable the
setting and verify that the "Report a vulnerability" button appears
under the repository's Security tab, so `SECURITY.md`'s reporting
path is actually usable from the first public minute.

## Pre-publication verification (on the exact release commit)

- [ ] `python3 -m compileall -q src tests` passes.
- [ ] `python3 -m unittest discover -s tests` passes.
- [ ] `python3 tests/public_readiness_check.py` exits 0 on the exact tree
Every verification below ran on merge commit `efff5724` — locally on
this checkout and green in CI on public `main`; protected-main CI
re-runs the same gates on every pull request, this status PR included:

- [x] `python3 -m compileall -q src tests` passes.
- [x] `python3 -m unittest discover -s tests` passes (all unit tests,
including the offline real-Claude evidence contracts — unit tests
never call the Claude API; the tested real-host combination stays
documented in the README as Linux with Claude Code 2.1.208).
- [x] `python3 tests/public_readiness_check.py` exits 0 on the exact tree
being published.
- [ ] `python3 tests/full_history_readiness_check.py` exits 0 on the
- [x] `python3 tests/full_history_readiness_check.py` exits 0 on the
exact history being published (every tracked blob of every commit
reachable from the release commit).
- [ ] `python3 tests/offline_install_smoke.py` passes.
- [ ] `python3 -m build` produces the `0.3.0b1` wheel and sdist; the
- [x] `python3 tests/offline_install_smoke.py` passes.
- [x] `python3 -m build` produces the `0.3.0b1` wheel and sdist; the
wheel installs into a fresh environment and answers
`fable-session --version`.
- [ ] `git diff --check "$(git hash-object -t tree /dev/null)" HEAD`
`fable-session --version` (verified in CI on public `main`).
- [x] `git diff --check "$(git hash-object -t tree /dev/null)" HEAD`
reports no whitespace errors.
- [ ] The prerelease tag name is `v0.3.0-beta.1` (distribution version
`0.3.0b1`); `release.yml` enforces this fail-closed via

## Remaining operational action — the prerelease tag

- [ ] **Push the `v0.3.0-beta.1` prerelease tag (distribution version
`0.3.0b1`) — the sole remaining operational action.** Only after
this status PR merges and protected-main CI passes on the merge
commit. `release.yml` enforces the canonical tag fail-closed via
`tests/release_tag_check.py` (only the canonical tag for the
checked-out package version may release), re-runs these
gates, builds the artifacts, generates `SHA256SUMS`, attests build
provenance, and creates a GitHub prerelease. Package-index
publication stays out of scope for this prerelease.
checked-out package version may release), re-runs these gates,
builds the artifacts, generates `SHA256SUMS`, attests build
provenance, and creates the GitHub prerelease. Until that workflow
succeeds, no GitHub prerelease, release artifacts, or attestation
exist. Package-index publication stays out of scope for this
prerelease.
Loading
Loading