
Audit release environment settings#108

Merged
project-navi-bot merged 2 commits into
mainfrom
codex/v0.3.0-release-cleanup
May 30, 2026

Conversation

@Fieldnote-Echo
Owner

Summary:

  • Add a manual pre-tag GitHub Environment audit for crates-io and pypi.
  • Document the pre-tag audit and registry Trusted Publisher manual checks.
  • Remove Scorecard maximum-score overclaims and packaged README relative governance links.

Validation:

  • bash -n tests/release_environment_settings.sh
  • bash tests/release_publish_invariants.sh
  • bash tests/release_signed_release_invariants.sh
  • cargo package -p ordvec --locked --list
  • cargo publish -p ordvec --dry-run --locked
  • stale Scorecard/link rg check: no matches
  • shellcheck skipped: not installed

Manual setting still required before tagging:

  • bash tests/release_environment_settings.sh currently fails because both release environments still include branch:main alongside tag:v[0-9].[0-9].[0-9]*. Remove branch:main before tagging.

Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
@qodo-code-review

Review Summary by Qodo

✨ Enhancement 📝 Documentation


Walkthroughs

Description
• Add manual pre-tag GitHub Environment audit script for release gates
• Document registry Trusted Publisher manual verification requirements
• Update release documentation with new audit step and numbering
• Fix README governance links to use absolute GitHub URLs
• Clarify Scorecard signed-release provenance expectations
Diagram

```mermaid
flowchart LR
  A["Release Process"] --> B["Manual Audit Script"]
  B --> C["Verify GitHub Environments"]
  C --> D["Check Reviewer & Tag Policy"]
  D --> E["Document Requirements"]
  E --> F["Update RELEASING.md"]
  A --> G["Fix Documentation Links"]
  G --> H["Absolute GitHub URLs"]
```



File Changes

1. tests/release_environment_settings.sh ✨ Enhancement +90/-0

Add manual release environment audit script

• New bash script for manual pre-tag GitHub Environment audit
• Validates crates-io and pypi environments have required reviewer
• Verifies deployment branch policies accept only stable tag pattern
• Uses gh CLI with authenticated API calls to inspect environment settings



2. tests/release_signed_release_invariants.sh 📝 Documentation +4/-2

Clarify signed-release provenance documentation

• Clarify that .intoto.jsonl and Sigstore assets enable Scorecard detection
• Document that older unsigned releases may temporarily keep score below 10
• Improve explanation of signed-release graph purpose



3. .github/workflows/release.yml 📝 Documentation +7/-4

Improve release workflow documentation clarity

• Update provenance documentation to note older unsigned releases may keep Scorecard score below 10
• Clarify Scorecard signing probe uses Sigstore asset as backup
• Improve comments explaining SLSA-attested artifact packaging
• Refine explanation of publish-crate artifact comparison logic



4. Cargo.toml ⚙️ Configuration changes +1/-0

Exclude audit script from package

• Add tests/release_environment_settings.sh to package exclude list
• Ensures new audit script is not included in published crate



5. README.md 📝 Documentation +4/-3

Fix governance links to absolute URLs

• Convert relative GOVERNANCE.md link to absolute GitHub URL
• Convert relative CONTRIBUTING.md link to absolute GitHub URL
• Improves link reliability across different documentation contexts



6. RELEASING.md 📝 Documentation +14/-4

Document pre-tag environment audit requirement

• Add new step 4 for running manual release environment audit script
• Document verification of GitHub Environments and Trusted Publisher settings
• Renumber subsequent steps from 4-7 to 5-8
• Clarify that audit must run before creating version tag
• Add instructions for manual Trusted Publisher record verification





@qodo-code-review

qodo-code-review Bot commented May 30, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)



Action required

1. Stderr corrupts jq output ✓ Resolved 🐞 Bug ☼ Reliability
Description
tests/release_environment_settings.sh captures gh api stderr into the same variable as the
jq-filtered stdout (2>&1), so any successful-call warning text can contaminate values like
true/false and numeric counts and cause the audit to fail incorrectly. This is release-process
impacting because RELEASING.md requires running this script before tagging.
Code

tests/release_environment_settings.sh[R19-29]

Evidence
The helper function merges stderr into the returned jq output, and later the script compares that
output for exact equality against literals (e.g., "true"), which will break if stderr contains any
extra text. The release process documentation now requires running this script before tagging,
amplifying the impact of false failures.

tests/release_environment_settings.sh[19-29]
tests/release_environment_settings.sh[62-81]
RELEASING.md[129-139]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`api_jq()` currently captures `gh api` stderr into the same string used as the jq output (`2>&1`). If `gh` emits warnings/info to stderr while still exiting 0, the captured output is polluted and later string/number comparisons can fail even when the environment settings are correct.

### Issue Context
This script is invoked as a manual pre-tag audit per `RELEASING.md`, so flakiness here blocks or degrades the release checklist.

### Fix Focus Areas
- tests/release_environment_settings.sh[19-29]

### Suggested fix
Update `api_jq()` to:
- capture **stdout only** for the jq-filter result
- capture stderr separately (temp file or separate variable)
- only include stderr content in the failure message when the command exits non-zero

Example approach:
```bash
api_jq() {
  local path="$1"
  local filter="$2"
  local output err errfile

  errfile="$(mktemp)"
  # Capture stdout only; stderr goes to a temp file so a warning printed by a
  # successful call cannot leak into the value the caller compares.
  if ! output="$(gh api "$path" --jq "$filter" 2>"$errfile")"; then
    err="$(cat "$errfile")"
    rm -f "$errfile"
    fail "cannot read ${path}; authenticate with a token that can read ${REPO} repository environment settings. gh api: ${err}"
  fi
  rm -f "$errfile"
  printf '%s\n' "$output"
}
```
(Any equivalent stdout/stderr separation is fine.)




Remediation recommended

2. No explicit gh presence check ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
The audit script calls gh without an explicit command -v gh check, so if gh is missing the
script can exit with a generic shell error instead of the script’s actionable fail(...) message.
This degrades the reliability of the documented pre-tag checklist step.
Code

tests/release_environment_settings.sh[R31-33]

Evidence
The script invokes gh auth status and gh api but has no explicit gh existence check, while the
release checklist now requires running the script before tagging.

tests/release_environment_settings.sh[7-33]
RELEASING.md[129-133]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The script assumes `gh` exists. If it does not, Bash emits `command not found` and the script exits without the intended, actionable guidance.

### Issue Context
`RELEASING.md` instructs running this script manually before tagging.

### Fix Focus Areas
- tests/release_environment_settings.sh[7-35]

### Suggested fix
Add an early check before calling `gh auth status`:
```bash
command -v gh >/dev/null 2>&1 || fail "gh CLI not found; install GitHub CLI (gh) and authenticate before running this audit"
```
Optionally, if you want to be stricter/clearer, run `gh auth status -h github.com` to ensure the correct host is authenticated.




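The two points raised in this thread, the tag-only deployment policy check from the PR description and Qodo's stdout/stderr separation finding, in one runnable script. This is an added example, not the project's tests/release_environment_settings.sh: `fake_gh_api` is a hypothetical stand-in for `gh api`, and its output is constructed to look like the `type:name` lines that a single `--jq '.branch_policies[] | "\(.type):\(.name)"'` call over the deployment-branch-policies endpoint would print (an assumed API shape, not verified against the page).

```bash
#!/usr/bin/env bash
# Added example, not the project's audit script. Shows a wrapper that keeps
# API stderr out of the captured value, plus a check that a GitHub Environment's
# deployment branch policies contain only the stable tag pattern.
set -eu

EXPECTED_TAG_POLICY='tag:v[0-9].[0-9].[0-9]*'

# Hypothetical stand-in for `gh api`: exits 0 but also writes a warning to
# stderr, the case that corrupted a `2>&1` capture. Output is constructed and
# mirrors the "type:name" lines a jq filter over .branch_policies would print.
fake_gh_api() {
  echo "! warning: this token expires in 3 days" >&2
  printf 'tag:v[0-9].[0-9].[0-9]*\nbranch:main\n'
}

# Run a command and return only its stdout. stderr is parked in a temp file and
# shown only when the command fails, so warnings never reach callers that
# compare the value against literals such as "true" or a reviewer count.
api_call() {
  local errfile out
  errfile="$(mktemp)"
  if ! out="$("$@" 2>"$errfile")"; then
    printf 'api call failed: %s\n' "$(cat "$errfile")" >&2
    rm -f "$errfile"
    return 1
  fi
  rm -f "$errfile"
  printf '%s\n' "$out"
}

# Accept a policy list (one "type:name" per line) only when it consists of the
# expected tag pattern and nothing else. Every stray entry is reported on
# stderr; a missing pattern is reported too. Returns 1 on any problem.
check_tag_only_policy() {
  local policies="$1"
  local line ok=1 seen_expected=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      "$EXPECTED_TAG_POLICY") seen_expected=1 ;;
      branch:*) echo "unexpected branch policy: $line" >&2; ok=0 ;;
      *)        echo "unexpected policy entry: $line" >&2; ok=0 ;;
    esac
  done <<EOF
$policies
EOF
  if [ "$seen_expected" -ne 1 ]; then
    echo "missing policy: $EXPECTED_TAG_POLICY" >&2
    ok=0
  fi
  [ "$ok" -eq 1 ]
}

# Audit one environment: fetch its policy list through the wrapper, then apply
# the tag-only rule. With the constructed sample this returns 1 until the
# branch:main entry is removed, matching the pre-tag state described in the PR.
audit_environment() {
  local name="$1" policies
  policies="$(api_call fake_gh_api "$name")" || return 1
  check_tag_only_policy "$policies"
}
```

In the real script `fake_gh_api` would be `gh api repos/OWNER/REPO/environments/NAME/deployment-branch-policies --jq '...'`, and the required-reviewer check can go through the same `api_call` wrapper with a filter that returns a count; keeping every comparison on stdout-only values is what makes the audit's exact-match checks trustworthy.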

@Fieldnote-Echo Fieldnote-Echo force-pushed the codex/v0.3.0-release-cleanup branch from 3f66b4c to b066424 Compare May 30, 2026 03:45
@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.



@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a manual pre-tag audit script (tests/release_environment_settings.sh) to verify GitHub Environment release gates before publishing, updates RELEASING.md to document this step, and excludes the script from the Cargo package. It also updates relative links in README.md to absolute URLs and refines comments in tests/release_signed_release_invariants.sh. Feedback on the new script suggests optimizing GitHub API calls by querying all required fields in a single gh api call per endpoint using jq with TSV formatting, reducing the total API calls from 18 to 4 to prevent potential rate limiting.


Copilot AI left a comment


Pull request overview

This PR adds a manual pre-tag audit script for GitHub Environment release gates and tightens release documentation to remove Scorecard maximum-score claims and packaged README relative governance links.

Changes:

  • New tests/release_environment_settings.sh audits crates-io/pypi environments (required reviewer + tag-only deployment policy) via gh api.
  • RELEASING.md adds the audit step to the release checklist and renumbers subsequent steps; release.yml and release_signed_release_invariants.sh reword Scorecard claims to drop the "= 10" overclaim.
  • README.md converts GOVERNANCE.md/CONTRIBUTING.md links to absolute GitHub URLs (so they work in packaged distributions); Cargo.toml excludes the new script from the published crate.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
tests/release_environment_settings.sh New manual audit script for GitHub Environment release gates.
tests/release_signed_release_invariants.sh Reword comment to drop "Signed-Releases = 10" claim.
RELEASING.md Add audit step to checklist; renumber subsequent steps.
README.md Convert GOVERNANCE/CONTRIBUTING relative links to absolute GitHub URLs.
Cargo.toml Exclude new audit script from packaged crate.
.github/workflows/release.yml Soften Scorecard score wording; refresh package step comment.


@project-navi-bot project-navi-bot merged commit ad1b0fe into main May 30, 2026
35 checks passed
@project-navi-bot project-navi-bot deleted the codex/v0.3.0-release-cleanup branch May 30, 2026 04:13

3 participants