feat(release): add tracked release-evidence bundle and release gate#11
Merged
Conversation
Add build/release-evidence.json binding a release to a validated harness commit and a content digest of the exact module setup, plus verified adapter/vendor identity, platform tiers, and a freshness window. The release workflow now refuses to publish without a present, schema-valid, version-consistent bundle. The bundle is tracked, so it is carried into the release archive and covered by the existing SLSA build-provenance and SBOM attestations. The harness re-derives the content digest and re-validates the bundle before advancing a pin.
6fd7194 to
18838ab
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Module side of RVR-P2-002 (machine-readable release ↔ harness-evidence binding).
What
build/release-evidence.json(new, tracked) — binds a release to: the validated harness commit, asha256:content digest of the exact module setup (the file is excluded from its own digest), verified vendor identity (3.3.4/0.15.2/GLM-5.2), adapter version, per-platform support tiers, declared check coverage, a freshness window, and a promotion decision..github/workflows/release.yml— theverifyjob now refuses to publish a tag unless the bundle is present,schema_version==1, from this repository, with a well-formed digest + harness SHA, andadapter.version == VERSION.Binding
The bundle is tracked, so it is carried into the deterministic release archive and covered by the existing SLSA build-provenance + SBOM attestations. The harness re-derives the content digest and fully re-validates the bundle (vendor/tiers/adapter) before advancing its pin — that enforcement + the private tests land in nddev-harnesses alongside the pin advance.
No installed runtime behavior changes.