Releases: VectorTrace-Labs/ActionLineage

ActionLineage v0.1.0a5

23 Jun 11:37
e674b09

Pre-release

ActionLineage 0.1.0a5 is a corrective public-alpha release that makes the
release evidence, package metadata, and public documentation line up with the
same tagged source commit.

This release supersedes the failed v0.1.0a4 artifact workflow attempt.
v0.1.0a4 was tagged and its verify jobs passed, but its release workflow
failed before artifact upload, attestations, package publication, or GitHub
Release creation because the tagged workflow used a non-canonical provenance
filename. The v0.1.0a4 tag is preserved as source history and should not be
used as a package or release-artifact reference.

Highlights

  • Package metadata now exposes repository, documentation, changelog, issue
    tracker, and security policy links.
  • Release artifacts are built from the same commit as the v0.1.0a5 tag.
  • The workflow publishes SBOM, dependency license report, provenance,
    offline release-consistency report, manifest, review index, checksums, and
    artifact attestations.
  • The deterministic demo remains credential-free and runs without a model API
    key, cloud account, external service, or internet access after installation.
  • TestPyPI and PyPI publication paths both installed the exact published
    package and ran public smoke checks on Python 3.12 and Python 3.13.

Verification Summary

  • Release workflow tag run: 28022808901
  • TestPyPI workflow run: 28022909971
  • PyPI workflow run: 28023047754
  • Audited implementation commit: e674b097cc6e703ff678f88612dfa0f0e1cd9fd5
  • Published package version: actionlineage==0.1.0a5

The attached SHA256SUMS.txt verifies the workflow-built wheel, source
distribution, SBOM, provenance, manifest, review index, license report, and
offline release-consistency report. The post-publication JSON assets capture
index propagation and public smoke results from the published PyPI package.

Limitations

ActionLineage remains a public alpha. Local hash-chain evidence is not
tamper-proof against a host attacker who can rewrite local roots. Service mode,
MCP interception, cloud observers, GHCR images, Kubernetes, and deployment
assets remain preview or external-validation surfaces. No independent external
review, production adoption, production operating history, or third-party audit
is claimed for this release.

ActionLineage v0.1.0a2

21 Jun 23:21
ac97c90

Pre-release

Public-alpha release candidate for ActionLineage, a vendor-neutral evidence and detection plane for tool-using agents.

This release keeps the project in alpha posture. It is not a production/stable claim.

Release evidence

Artifacts were built by the GitHub release workflow from tag v0.1.0a2 at commit ac97c901412576a93c4d9ac7a621ceafbb5c4d12.

Workflow run: https://github.com/VectorTrace-Labs/ActionLineage/actions/runs/27920690328

Workflow gates passed:

  • ruff check .
  • ruff format --check .
  • mypy src
  • pytest
  • claim-language guard
  • secret scan
  • pip-audit
  • wheel and source distribution build
  • SBOM generation
  • local release provenance generation
  • SHA-256 checksum generation
  • GitHub artifact attestation generation

Artifact checksums

45b2e81267b92ea69687ab9a0dfb1b2e32ffca4e1263eeea53d84ae00f0ab0d0  dist/actionlineage-0.1.0a2-py3-none-any.whl
3ab6056d08d458e983c691946507e904532c312df907f79d1cb744d1885b87d1  dist/actionlineage-0.1.0a2.tar.gz
da0427d5ef50b0413beb30658c39267632e5cf65802f08a8652f7c34106d3df7  build/release/actionlineage-provenance.json
5778ed14e310d272a2c54e601df716d39bd9638adc803f48efaf85da55859d0b  build/release/actionlineage-sbom.json

Local verification commands

shasum -a 256 -c build/release/SHA256SUMS.txt
gh attestation verify dist/actionlineage-0.1.0a2-py3-none-any.whl --repo VectorTrace-Labs/ActionLineage
gh attestation verify dist/actionlineage-0.1.0a2.tar.gz --repo VectorTrace-Labs/ActionLineage
gh attestation verify build/release/actionlineage-sbom.json --repo VectorTrace-Labs/ActionLineage
gh attestation verify build/release/actionlineage-provenance.json --repo VectorTrace-Labs/ActionLineage

Package-index status

This pre-release is attached to GitHub only. TestPyPI/PyPI publication is deferred until Trusted Publisher records are configured on the package indexes. See issue #19.

Wheel smoke test

The workflow-built wheel was installed into a fresh temporary Python 3.13 environment with uv pip install. The installed CLI returned 0.1.0a2, actionlineage demo run produced 18 verified records, and actionlineage journal verify confirmed the deterministic demo journal hash:

sha256:c51f29aadf75d59dd69813e0348f6fbfe2a4297a31051bbdb362017aac01b981

ActionLineage v0.1.0a1

21 Jun 22:18
34b3791

Pre-release

This is the first public alpha pre-release of ActionLineage, a vendor-neutral evidence and detection plane for tool-using agents.

Maturity

This release is intentionally labeled alpha. Core event, redaction, local journal, projection, source-neutral ingestion, deterministic demo, and contract validation surfaces are alpha-supported. MCP/service/exporter/cloud/deployment surfaces remain preview unless stated otherwise in the maturity docs.

Included Artifacts

  • Source distribution: actionlineage-0.1.0a1.tar.gz
  • Wheel: actionlineage-0.1.0a1-py3-none-any.whl
  • SBOM: actionlineage-sbom.json
  • Unsigned local provenance: actionlineage-provenance.json
  • Checksums: SHA256SUMS.txt

Artifacts are not signed in this alpha. Hosted/signed provenance remains external-validation-required.

Fresh Public Clone Verification

Validated from a fresh clone of public main at 34b3791:

uv sync --locked --all-extras
uv run actionlineage version
uv run actionlineage doctor
uv run actionlineage demo run --output-dir build/actionlineage-demo
uv run actionlineage journal verify build/actionlineage-demo/evidence.jsonl --expected-record-count 18 --expected-last-event-hash sha256:c51f29aadf75d59dd69813e0348f6fbfe2a4297a31051bbdb362017aac01b981
uv run actionlineage contract validate contracts/examples/outbound-http.json build/actionlineage-demo/evidence.jsonl
uv run ruff check .
uv run ruff format --check .
uv run mypy src
uv run pytest
uv run python scripts/check_claims_language.py .
uv run python scripts/secret_scan.py .
uv run pip-audit
uv build --out-dir /tmp/actionlineage-release-v0.1.0a1/dist
uv run python scripts/generate_sbom.py --output /tmp/actionlineage-release-v0.1.0a1/actionlineage-sbom.json
uv run python scripts/generate_release_provenance.py --dist-dir /tmp/actionlineage-release-v0.1.0a1/dist --output /tmp/actionlineage-release-v0.1.0a1/actionlineage-provenance.json

Results:

  • pytest: 239 passed, 1 FastAPI/Starlette deprecation warning.
  • pip-audit: no known third-party vulnerabilities; local unpublished actionlineage skipped.
  • Demo: 18 verified journal records; verified, unverified, conflicting, and not-dispatched outcomes covered.
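
Added example (not ActionLineage code): a minimal hash-chained journal in Python showing why the journal verify command above is given --expected-record-count and --expected-last-event-hash, and why the v0.1.0a5 limitations note says local hash-chain evidence is not tamper-proof against a host attacker who can rewrite local roots. The record layout, GENESIS marker, function names and sample events are assumptions made for illustration; ActionLineage's real journal format is not shown on this page.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed marker for "no previous record"

def event_hash(prev_hash, payload):
    """Hash one record over its payload and the previous record's hash."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return "sha256:" + hashlib.sha256(body.encode()).hexdigest()

def build(payloads):
    """Build a hash-chained journal (list of records) from payloads."""
    journal, prev = [], GENESIS
    for payload in payloads:
        digest = event_hash(prev, payload)
        journal.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return journal

def verify(journal, expected_count=None, expected_last_hash=None):
    """Return (ok, reason); without the expected_* anchors only the links are checked."""
    prev = GENESIS
    for i, rec in enumerate(journal):
        if rec["prev"] != prev or rec["hash"] != event_hash(prev, rec["payload"]):
            return False, f"chain broken at record {i}"
        prev = rec["hash"]
    if expected_count is not None and len(journal) != expected_count:
        return False, "record count mismatch"
    if expected_last_hash is not None and prev != expected_last_hash:
        return False, "last event hash mismatch"
    return True, "ok"

# Constructed sample events, not ActionLineage output.
EVENTS = [{"tool": "http.get", "outcome": "verified"},
          {"tool": "fs.write", "outcome": "not-dispatched"},
          {"tool": "http.post", "outcome": "conflicting"}]
original = build(EVENTS)
PINNED = original[-1]["hash"]  # head hash kept where the host cannot rewrite it

# Case 1: one record edited in place; the links alone expose it.
edited = [dict(rec) for rec in original]
edited[1]["payload"] = {"tool": "fs.write", "outcome": "verified"}

# Case 2: journal regenerated end to end with changed content; links are consistent.
rewritten = build([EVENTS[0], edited[1]["payload"], EVENTS[2]])

if __name__ == "__main__":
    for result in (verify(edited), verify(rewritten), verify(rewritten, 3, PINNED)):
        print(result)
```

Link checks alone accept the regenerated journal; only the record count and head hash recorded off-host reject it.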

Security/Repository Controls Confirmed

  • main branch protection enabled.
  • Required PR review before merge.
  • Required checks: python, container, CodeQL analysis, Dependency review.
  • Force pushes and branch deletion disabled for main.
  • Conversation resolution required.
  • Dependabot alerts/security updates enabled.
  • Secret scanning and push protection enabled.
  • Private vulnerability reporting enabled.
  • Code scanning ran successfully for the merged release-readiness PR.

Known Limitations

  • This is not a production/stable 1.0 release.
  • Release artifacts are unsigned.
  • PyPI and GHCR publication are deferred.
  • Optional service, deployment, cloud, exporter, and MCP runtime surfaces remain preview.
  • Independent external security review and production evaluation remain future validation items.