ActionLineage v0.1.0a5
Pre-release
ActionLineage 0.1.0a5 is a corrective public-alpha release that makes the
release evidence, package metadata, and public documentation line up with the
same tagged source commit.
This release supersedes the failed v0.1.0a4 artifact workflow attempt.
v0.1.0a4 was tagged and its verify jobs passed, but its release workflow
failed before artifact upload, attestations, package publication, or GitHub
Release creation because the tagged workflow used a non-canonical provenance
filename. The v0.1.0a4 tag is preserved as source history and should not be
used as a package or release-artifact reference.
Highlights
- Package metadata now exposes repository, documentation, changelog, issue
  tracker, and security policy links.
- Release artifacts are built from the same commit as the v0.1.0a5 tag.
- The workflow publishes SBOM, dependency license report, provenance,
  offline release-consistency report, manifest, review index, checksums, and
  artifact attestations.
- The deterministic demo remains credential-free and runs without a model API
  key, cloud account, external service, or internet access after installation.
- TestPyPI and PyPI publication paths both installed the exact published
  package and ran public smoke checks on Python 3.12 and Python 3.13.
Verification Summary
- Release workflow tag run: 28022808901
- TestPyPI workflow run: 28022909971
- PyPI workflow run: 28023047754
- Audited implementation commit: e674b097cc6e703ff678f88612dfa0f0e1cd9fd5
- Published package version: actionlineage==0.1.0a5
The attached SHA256SUMS.txt verifies the workflow-built wheel, source
distribution, SBOM, provenance, manifest, review index, license report, and
offline release-consistency report. The post-publication JSON assets capture
index propagation and public smoke results from the published PyPI package.
Limitations
ActionLineage remains a public alpha. Local hash-chain evidence is not
tamper-proof against a host attacker who can rewrite local roots. Service mode,
MCP interception, cloud observers, GHCR images, Kubernetes, and deployment
assets remain preview or external-validation surfaces. No independent external
review, production adoption, production operating history, or third-party audit
is claimed for this release.