You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add release-asset builds to the active public library repos that support
adafmt, so each Git tag automatically produces a deterministic source tarball
(+ .sha256) attached to the GitHub Release, and so the Alire community-index
entry for that crate can reference that asset as a stable, verifiable origin
instead of GitHub's auto-generated archive URL.
This is deferred until after adafmt v1.0.0 ships so shared-tooling churn
doesn't risk the rc4 → v1.0.0 window. Owner may adjust timing.
Why
Today, the four supporting public library repos all publish source-only
GitHub Releases. Alire-indexed crates (functional, clara) resolve via
GitHub's auto-generated …/archive/refs/tags/<tag>.tar.gz, which includes .git*, .github/, dev-only files, and is not byte-stable across
GitHub-side regenerations.
A deterministic, manifest-controlled release tarball with a published .sha256 gives Alire (and any downstream consumer) a stable origin to pin
against, mirrors the discipline package_dist.py already enforces for
adafmt binary releases, and removes the implicit trust in GitHub's archive
generator.
The two library repos not yet in the community index (tzif_ada, zoneinfo_ada) need this work as a prerequisite for any clean
Alire-publish path.
Current state (2026-06-20)
Verified by walking /repos/<owner>/<repo>/releases and the alire-project/alire-index index entries:
Repo
Latest tag
Alire indexed?
Source tarball asset?
SPARK proof log?
abitofhelp/functional
v4.1.0 (latest) / v4.1.1 (indexed)
yes (functional-4.1.1.toml)
no — source-only
partial (v4.1.0 has it; older don't)
abitofhelp/clara
v1.0.1
yes (clara-1.0.1.toml)
no — source-only
no
abitofhelp/tzif_ada
v3.0.3
no
no — source-only
partial
abitofhelp/zoneinfo_ada
v1.1.1
no
no — source-only
partial
So none of the four supporting library repos attach a source tarball today.
Two of the four aren't even in the community index yet.
Scope
1. Shared tooling
In this repo (hybrid_scripts_python), add (or extend an existing helper to
provide) a source-tarball builder that:
Stages a clean tree containing only the files an end-user/Alire-resolver
needs (Ada/SPARK sources, alire.toml, *.gpr, README.md, LICENSE,
third-party-licenses, CHANGELOG.md, formal-doc PDFs, etc.).
Excludes .git*, .github/, dist/, .codex/, exports/, stashes/, coverage/, IDE config, dev container files, AND macOS metadata (per [[feedback-release-source-archive-hygiene]]).
Emits <crate>-<bare-semver>.tar.gz + <crate>-<bare-semver>.tar.gz.sha256
in sha256sum-compatible format, following the same shape conventions package_dist.py uses for binary tarballs.
Returns a deterministic byte-for-byte result given identical inputs (use --sort=name, fixed mtime, fixed owner/group when invoking tar).
Must follow the asset-naming convention being standardized in
hybrid_scripts_python#18 — bare semver, no v prefix in the artifact
filename. The v belongs only on the Git tag / Release tag_name.
2. Per-repo workflow integration
For each in-scope library repo, add (or extend) a release.yml
workflow that:
Triggers on push: tags: ['v*'].
Invokes the shared source-tarball builder.
Verifies sha256 round-trip in the workflow.
Uploads the tarball + sha256 sibling to the corresponding GitHub Release
(creating the Release if a draft does not already exist — match adafmt's release-linux.yml discipline of expecting a pre-created draft).
For each release where the GitHub Release now carries a deterministic source
tarball + sha256:
Update or create the corresponding alire-project/alire-index entry to
point at the release-asset URL instead of GitHub's auto-archive.
For tzif_ada and zoneinfo_ada, perform first-time publish to the
community index, gated on the rest of the standard Alire-publish checklist
(licensing, manifest correctness, build smoke).
4. Per-repo follow-up issues
Once the shared tooling lands, file one follow-up issue per consumer repo to
track the per-repo workflow integration + community-index update:
abitofhelp/functional
abitofhelp/clara
abitofhelp/tzif_ada
abitofhelp/zoneinfo_ada
The list above is provisional. Owner / maintainer to confirm whether
additional supporting repos (e.g. hybrid_lib_ada, hybrid_lib_cpp, hybrid_lib_go) should also be in scope at the same time.
Out of scope
Renaming or replacing historical published assets — forward conformance
only. Existing Alire-indexed releases (functional-4.1.1, clara-1.0.1,
earlier) stay as they are.
Changing the tag surface (v<semver> stays on Git tags / Release tag_name).
Binary tarball production for libraries — these are source libraries; only
source tarballs apply.
Anything in private adafmt-product repos (astfmt, astengine, deps26) — those follow a different distribution path.
Timing
Do NOT start until adafmt v1.0.0 final tag ships and any immediate
v1.0.0 follow-ups have settled. This issue is paired with
hybrid_scripts_python#18 (asset-naming standardization). Both should land
in the same post-v1.0.0 cycle, with [POST-v1.0.0] Standardize release asset naming: drop v prefix uniformly + codify rule globally #18 landing first so the new asset
generator built here automatically inherits the bare-semver convention.
adafmt's release-linux.yml + hybrid_scripts_python/package_dist/package_dist.py —
reference implementations for the binary-release side; this issue brings
source releases for libraries onto equivalent footing.
adafmt project memory: feedback_release_source_archive_hygiene.md —
exclusion list (.DS_Store, ._*, exports/, coverage/, stashes/,
nested *.tar.gz) that the new source-tarball builder MUST honor.
Summary
Add release-asset builds to the active public library repos that support
adafmt, so each Git tag automatically produces a deterministic source tarball
(+
.sha256) attached to the GitHub Release, and so the Alire community-indexentry for that crate can reference that asset as a stable, verifiable origin
instead of GitHub's auto-generated archive URL.
This is deferred until after adafmt v1.0.0 ships so shared-tooling churn
doesn't risk the rc4 → v1.0.0 window. Owner may adjust timing.
Why
GitHub Releases. Alire-indexed crates (
functional,clara) resolve viaGitHub's auto-generated
…/archive/refs/tags/<tag>.tar.gz, which includes.git*,.github/, dev-only files, and is not byte-stable acrossGitHub-side regenerations.
.sha256gives Alire (and any downstream consumer) a stable origin to pinagainst, mirrors the discipline
package_dist.pyalready enforces foradafmt binary releases, and removes the implicit trust in GitHub's archive
generator.
tzif_ada,zoneinfo_ada) need this work as a prerequisite for any cleanAlire-publish path.
Current state (2026-06-20)
Verified by walking
/repos/<owner>/<repo>/releasesand thealire-project/alire-indexindex entries:abitofhelp/functionalv4.1.0(latest) /v4.1.1(indexed)functional-4.1.1.toml)v4.1.0has it; older don't)abitofhelp/clarav1.0.1clara-1.0.1.toml)abitofhelp/tzif_adav3.0.3abitofhelp/zoneinfo_adav1.1.1So none of the four supporting library repos attach a source tarball today.
Two of the four aren't even in the community index yet.
Scope
1. Shared tooling
In this repo (
hybrid_scripts_python), add (or extend an existing helper toprovide) a source-tarball builder that:
needs (Ada/SPARK sources,
alire.toml,*.gpr,README.md,LICENSE,third-party-licenses,
CHANGELOG.md, formal-doc PDFs, etc.)..git*,.github/,dist/,.codex/,exports/,stashes/,coverage/, IDE config, dev container files, AND macOS metadata (per[[feedback-release-source-archive-hygiene]]).<crate>-<bare-semver>.tar.gz+<crate>-<bare-semver>.tar.gz.sha256in sha256sum-compatible format, following the same shape conventions
package_dist.pyuses for binary tarballs.--sort=name, fixed mtime, fixed owner/group when invokingtar).hybrid_scripts_python#18 — bare semver, no
vprefix in the artifactfilename. The
vbelongs only on the Git tag / Releasetag_name.2. Per-repo workflow integration
For each in-scope library repo, add (or extend) a
release.ymlworkflow that:
push: tags: ['v*'].(creating the Release if a draft does not already exist — match adafmt's
release-linux.ymldiscipline of expecting a pre-created draft).vprefix uniformly + codify rule globally #18) correctedname.
3. Alire community-index follow-up
For each release where the GitHub Release now carries a deterministic source
tarball + sha256:
alire-project/alire-indexentry topoint at the release-asset URL instead of GitHub's auto-archive.
tzif_adaandzoneinfo_ada, perform first-time publish to thecommunity index, gated on the rest of the standard Alire-publish checklist
(licensing, manifest correctness, build smoke).
4. Per-repo follow-up issues
Once the shared tooling lands, file one follow-up issue per consumer repo to
track the per-repo workflow integration + community-index update:
abitofhelp/functionalabitofhelp/claraabitofhelp/tzif_adaabitofhelp/zoneinfo_adaThe list above is provisional. Owner / maintainer to confirm whether
additional supporting repos (e.g.
hybrid_lib_ada,hybrid_lib_cpp,hybrid_lib_go) should also be in scope at the same time.Out of scope
only. Existing Alire-indexed releases (
functional-4.1.1,clara-1.0.1,earlier) stay as they are.
v<semver>stays on Git tags / Releasetag_name).source tarballs apply.
astfmt,astengine,deps26) — those follow a different distribution path.Timing
v1.0.0 follow-ups have settled. This issue is paired with
hybrid_scripts_python#18 (asset-naming standardization). Both should land
in the same post-v1.0.0 cycle, with [POST-v1.0.0] Standardize release asset naming: drop
vprefix uniformly + codify rule globally #18 landing first so the new assetgenerator built here automatically inherits the bare-semver convention.
Related
[POST-v1.0.0]Standardize release asset naming(drop
vprefix uniformly + codify rule globally).release-linux.yml+hybrid_scripts_python/package_dist/package_dist.py—reference implementations for the binary-release side; this issue brings
source releases for libraries onto equivalent footing.
feedback_release_source_archive_hygiene.md—exclusion list (
.DS_Store,._*,exports/,coverage/,stashes/,nested
*.tar.gz) that the new source-tarball builder MUST honor.