agent-assure v0.3.0
v0.3.0 prepares the adoption release packaging path. The package metadata now
targets PyPI/TestPyPI, the wheel build explicitly includes frozen schema
snapshots through schemas/v0.3.0 under agent_assure/schema_resources/, and
deterministic example suite resources are bundled under agent_assure.examples.
The persisted artifact schema_version remains 0.2.0; the v0.3.0 schema
directory is a frozen release snapshot for package inspection and release
gating, not a breaking artifact-shape change.
Release checks now inspect the built wheel for the required schema and example
paths, then install the local wheel into a clean virtual environment without
resolving agent-assure from a package index. The smoke test also asserts that
packaged example resources are visible through importlib.resources from the
installed wheel.
The Trusted Publishing path supports manual TestPyPI uploads from a selected
candidate ref and tag-gated PyPI uploads from the release workflow. Final PyPI
publishing uses the package files already present in the release bundle
artifact, so it does not run a second package build. The release workflow blocks
when a tag such as v0.3.0 does not match project.version = "0.3.0" and
agent_assure.__version__ = "0.3.0".
Top-level repository examples and bundled package example resources are checked
for parity to reduce fixture drift risk while the repository keeps both paths
for docs, tests, and installed-wheel demos.
OIDC publish and signing jobs use immutable third-party action SHAs, with
comments preserving the reviewed upstream tags for maintainability.
Package publishing jobs validate release-version input before use and recheck
downloaded package artifacts at the upload boundary. Final PyPI publishing also
replays the downloaded release bundle digests before staging upload files.
Sprint 5 hardening adds frozen-schema parity to make release-check, verifies
every frozen schema file in the built and installed wheel, pins remaining
GitHub Actions references to reviewed SHAs, and moves release-bundle cosign
signing and verification artifact selection out of workflow shell snippets into
a Python helper.