Harden the release pipeline: provenance, dry-run, pack-contents check#26
Merged
andrew-jon-p7a merged 1 commit into main on Apr 30, 2026
Three guard rails added to `.github/workflows/release.yml` so the
next `git tag v… && git push` ships with stronger supply-chain
guarantees and fewer surprises.
Provenance
- Added `id-token: write` permission to the release job and
`--provenance` to the `pnpm publish` invocation. The npm registry
now attaches a signed attestation linking each published tarball
to this exact GitHub commit; consumers see a "Provenance" badge
on the package page.
Manual rehearsal
- Added `workflow_dispatch` trigger with an optional `version`
input (default `0.0.0-rehearsal`). Running the workflow manually
executes the full pipeline (install / version-stamp / lint /
build / typecheck / test / pack-verify) but skips both the
`publish` and the GitHub Release steps. Use it to sanity-check
a release would succeed before committing the tag.
- Version-stamp step branches on `github.event_name`: tag drives
the version on real pushes, the input drives it on manual runs.
- Publish step + GH Release step are now gated
`if: github.event_name == 'push'`. A dispatch run cannot
accidentally publish.
Pack-contents verification
- New `scripts/verify-pack-contents.mjs` (~160 lines, no deps).
Discovers every non-private workspace package, runs `pnpm pack`,
walks the resulting tarball, and verifies every relative path
declared by `exports` (incl. nested condition objects), `main`,
`module`, `types`, and `bin` actually ships in the tarball.
- Wired into the release workflow as a step before `publish`, so
any future change that drops a file from the published artifact
(e.g. a removed entry in `files`, a moved source path) fails the
release loud — never silently in npm.
- Verified clean against the current monorepo:
@agentc7/ac7: OK (2 paths)
@agentc7/cli: OK (1 path)
@agentc7/core: OK (2 paths)
@agentc7/sdk: OK (10 paths)
@agentc7/web-shell: OK (2 paths)
@agentc7/server: OK (4 paths)
Signed-off-by: Andrew Jon Przybilla <andrew@przy.email>
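As an added illustration of the pack-contents check described above (example code, not the project's own `scripts/verify-pack-contents.mjs`): walk `exports` (including nested condition objects), `main`, `module`, `types` and `bin`, then diff the declared paths against a tarball listing. The manifest and tarball entries are constructed; a real run would take the listing from `pnpm pack`.

```javascript
// Added example, not the project's verify-pack-contents.mjs: gather every relative
// path a package.json declares as shipped and diff it against a tarball listing.
// Walk an `exports` value: a string, an array of fallbacks, or a (possibly nested)
// conditions object such as { import: { types: ..., default: ... } }.
function collectExportTargets(value, out) {
  if (typeof value === "string") {
    out.push(value);
  } else if (Array.isArray(value)) {
    for (const v of value) collectExportTargets(v, out);
  } else if (value && typeof value === "object") {
    for (const v of Object.values(value)) collectExportTargets(v, out);
  }
}
// Normalised, de-duplicated list of relative paths the manifest claims to ship.
// Glob patterns ("./dist/*") are skipped: they need expansion, not an exact match.
function declaredPaths(pkg) {
  const raw = [];
  for (const field of ["main", "module", "types"]) {
    if (typeof pkg[field] === "string") raw.push(pkg[field]);
  }
  if (typeof pkg.bin === "string") raw.push(pkg.bin);
  else if (pkg.bin && typeof pkg.bin === "object") raw.push(...Object.values(pkg.bin));
  collectExportTargets(pkg.exports, raw);
  const norm = raw.filter((p) => !p.includes("*")).map((p) => p.replace(/^\.\//, ""));
  return [...new Set(norm)];
}
// pnpm pack prefixes every entry with "package/"; strip it and report declared
// paths that the tarball does not contain (an empty array means the package is OK).
function missingFromTarball(pkg, tarballEntries) {
  const shipped = new Set(tarballEntries.map((e) => e.replace(/^package\//, "")));
  return declaredPaths(pkg).filter((p) => !shipped.has(p));
}
// Constructed sample manifest and tarball listing (not real project data): the
// `bin` target was dropped from `files`, so it is absent from the tarball.
const SAMPLE_PKG = {
  main: "./dist/index.cjs",
  module: "./dist/index.js",
  types: "./dist/index.d.ts",
  bin: { "example-cli": "./dist/cli.js" },
  exports: {
    ".": { import: { types: "./dist/index.d.ts", default: "./dist/index.js" }, require: "./dist/index.cjs" },
    "./package.json": "./package.json",
  },
};
const SAMPLE_TARBALL = ["package/package.json", "package/dist/index.js",
  "package/dist/index.cjs", "package/dist/index.d.ts"];
```

In the workflow the step would exit non-zero whenever `missingFromTarball` returns a non-empty array for any workspace package, which is what makes the release fail before `publish` runs.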