PR-F4: Add release verification docs for attestations + SBOM evidence #1206

Merged
lmeyerov merged 6 commits into master from chore/1205-pr-f4-signing-verification-docs-v2
Apr 25, 2026

Conversation

@lmeyerov
Contributor

Summary

  • add docs/source/release-verification.md with consumer verification steps for PyPI attestations/provenance
  • document SBOM evidence retrieval from publish workflow artifacts
  • link release verification guidance from SECURITY.md
  • add release-verification to docs index toctree
  • add plan.md for context-free resumption of this slice

Why

Follow-up for trusted release hardening PR-F4 after PR-F3 merged, tracked in #1205.

Validation

  • documentation-only changes; no runtime code paths modified
  • guidance aligned with PyPI attestation model and current publish workflow behavior from run 24877854485

Closes #1205

plan.md is already gitignored (/plan.md in .gitignore). Untracked here
so it stops shipping in the PR diff; file remains on disk locally for
session context.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
lmeyerov and others added 3 commits April 24, 2026 20:06
Top-level docs/source/index.rst toctree is a weirdly prominent place
for supply-chain verification content — it sat as a peer of the entire
`graphistry` API module. Move the guide to repo root
(RELEASE_VERIFICATION.md) until a dedicated docs Security section
exists to host it.

- mv docs/source/release-verification.md -> RELEASE_VERIFICATION.md
- drop toctree entry from docs/source/index.rst
- update SECURITY.md link + note the rehoming follow-up (#1208)

Follow-up tracked in #1208.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
RELEASE_VERIFICATION.md was punching above its weight as a top-level
doc for ~60 lines of supply-chain guidance. Trim hard and fold the
essential commands into a "Verifying Releases" section in SECURITY.md.

- pypi-attestations verify recipe
- gh run download recipe for SBOM evidence
- pointer to canonical PyPI attestations docs
- pointer to #1208 for the eventual docs Security section

Drops operational notes and verbose framing; downstream verifiers
get what they need in one place.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The "tracked in #1208" line was internal planning context, not
consumer-facing security content. Drop it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@lmeyerov lmeyerov merged commit 4642931 into master Apr 25, 2026
51 of 52 checks passed
@lmeyerov lmeyerov deleted the chore/1205-pr-f4-signing-verification-docs-v2 branch April 25, 2026 11:52

Development

Successfully merging this pull request may close these issues.

PR-F4: release signing + consumer verification docs