Skip to content

Docs: clean up release-readiness tutorials and standards metadata#333

Merged
jeremi merged 23 commits into
mainfrom
codex/docs-release-policy-lab-cleanup
Jul 10, 2026
Merged

Docs: clean up release-readiness tutorials and standards metadata#333
jeremi merged 23 commits into
mainfrom
codex/docs-release-policy-lab-cleanup

Conversation

@jeremi

@jeremi jeremi commented Jul 9, 2026

Copy link
Copy Markdown
Member

Summary

  • Archives the remaining current DHIS2/FHIR lab-backed tutorials, removes current navigation to them, and keeps retired routes as redirects without leaking retired pages into machine-readable outputs.
  • Documents signed config-bundle stability and break-glass semantics, corrects release verification scope, and preserves explicit source-review and standards metadata across current and archived docsets.
  • Hardens registryctl update/install guidance with canonical whole-string release-tag validation, explicit refs/tags/ script URLs, Bash invocation, hostile-tag regression coverage, SHA256-only trust disclosure, Intel macOS behavior, and refreshed tutorial links.
  • Makes redirects and the version switcher base-path aware for current previews and archive transitions, with focused path-matrix tests.

Issues

Closes #257
Closes #219
Closes #217
Closes #221
Closes #220
Refs #203
Refs #309

Security review required

  • The Draft 1.0 lifecycle policies: API stability, deprecation, security support window, upgrade and rollback #203 stability row was traced to registry-platform-config and registry-platform-ops: normal signed verification, accept_rollback, and accept_unsigned retain the documented hash, binding, closure, product-validation, and anti-rollback boundaries.
  • The registryctl installer rejects single-line and multiline noncanonical tags without echoing attacker-controlled values or printing a shell-active fallback. Update notices accept only canonical vMAJOR.MINOR.PATCH tags and fetch the Bash installer through an explicit refs/tags/ raw URL.
  • release/VERIFY.md was traced to the release workflow and the v0.8.4 asset layout: selected GitHub Release artifacts receive cosign siblings; the separately generated provenance is verified with slsa-verifier.
  • Explicit maintainer Tier-C security signoff remains required before merge for the config-bundle and break-glass policy row.

Verification

  • cargo fmt --all -- --check
  • cargo clippy --locked --workspace --all-targets -- -D warnings
  • cargo test --locked -p registryctl (86 tests across lib, main, integrations, and doc tests)
  • cargo test --locked -p registry-platform-config -p registry-platform-ops (113 tests)
  • bash -n crates/registryctl/install.sh docs/site/scripts/check-registryctl-tutorials.sh docs/site/scripts/check-tutorial.sh
  • python3 -m unittest discover -s release/scripts -p 'test_*.py' (47 tests)
  • npm --prefix docs/site test (76 tests)
  • npm --prefix docs/site run check:tutorial:dry-run
  • npm --prefix docs/site run check (current plus 8 archives; 151 LLM checks; 217 latest and 1,881 archived SEO pages; 349,619 internal links/assets)
  • curl -fsSI https://raw.githubusercontent.com/registrystack/registry-stack/refs/tags/v0.8.4/crates/registryctl/install.sh (HTTP 200)
  • git diff --check

Existing warning-only output remains from generated product-doc Vale suggestions, archived OpenAPI/link warnings, Astro deprecation hints, and code-highlighting fallbacks.

Remaining manual gates

  • Full Solmara tutorial execution remains manual and was not rerun in the final pass. The dedicated registryctl-tutorials CI job executes the registryctl tutorials from source.
  • Live cosign verify-blob and slsa-verifier commands were not rerun locally; the staff review traced the commands to workflow subjects and the published v0.8.4 asset shape.
  • Maintainer Tier-C security signoff is required before merge.

jeremi commented Jul 9, 2026

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@jeremi jeremi marked this pull request as ready for review July 9, 2026 16:22
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

jeremi added 22 commits July 10, 2026 09:18
Archive the DHIS2 and FHIR lab-backed tutorials out of the current docset, add redirects to integration patterns, and remove current-page links to the archived pages.

Refs #257. Refs #309.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Document signed config bundle formats and verification semantics as a governed stability surface with the tests that enforce it.

Refs #203.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Add adopter tutorial troubleshooting for amd64-only images, warn Intel macOS readers about source builds, refresh registryctl tutorial links and image wording, make the OpenCRVS redirect base-path aware for current docs, and add as-of provenance wording.

Closes #219. Closes #217.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Closes #220.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Closes #219.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Closes #217.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Closes #257.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Closes #221.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #203.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #220.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #217.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #221.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #203.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #257.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #220.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #203.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #257.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #220.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #217.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Refs #220.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
@jeremi jeremi force-pushed the codex/docs-release-policy-lab-cleanup branch from f5b723c to b8d64f9 Compare July 10, 2026 05:58
@jeremi

jeremi commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@codex review

Refs #220.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. More of your lovely PRs please.

Reviewed commit: b8d64f924f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@jeremi

jeremi commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

@codex review

@jeremi

jeremi commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

Maintainer Tier-C security signoff: approved for merge.

Reviewed the #203 config-bundle and break-glass stability row against registry-platform-config and registry-platform-ops enforcement and regression tests. The documented normal verification, accept_rollback, and accept_unsigned boundaries match implementation. Installer trust limitations and release verification scope are explicitly disclosed. All staff findings are addressed, required CI is green, and no unresolved security review thread remains.

@jeremi jeremi merged commit 6dbf673 into main Jul 10, 2026
11 checks passed
@jeremi jeremi deleted the codex/docs-release-policy-lab-cleanup branch July 10, 2026 06:22
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. Breezy!

Reviewed commit: b43c9407d1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment