release-proof verifies that an OSS release is actually available where users consume it: GitHub Releases, release assets, SHA-256 sidecars, GitHub artifact attestations, crates.io, docs.rs, and a fresh cargo install smoke test.
It is meant for release managers who want a single receipt that answers: did the tag resolve to the intended commit, did the public release publish the expected artifacts, do the checksums and attestations verify, did the crate reach crates.io, did docs.rs build, and can a user install and run the binary from scratch?
Install it with cargo:

```bash
cargo install release-proof --locked
```

You also need these tools on PATH for full verification:

- gh
- git
- cargo

`gh auth login` is recommended. Public GitHub releases can often be checked without authentication, but release asset downloads and attestations are more reliable with an authenticated GitHub CLI.
Create a starter config:

```powershell
release-proof init `
  --repo wildmason/tauri-hardening-md `
  --tag v1.0.0 `
  --expected-commit 1023a099025cd50255ad6b71fe75cfea67871c7e `
  --crate-name tauri-hardening-md `
  --crate-version 1.0.0 `
  > release-proof.toml
```

Run the check:

```powershell
release-proof check --config release-proof.toml
```

Write a Markdown receipt:

```powershell
release-proof check `
  --config examples/tauri-hardening-md-v1.0.0.toml `
  --format markdown `
  --output release-proof.md
```

Use it from GitHub Actions:

```yaml
jobs:
  release-proof:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: wildmason/release-proof@v1.0.1
        with:
          config: release-proof.toml
          format: markdown
          output: release-proof.md
```

release-proof runs these checks:

- Config schema version, repo shape, and tag presence.
- GitHub Release existence, tag name, draft state, and prerelease state.
- Git tag resolution through `git ls-remote --tags`, including annotated tag peeling.
- Expected commit match by full hash or prefix.
- Expected GitHub assets exist.
- Unexpected non-sidecar GitHub assets are reported.
- Asset SHA-256 checks against either an inline digest or a `.sha256` sidecar.
- GitHub artifact attestations through `gh attestation verify`.
- crates.io package version exists and is not yanked.
- docs.rs URL returns success.
- `cargo install --version ... --locked` succeeds in a fresh temp root and the installed binary can run.
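Two of the checks above are easy to get subtly wrong: an annotated tag's own hash is not the commit it points at (the `^{}` line from `git ls-remote --tags` is), and a `.sha256` sidecar that names a different file or carries a truncated digest must fail rather than be skipped. The following is an added example written for this page, not release-proof's own code, showing those steps in plain Rust with no external crates. It assumes a minimum abbreviated-commit length of `MIN_PREFIX` (the page only says "full hash or prefix") and sidecars in `sha256sum` format (`<hex>  <name>` or `<hex> *<name>`); the ls-remote output and sidecar contents are constructed sample data.

```rust
// Added example, not release-proof's own code: tag resolution with annotated-tag
// peeling, expected-commit matching, and .sha256 sidecar parsing.
// Assumptions not stated on the page: MIN_PREFIX as the shortest accepted
// commit prefix, and sha256sum-style sidecar lines.
use std::collections::HashMap;

/// Constructed `git ls-remote --tags` output. v1.0.0 is an annotated tag, so its
/// first line is the tag object and the `^{}` line is the peeled commit;
/// v0.9.0 is a lightweight tag that points straight at a commit.
pub const SAMPLE_LS_REMOTE: &str = "\
1111111111111111111111111111111111111111\trefs/tags/v1.0.0
1023a099025cd50255ad6b71fe75cfea67871c7e\trefs/tags/v1.0.0^{}
abcdef0123456789abcdef0123456789abcdef01\trefs/tags/v0.9.0
";

/// Constructed `.sha256` sidecar in sha256sum format (second line uses the `*` binary marker).
pub const SAMPLE_SIDECAR: &str = "\
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  example-x86_64-unknown-linux-gnu.tar.gz
0000000000000000000000000000000000000000000000000000000000000000 *example-aarch64-apple-darwin.tar.gz
";

/// Assumed policy: shorter prefixes are too easy to collide with by accident.
pub const MIN_PREFIX: usize = 7;

/// tag name -> (hash the ref points at, peeled commit hash if the tag is annotated)
pub type TagMap = HashMap<String, (String, Option<String>)>;

pub fn parse_ls_remote(output: &str) -> TagMap {
    let mut tags = TagMap::new();
    for line in output.lines() {
        let Some((hash, refname)) = line.split_once('\t') else { continue };
        let Some(name) = refname.strip_prefix("refs/tags/") else { continue };
        match name.strip_suffix("^{}") {
            // Peeled entry: the commit an annotated tag object points at.
            Some(base) => {
                let entry = tags.entry(base.to_string()).or_insert_with(|| (String::new(), None));
                entry.1 = Some(hash.to_string());
            }
            // Plain entry: a tag object (annotated) or a commit (lightweight).
            None => {
                let entry = tags.entry(name.to_string()).or_insert_with(|| (String::new(), None));
                entry.0 = hash.to_string();
            }
        }
    }
    tags
}

/// The commit a tag resolves to: the peeled hash for annotated tags, the ref hash otherwise.
/// Comparing an annotated tag's unpeeled hash against the expected commit would always fail.
pub fn resolve_tag(tags: &TagMap, tag: &str) -> Option<String> {
    let (obj, peeled) = tags.get(tag)?;
    Some(peeled.clone().unwrap_or_else(|| obj.clone()))
}

/// Match an expected commit given as a full 40-hex hash or an abbreviated prefix.
/// A prefix shorter than MIN_PREFIX, longer than 40, or non-hex is a config error, not a mismatch.
pub fn commit_matches(resolved: &str, expected: &str) -> Result<bool, String> {
    let expected = expected.trim().to_ascii_lowercase();
    let is_hex = expected.chars().all(|c| c.is_ascii_hexdigit());
    if !(MIN_PREFIX..=40).contains(&expected.len()) || !is_hex {
        return Err(format!("expected commit {expected:?} must be {MIN_PREFIX}..=40 hex chars"));
    }
    Ok(resolved.to_ascii_lowercase().starts_with(&expected))
}

/// Return the digest a sidecar records for `asset`. Malformed lines and a sidecar that
/// only names other files are errors: a sidecar for the wrong asset must not pass.
pub fn sidecar_digest(sidecar: &str, asset: &str) -> Result<String, String> {
    for line in sidecar.lines().map(str::trim).filter(|l| !l.is_empty()) {
        let Some((hex, name)) = line.split_once(' ') else {
            return Err(format!("malformed sidecar line: {line:?}"));
        };
        let name = name.trim_start().trim_start_matches('*');
        if hex.len() != 64 || !hex.chars().all(|c| c.is_ascii_hexdigit()) {
            return Err(format!("digest for {name:?} is not 64 hex chars"));
        }
        if name == asset {
            return Ok(hex.to_ascii_lowercase());
        }
    }
    Err(format!("sidecar does not record a digest for {asset:?}"))
}

fn main() {
    let tags = parse_ls_remote(SAMPLE_LS_REMOTE);
    let resolved = resolve_tag(&tags, "v1.0.0").expect("tag exists in sample");
    println!("v1.0.0 -> {resolved}");
    println!("prefix match: {:?}", commit_matches(&resolved, "1023a09"));
    println!("sidecar: {:?}", sidecar_digest(SAMPLE_SIDECAR, "example-x86_64-unknown-linux-gnu.tar.gz"));
}
```

The digest returned by `sidecar_digest` still has to be compared against a SHA-256 computed over the downloaded asset; that hashing step is left out here so the example stays crate-free.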
See docs/CONFIG.md for the full schema and examples/tauri-hardening-md-v1.0.0.toml for a complete real release config.
Minimal GitHub-only config:

```toml
schema_version = 1

[release]
repo = "wildmason/example"
tag = "v1.0.0"
expected_commit = "0123456789abcdef0123456789abcdef01234567"
allow_draft = false
allow_prerelease = false
```

Complete Rust CLI config:

```toml
schema_version = 1

[release]
repo = "wildmason/example"
tag = "v1.0.0"
expected_commit = "0123456789abcdef0123456789abcdef01234567"
allow_draft = false
allow_prerelease = false

[[github.assets]]
name = "example-x86_64-unknown-linux-gnu.tar.gz"
sha256 = "sidecar"
attest = true

[crates_io]
name = "example"
version = "1.0.0"

[docs_rs]
url = "https://docs.rs/example/1.0.0/example/"

[[cargo_installs]]
package = "example"
version = "1.0.0"
binary = "example"
locked = true
args = ["--version"]
expect_stdout_contains = "example 1.0.0"
```

`release-proof check` exits 0 when every required check passes. It exits 1 when any required check fails. Skipped checks are explicit in the receipt and do not fail the run.
Receipts can be rendered as text, JSON, or Markdown:

```bash
release-proof check --format text
release-proof check --format json --output receipt.json
release-proof check --format markdown --output receipt.md
```

See docs/RECEIPTS.md for output examples and field notes.
release-proof verifies publication and installability. It does not prove that source archives are reproducible from source, that binaries are deterministic, or that a crate's code is free of malicious behavior. It is deliberately scoped to release surface integrity.
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT license (LICENSE-MIT)
at your option.