From 15dcd44db39590bdf2d695a7e96d918a790c522c Mon Sep 17 00:00:00 2001 From: docushell-admin Date: Tue, 23 Jun 2026 21:39:43 +0530 Subject: [PATCH] Clarify patch 0.1.1 artifact refresh prep Signed-off-by: docushell-admin --- .../test_release_reproducibility_scaffold.py | 24 +++++++++++++++ CHANGELOG.md | 1 + docs/RELEASE_OPERATOR_RUNBOOK.md | 30 ++++++++++++++----- docs/release-artifact-notices.md | 10 ++++--- 4 files changed, 54 insertions(+), 11 deletions(-) diff --git a/.github/scripts/test_release_reproducibility_scaffold.py b/.github/scripts/test_release_reproducibility_scaffold.py index d6a648a..80587f4 100644 --- a/.github/scripts/test_release_reproducibility_scaffold.py +++ b/.github/scripts/test_release_reproducibility_scaffold.py @@ -17,6 +17,7 @@ from __future__ import annotations +import re import unittest from pathlib import Path @@ -25,12 +26,18 @@ WORKFLOW = ROOT / ".github/workflows/release.yml" INVENTORY_WRITER = ROOT / ".github/scripts/write_release_artifact_inventory.py" INVENTORY_VALIDATOR = ROOT / ".github/scripts/validate_release_artifact_inventory.py" +OPERATOR_RUNBOOK = ROOT / "docs/RELEASE_OPERATOR_RUNBOOK.md" +RELEASE_NOTICES = ROOT / "docs/release-artifact-notices.md" def read(path: Path) -> str: return path.read_text(encoding="utf-8") +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + class ReleaseReproducibilityScaffoldTests(unittest.TestCase): def test_workflow_records_rebuildable_cli_inputs(self) -> None: text = read(WORKFLOW) 
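Review bot: `normalized()` has no docstring, and nothing at its definition says why whitespace is collapsed or which assertions depend on it. I would add `"""Return the file's text with every whitespace run collapsed to one space, so phrase checks survive Markdown re-wrapping."""` as its first line. Because the helper takes a path rather than text, the new test reads docs/release-artifact-notices.md twice, once through `read` and once through `normalized`. That is harmless here, but accepting the already-read string would avoid the second read.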
@@ -53,6 +60,23 @@ def test_inventory_binds_checksum_target_and_publication_status(self) -> None: self.assertIn("linux-x64", validator) self.assertIn("malformed sha256", validator) + def test_patch_release_artifact_refresh_prep_stays_bounded(self) -> None: + runbook = read(OPERATOR_RUNBOOK) + notices = read(RELEASE_NOTICES) + normalized_notices = normalized(RELEASE_NOTICES) + combined = f"{runbook}\n{notices}" + + self.assertIn("@docushell/ethos-pdf@0.1.1", runbook) + self.assertIn("Patch 0.1.1 Artifact Refresh Prep", runbook) + self.assertIn("ethos 0.1.1", runbook) + self.assertIn("ethos 0.1.1", notices) + self.assertIn("packages/npm/ethos-pdf/vendor/manifest.json", combined) + self.assertIn("draft_not_release_ready", notices) + self.assertIn("publication: blocked", notices) + self.assertIn("does not authorize", normalized_notices) + self.assertIn("npm publication as blocked", runbook) + self.assertNotIn("@docushell/ethos-pdf@0.1.0` surfaces", combined) + if __name__ == "__main__": unittest.main() diff --git a/CHANGELOG.md b/CHANGELOG.md index 4082eae..8529306 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: clarify patch `0.1.1` artifact and npm vendor refresh prep in operator docs; no artifact publication, package publication, or support-boundary change. - boundary-exception: prepare patch `0.1.1` workspace, Python, npm, CLI, and public install/version surfaces for review; no new hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary opens. - boundary-exception: add patch `0.1.1` readiness-prep record for review only; no version bump, release approval, artifact approval, package publication, or support-boundary change. - process-follow-up: record patch `0.1.1` readiness prep contents and retained blockers without approving release action or changing versions. diff --git a/docs/RELEASE_OPERATOR_RUNBOOK.md b/docs/RELEASE_OPERATOR_RUNBOOK.md index b099ba9..9afc31d 100644 
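Review bot: `test_patch_release_artifact_refresh_prep_stays_bounded` never asserts the runbook's actual control, the sentence saying the vendor manifest and binaries must not be refreshed from local builds or unapproved archives, so that sentence can be removed or weakened and the test still passes. Add `self.assertIn("must not be refreshed from local builds or unapproved archives", normalized(OPERATOR_RUNBOOK))`. The closing `assertNotIn` runs on the raw `combined` text, so it passes vacuously if a line wrap ever falls between the old package reference and the word "surfaces"; running it on the `normalized(...)` text of both files would make the negative check fail closed. The markers `draft_not_release_ready` and `publication: blocked` sit on unchanged context lines of docs/release-artifact-notices.md, so those two assertions were presumably already true before this commit and do not pin the new 0.1.1 wording.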
--- a/docs/RELEASE_OPERATOR_RUNBOOK.md +++ b/docs/RELEASE_OPERATOR_RUNBOOK.md @@ -1,10 +1,10 @@ # Release Operator Runbook -Ethos is public beta evaluation for approved source, Rust crate, Python wheel, macOS arm64 CLI -artifact, Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.0` surfaces. This runbook -describes the operator checks required before any additional public promotion. It does not authorize -new GitHub Release artifacts, new package publication, hosted surfaces, production positioning, -Windows packaged artifacts, bundled project-maintained PDFium builds, or benchmark reports. +Ethos is public beta evaluation for source, Rust crate, Python wheel, macOS arm64 CLI artifact, +Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.1` surfaces. This runbook describes the +operator checks required before any public promotion. It does not authorize new GitHub Release +artifacts, new package publication, hosted surfaces, production positioning, Windows packaged +artifacts, bundled project-maintained PDFium builds, or benchmark reports. ## Who Can Release 
@@ -24,6 +24,23 @@ record names an operator or approving group, treat the workflow output as draft 7. Treat the downloaded archives as CI evidence only unless a separate approval record authorizes the exact public release artifact, version, checksum, and wording. +## Patch 0.1.1 Artifact Refresh Prep + +The source tree now prepares `0.1.1` package and CLI version surfaces. The checked-in npm vendor +manifest and vendor binaries must not be refreshed from local builds or unapproved archives. Before +publishing or attaching any `0.1.1` artifact, the operator must: + +1. Produce macOS arm64 and Linux x64 draft CLI archives from the release workflow at the reviewed + source commit. +2. Verify each archive with `smoke_release_cli_artifact.py` and require `ethos 0.1.1` in the smoke + evidence. +3. Record each archive SHA256 and inventory in a dedicated approval record. +4. Update `packages/npm/ethos-pdf/vendor/manifest.json` only from approved `0.1.1` archive + checksums. +5. Run `npm run prepare:vendor -- ` only against the approved archives. +6. Treat npm publication as blocked until an approval record binds the refreshed vendor checksums, + package version, artifact source commit, and exact public wording. + ## Local Checks Before Any Future Promotion ```sh @@ -36,8 +53,7 @@ python3 .github/scripts/validate_release_artifact_inventory.py target/release-ar ## Promotion Gate Before creating or updating any public GitHub Release, package registry entry, or public release -notes beyond the already-approved `v0.1.0` evaluation surfaces, the operator needs an approval -record that binds: +notes for `v0.1.1`, the operator needs an approval record that binds: - exact source commit; - artifact names and platform targets; diff --git a/docs/release-artifact-notices.md b/docs/release-artifact-notices.md index 7960aa9..dffe342 100644 --- a/docs/release-artifact-notices.md +++ b/docs/release-artifact-notices.md 
@@ -1,7 +1,7 @@ # Release Artifact Notices -Ethos has approved `v0.1.0` public beta evaluation surfaces for source, Rust crates, Python wheel, -macOS arm64 CLI artifact, Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.0`. This +Ethos has prepared `v0.1.1` public beta evaluation surfaces for source, Rust crates, Python wheel, +macOS arm64 CLI artifact, Linux x64 CLI artifact, and npm `@docushell/ethos-pdf@0.1.1`. This document defines the license and NOTICE bundle contract for release artifacts; it does not authorize additional releases, package publication, binaries, wheels, npm updates, hosted surfaces, production positioning, Windows packaged artifacts, bundled project-maintained PDFium builds, or @@ -56,8 +56,9 @@ It writes a planning bundle under `target/release-notice-draft/`: The draft bundle is intentionally marked `draft_not_release_ready`. -The first public release-prep workflow may also create CI-only draft CLI artifact archives for -macOS arm64 and Linux x64. Those archives must include SHA256 checksums and an +The release-prep workflow may also create CI-only draft CLI artifact archives for macOS arm64 and +Linux x64. Patch `0.1.1` archives must smoke as `ethos 0.1.1`. Those archives must include SHA256 +checksums and an `ethos.release_artifact_inventory.v1` inventory marked `draft_not_release_ready` and `publication: blocked`. @@ -79,6 +80,7 @@ Before any public release artifact: - replace the draft artifact identifier with the concrete artifact name and platform; - review the artifact payload inventory and checksums; +- refresh `packages/npm/ethos-pdf/vendor/manifest.json` only from approved artifact checksums; - include PDFium/font notices when those assets are bundled; - rerun `make release-advisory`; - rerun `make third-party-license-manifest`;