diff --git a/.github/scripts/test_patch_0_1_1_release_artifact_evidence.py b/.github/scripts/test_patch_0_1_1_release_artifact_evidence.py new file mode 100644 index 0000000..aeb5e80 --- /dev/null +++ b/.github/scripts/test_patch_0_1_1_release_artifact_evidence.py @@ -0,0 +1,137 @@ +#!/usr/bin/env python3 +# +# Copyright 2026 The Ethos maintainers +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +from __future__ import annotations + +import re +import unittest +from pathlib import Path + + +ROOT = Path(__file__).resolve().parents[2] +RECORD = ROOT / "docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md" +VALIDATION_README = ROOT / "docs/validation/README.md" + +SOURCE_SHORT = "3cbbb8f" +SOURCE_COMMIT = "3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11" +SOURCE_TREE = "2791caca23354bd11974f391fa94c5de02df91a4" +RUN_URL = "https://github.com/docushell/ethos/actions/runs/28040466463" + +EXPECTED_ARTIFACTS = { + "macos-arm64": { + "archive": "ethos-macos-arm64.tar.gz", + "sha256": "eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88", + }, + "linux-x64": { + "archive": "ethos-linux-x64.tar.gz", + "sha256": "842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0", + }, +} + +RETAINED_BLOCKERS = ( + "GitHub Release publication remains blocked", + "packages/npm/ethos-pdf/vendor/manifest.json", + "npm publication remains blocked", + "Hosted surfaces remain blocked", + "Production positioning remains blocked", + "Windows packaged artifacts remain blocked", + "Bundled project-maintained PDFium builds remain blocked", + "Public benchmark reports remain blocked", + "Public benchmark claims remain blocked", + "`ethos-doc` remains blocked", + "`ethos-rag` remains blocked", +) + +FORBIDDEN_APPROVALS = ( + "publish approval granted", + "npm publication approved", + "github release publication approved", + "production positioning approved", + "hosted surfaces approved", + "bundled pdfium approved", + "public benchmark claims approved", +) + + +def read(path: Path) -> str: + return path.read_text(encoding="utf-8") + + +def normalized(path: Path) -> str: + return re.sub(r"\s+", " ", read(path)) + + +class Patch011ReleaseArtifactEvidenceTests(unittest.TestCase): + def test_record_binds_source_and_workflow_run(self) -> None: + text = normalized(RECORD) + raw = read(RECORD) + + self.assertIn(f"Validated source HEAD before this record: `{SOURCE_SHORT}`", raw) + self.assertIn(f"Artifact-evidence source commit: `{SOURCE_COMMIT}`", text) + self.assertIn(f"Artifact-evidence source tree: `{SOURCE_TREE}`", text) + self.assertIn(RUN_URL, text) + self.assertIn("conclusion: `success`", text) + self.assertIn("event: `workflow_dispatch`", text) + self.assertIn("branch: `main`", text) + + def test_record_captures_both_platform_artifacts_and_smoke(self) -> None: + text = normalized(RECORD) + + for target, expected in EXPECTED_ARTIFACTS.items(): + self.assertIn(f"inventory target: `{target}`", text) + self.assertIn(f"smoke target: `{target}`", text) + self.assertIn(expected["archive"], text) + self.assertIn(expected["sha256"], text) + self.assertEqual(2, text.count("smoke version stdout: `ethos 0.1.1`")) + self.assertEqual(2, text.count("inventory status: `draft_not_release_ready`")) + self.assertEqual(2, text.count("inventory publication: `blocked`")) + self.assertIn("validate_release_artifact_inventory.py", text) + + def test_record_keeps_publication_and_vendor_refresh_blocked(self) -> None: + text = normalized(RECORD) + lower = text.lower() + + for blocker in RETAINED_BLOCKERS: + self.assertIn(blocker, text) + for phrase in FORBIDDEN_APPROVALS: + self.assertNotIn(phrase, lower) + self.assertIn("not itself a publish approval", text) + + def test_record_is_indexed(self) -> None: + readme = read(VALIDATION_README) + readme_normalized = normalized(VALIDATION_README).lower() + + self.assertIn(RECORD.name, readme) + self.assertIn("patch 0.1.1 release artifact evidence", readme_normalized) + + def test_record_avoids_local_private_paths(self) -> None: + text = read(RECORD) + + for private in ( + "/" + "Users/", + "/" + "private/tmp", + "/" + "private/var", + "/" + "var/folders", + "saumil" + "diwaker", + "Desktop/" + "Stuff", + "project/repo/" + "ethos", + ): + self.assertNotIn(private, text) + + +if __name__ == "__main__": + unittest.main() diff --git a/.github/scripts/test_release_candidate_prep.py b/.github/scripts/test_release_candidate_prep.py index 1399d87..5ce2a2e 100644 --- a/.github/scripts/test_release_candidate_prep.py +++ b/.github/scripts/test_release_candidate_prep.py @@ -39,6 +39,7 @@ "$(PYTHON) .github/scripts/test_npm_publication_closeout.py", "$(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py", "$(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py", + "$(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py", "$(PYTHON) .github/scripts/test_release_candidate_prep.py", "$(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py", "$(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py", diff --git a/CHANGELOG.md b/CHANGELOG.md index 8529306..a1fe4a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Unreleased +- boundary-exception: record patch `0.1.1` draft artifact evidence for decider review; no GitHub Release publication, npm vendor refresh, npm publication, or support-boundary change. - boundary-exception: clarify patch `0.1.1` artifact and npm vendor refresh prep in operator docs; no artifact publication, package publication, or support-boundary change. - boundary-exception: prepare patch `0.1.1` workspace, Python, npm, CLI, and public install/version surfaces for review; no new hosted, production, Windows, bundled PDFium, benchmark, `ethos-doc`, or `ethos-rag` boundary opens. - boundary-exception: add patch `0.1.1` readiness-prep record for review only; no version bump, release approval, artifact approval, package publication, or support-boundary change. diff --git a/Makefile b/Makefile index df73b07..3322cc1 100644 --- a/Makefile +++ b/Makefile @@ -281,6 +281,7 @@ release-candidate-prep: $(PYTHON) .github/scripts/test_npm_publication_closeout.py $(PYTHON) .github/scripts/test_pdfium_manual_setup_contract.py $(PYTHON) .github/scripts/test_release_artifact_workflow_prep.py + $(PYTHON) .github/scripts/test_patch_0_1_1_release_artifact_evidence.py $(PYTHON) .github/scripts/test_release_candidate_prep.py $(PYTHON) .github/scripts/test_release_reproducibility_scaffold.py $(PYTHON) .github/scripts/test_launch_copy_approval_scaffold.py diff --git a/docs/validation/README.md b/docs/validation/README.md index 1b7eb84..c4e3419 100644 --- a/docs/validation/README.md +++ b/docs/validation/README.md @@ -561,6 +561,13 @@ recording the exact current-main source candidate and required follow-up evidenc on `main`; no release, tag, version bump, package publish, GitHub Release artifact, hosted surface, production positioning, Windows packaged artifact, bundled project-maintained PDFium build, public benchmark report, or public benchmark claim is approved. +- `patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md` - patch 0.1.1 release artifact + evidence validation records the green release workflow run, downloaded macOS arm64 and Linux x64 + draft CLI artifacts, matching SHA256 sidecars, inventory status `draft_not_release_ready`, + `publication: blocked`, and smoke evidence showing `ethos 0.1.1`; it does not approve GitHub + Release publication, npm vendor refresh, npm publication, hosted surfaces, production + positioning, Windows packaged artifacts, bundled project-maintained PDFium, or public benchmark + claims. - `milestone-e-validation-command-index-validation-2026-06-20.md` - internal Milestone E validation-command index validation passed through command-alignment checks, schema enum checks, row-record checks, public-surface posture checks, `make milestone-e-prep`, and diff hygiene; the diff --git a/docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md b/docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md new file mode 100644 index 0000000..96336db --- /dev/null +++ b/docs/validation/patch-0-1-1-release-artifact-evidence-validation-2026-06-23.md @@ -0,0 +1,101 @@ +# Patch 0.1.1 Release Artifact Evidence Validation - 2026-06-23 + +## Purpose + +Record the green release workflow run and downloaded draft CLI artifact evidence for patch `0.1.1`. +This record is evidence only. It does not approve attaching GitHub Release assets, publishing npm, +refreshing checked-in npm vendor binaries, changing PDFium posture, or opening any new public +surface. + +Validated source HEAD before this record: `3cbbb8f`. +Artifact-evidence source commit: `3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11`. +Artifact-evidence source tree: `2791caca23354bd11974f391fa94c5de02df91a4`. + +## Workflow Run + +Workflow: + +```text +.github/workflows/release.yml +``` + +Run: + +```text +https://github.com/docushell/ethos/actions/runs/28040466463 +``` + +Observed run metadata: + +- status: `completed` +- conclusion: `success` +- event: `workflow_dispatch` +- branch: `main` +- head SHA: `3cbbb8f8b8195fe0f964ab4e5d2bf0458770ad11` +- created at: `2026-06-23T16:23:14Z` +- updated at: `2026-06-23T16:24:57Z` + +## Downloaded Artifact Set + +The operator downloaded these workflow artifacts from run `28040466463`: + +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz` +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.tar.gz.sha256` +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.inventory.json` +- `ethos-cli-draft-macos-arm64/ethos-macos-arm64.smoke.json` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.tar.gz.sha256` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.inventory.json` +- `ethos-cli-draft-linux-x64/ethos-linux-x64.smoke.json` + +## Artifact Evidence + +macOS arm64: + +- archive: `ethos-macos-arm64.tar.gz` +- SHA256: `eac79cddc6f5fc834ecc279401905729978d73e99ae11a2bea82d7356a4bcd88` +- inventory schema: `ethos.release_artifact_inventory.v1` +- inventory target: `macos-arm64` +- inventory status: `draft_not_release_ready` +- inventory publication: `blocked` +- smoke schema: `ethos.release_artifact_smoke.v1` +- smoke target: `macos-arm64` +- smoke version stdout: `ethos 0.1.1` + +Linux x64: + +- archive: `ethos-linux-x64.tar.gz` +- SHA256: `842aa4b71333aecc54f344d9f5362160d0943d8efd32dffabe99dc19553916a0` +- inventory schema: `ethos.release_artifact_inventory.v1` +- inventory target: `linux-x64` +- inventory status: `draft_not_release_ready` +- inventory publication: `blocked` +- smoke schema: `ethos.release_artifact_smoke.v1` +- smoke target: `linux-x64` +- smoke version stdout: `ethos 0.1.1` + +The downloaded checksum sidecars matched the recomputed archive SHA256 values above. The inventory +sidecars passed `validate_release_artifact_inventory.py`. + +## Retained Blockers + +- GitHub Release publication remains blocked until a dedicated decider record approves exact + artifact names, checksums, source commit, and public wording. +- `packages/npm/ethos-pdf/vendor/manifest.json` must not be refreshed until a decider approves the + exact `0.1.1` artifact checksums. +- npm publication remains blocked until the checked-in vendor payload is refreshed from approved + artifacts and a dedicated npm approval record passes. +- Hosted surfaces remain blocked. +- Production positioning remains blocked. +- Windows packaged artifacts remain blocked. +- Bundled project-maintained PDFium builds remain blocked. +- Public benchmark reports remain blocked. +- Public benchmark claims remain blocked. +- `ethos-doc` remains blocked. +- `ethos-rag` remains blocked. + +## Result + +The patch `0.1.1` release workflow produced smoke-validated macOS arm64 and Linux x64 draft CLI +artifacts from `main`. This is sufficient evidence for decider review of the artifact/vendor +refresh lane, but it is not itself a publish approval.