Tighten release-candidate publication surfaces#23
Merged
GsCommand merged 1 commit intoMar 21, 2026
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
v1.1.0and remove any broken integrity/trust signals for archivalv1.0.0so the repository is safe to review before tagging.dist-pin/agent-cards/v1.0.0so it cannot be mistaken for a verified release artifact.Description
publish_statefrompublishedtorelease_candidate_pending_validationand tightening descriptive text for release-candidate language in.well-known/agent.json,.well-known/agent-cards-v1.1.0.json,meta/commons-agent.json, andmeta/commercial-agent.json, plus their copies underdist-pin/agent-cards/v1.1.0/.meta/manifest.json(and the rebuiltdist-pin/agent-cards/v1.1.0/meta/manifest.json) to stop usingroots.published_bundle, rename it toroots.derivative_bundle, narrow thedist_pinsurface role language, and addpublication.state: release_candidate_pending_validationandpublication.external_bindings: unconfirmed_until_validate_release_passes.dist-pin/agent-cards/v1.0.0trust surface by removing its stalechecksums.txt, insertingdist-pin/agent-cards/v1.0.0/ARCHIVE_NOTICE.md, and annotating v1.0.0 metadata witharchive_state: archival_only_unverified_snapshotandtrust_notice: integrity_manifest_removed_due_to_incomplete_bundleso v1.0.0 remains archival-only and not integrity-claimed.README.md,SPEC.md,SECURITY_PROVENANCE.md,ONBOARDING.md, andPOLICY.mdto describev1.1.0as a release-candidate and defer publication claims untilvalidate:release+ external binding checks pass..well-known/agent.json,.well-known/agent-cards-v1.1.0.json,meta/manifest.json,meta/commons-agent.json,meta/commercial-agent.json,dist-pin/agent-cards/v1.1.0/*copies,dist-pin/agent-cards/v1.0.0/*(annotated andchecksums.txtremoved),ARCHIVE_NOTICE.mdadded underdist-pin/agent-cards/v1.0.0, and docsREADME.md,SPEC.md,SECURITY_PROVENANCE.md,ONBOARDING.md,POLICY.md, plus refreshedchecksums.txt.publish_state→release_candidate_pending_validationin the descriptors listed above;roots.published_bundle→roots.derivative_bundleinmeta/manifest.json; addedpublication.state: release_candidate_pending_validationandpublication.external_bindings: unconfirmed_until_validate_release_passes.Testing
node scripts/build-dist-pin.mjs— succeeded and rebuiltdist-pin/agent-cards/v1.1.0successfully. (✅)node scripts/generate-checksums.mjs— succeeded and regenerated rootchecksums.txtto reflect the edits. (✅)npm run validate— repository-local validation (structure, manifest/card alignment, checksums) passed. (✅)npm run validate:release— derivative-bundle reproducibility checks passed but the run failed overall because external resolution of upstream tagged Commons/Commercial schema URLs could not be fetched; mirrors resolution is still pending so publication claims are deferred. (partial success; external fetches failed)Codex Task