feat(plugin): release-artifact-pipeline — five tracks from the org-wide release sweep (v0.10.0)#97
Merged
…de sweep (v0.10.0)

An org-wide release-consistency sweep (12 repos) found the pipelines have drifted: every repo signs its native binary to the full bar (cosign + SHA256SUMS + CycloneDX SBOM + SLSA) but holds its *wasm* to a weaker one, distribution channels are incoherent (rivet npm-only, sigil/synth/scry crates.io-only, mcp a stale unsigned manual script), and witness/scry run on almost no wasm-emitting repo.

Extend release-artifact-pipeline from a single (native-binary) standard to five artifact-type tracks, encoding the policy decisions:

- Track A — native binaries: the existing synth-canonical bundle (unchanged).
- Track B — distribution: crates.io for everything Rust (signed CI, OIDC), npm for every CLI/tool (not just rivet); more channels later; mcp's manual unsigned publish is the named anti-pattern.
- Track C — wasm: sigil + cosign signing AND a witness MC/DC gate AND a scry abstract-interpretation gate; same bar as the binary. sigil step is gated on fixing sigil's wasip2 parser first (add cosign now, sigil as it clears); SLSA subject-path must cover the .wasm.
- Track D — Pages verification dashboard (witness-viz/scry-viz), with the github-pages v* tag deployment-branch-policy gotcha documented.
- Track E — rivet verification extraction as a release requirement; copy relay's test-level verifies pattern (gale/synth for volume); laggards are scry/witness/loom/meld/mcp.

"How to apply" deltas updated to the real per-repo gaps from the sweep.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
An org-wide release-consistency sweep across 12 release-cutting repos (rivet, sigil, witness, scry, synth, gale, meld, loom, spar, relay, wohl, mcp) found systematic drift. This extends `release-artifact-pipeline` from a single native-binary standard to five artifact-type tracks, encoding the maintainer's policy decisions.

The drift the sweep found

`TODO(sigil)`.

The five tracks

`subject-path` must cover the `.wasm`.
`github-pages` `v*` tag deployment-branch-policy gotcha documented.
`verifies` pattern.

Per-repo rollout will be tracked separately. Bumps the plugin to v0.10.0.
🤖 Generated with Claude Code
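Added example, not code from the release-artifact-pipeline plugin or from any of the repos named above: a POSIX sh staging script for Track C's "same bar as the binary" rule. It builds `SHA256SUMS` over a dist directory, recomputes it, refuses to emit SLSA subjects when the checksum list (and so the provenance subject list derived from it) names no `.wasm`, prints the base64 subject blob in the form the slsa-github-generator generic workflow takes as its `base64-subjects` input, and wraps keyless `cosign sign-blob` for the CI signing step. The `dist/` layout, the helper names, and the assumption that cosign 2.x is on `PATH` in a job with `id-token: write` are mine; the signing function is not exercised offline.

```shell
#!/bin/sh
# Added example (not the release-artifact-pipeline plugin's own code):
# stage a release directory so the .wasm meets the same bar as the
# native binary (Track C). Helper names and the dist/ layout are assumed.
set -eu

# Portable sha256 tool: GNU coreutils sha256sum, else shasum.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# make_sha256sums DIST: write DIST/SHA256SUMS over every regular file in
# DIST except the checksum file itself and signature material. Paths are
# relative to DIST and sorted so the file is reproducible across runs.
make_sha256sums() {
  dist=$1
  tool=$(sha256_tool)
  rm -f "$dist/SHA256SUMS"
  ( cd "$dist" && find . -type f ! -name SHA256SUMS ! -name '*.bundle' ! -name '*.sig' \
      -exec $tool {} + | sed 's|  \./|  |' | LC_ALL=C sort -k2 ) > "$dist/SHA256SUMS"
  printf '%s\n' "$dist/SHA256SUMS"
}

# verify_sha256sums DIST: recompute every digest listed in DIST/SHA256SUMS.
verify_sha256sums() {
  ( cd "$1" && $(sha256_tool) -c SHA256SUMS >/dev/null )
}

# subjects_cover_wasm SUMS: the SLSA subject list is derived from
# SHA256SUMS, so a .wasm absent here is a .wasm absent from provenance.
# Returns 0 when at least one subject is a .wasm, 1 otherwise.
subjects_cover_wasm() {
  grep -q '\.wasm$' "$1"
}

# slsa_subjects SUMS: single-line base64 of SHA256SUMS, the shape the
# slsa-github-generator generic workflow accepts as base64-subjects.
# Refuses (exit 1) when the wasm is not covered.
slsa_subjects() {
  subjects_cover_wasm "$1" || { echo "refusing: no .wasm among SLSA subjects" >&2; return 1; }
  base64 < "$1" | tr -d '\n'
}

# sign_release DIST: keyless cosign signature (one Sigstore bundle per
# artifact), for a CI job with id-token: write. Assumes cosign 2.x on PATH.
sign_release() {
  for f in "$1"/*; do
    case "$f" in *.bundle|*.sig) continue ;; esac
    cosign sign-blob --yes --bundle "$f.bundle" "$f"
  done
}

# Usage: stage.sh dist/ [sign]
if [ "${1-}" ]; then
  sums=$(make_sha256sums "$1")
  verify_sha256sums "$1"
  slsa_subjects "$sums"; echo
  if [ "${2-}" = sign ]; then sign_release "$1"; fi
fi
```

Run it against the dist directory before the SLSA provenance job so a release whose wasm was never staged fails at the checksum step rather than shipping provenance that silently omits it; the same `SHA256SUMS` is what `verify_sha256sums` and, downstream, `cosign verify-blob` consumers check against.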