Skip to content

Add release governance and PyPI trusted publishing#4

Merged
Codeblin merged 2 commits into
masterfrom
env/release_impl
Jul 15, 2026
Merged

Add release governance and PyPI trusted publishing#4
Codeblin merged 2 commits into
masterfrom
env/release_impl

Conversation

@Codeblin

Copy link
Copy Markdown
Owner

Summary

Prepare DexMachina for a credible v0.1.0 public alpha by adding release governance, supply-chain documentation, CI hardening, PyPI Trusted Publishing support, and cross-platform test fixes.

This PR also improves download integrity handling, lockfile reproducibility, emulator CI diagnostics, and the Frida device-ready flow.

Testing

  • python -m pytest
  • dexmachina --help
  • dexmachina status --offline

Additional validation:

  • py -m pytest -> 132 passed
  • py scripts\verify_release.py v0.1.0
  • py -m uv build
  • Verified workflows contain no external uses: actions

Device or Emulator Coverage

If this affects device flows, note what you tested:

  • Setup: GitHub Actions rooted AVD workflow, shell-only because repo policy blocks external actions
  • Rooted: CI attempts adb root and then runs device readiness checks
  • Command: dexmachina --no-banner up --profile minimal --yes, dexmachina --no-banner device ready, dexmachina frida-ps -U
  • Result: Workflow has been iteratively fixed for SDK bootstrap, AVD visibility, emulator boot diagnostics, and active Frida venv resolution

Supply Chain Impact

  • No new downloads or network calls
  • New/changed downloads are documented in THREAT_MODEL.md
  • Checksums/signatures were added when upstream provides them

Notes:

  • Direct and GitHub Release downloads now record SHA-256 metadata.
  • Restore enforces lockfile SHA-256 digests for direct/GitHub Release artifacts.
  • GitHub Release checksum discovery supports common upstream checksum assets.
  • Signature verification is still documented as a future gap.
  • PyPI publishing uses Trusted Publishing/OIDC via uv, avoiding long-lived PyPI tokens.

Codeblin added 2 commits July 15, 2026 15:17
- add CODEOWNERS and branch protection checklist
- document release process and PyPI trusted publisher setup
- publish tagged releases to PyPI with OIDC via uv
- group future Dependabot Python updates
- clean package metadata for PyPI builds
@Codeblin Codeblin merged commit a4e340f into master Jul 15, 2026
9 checks passed
@Codeblin Codeblin deleted the env/release_impl branch July 15, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant