You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs(release): org-owned private App procedure with key handling (#353) (#366)
* docs(release): org-owned private App procedure with key handling (#353)
Mirror the issue-353 tracker into the runbook: the policy-read App
requires GoogleCloudPlatform organization-owner authority to install
(repository Administration permission), must be registered as
installable only on this account (private App), webhooks disabled and
no organization/account permissions, with explicit private-key
generation, installation scoped to this repository only, and PEM
handling guidance (delete the workstation copy after storing the
secret; record key-rotation ownership).
* docs(release): first-release setup parity + corrected recovery semantics (#353 review)
- Immutable-release refusal recovery: the GitHub release stays a
draft, but PyPI/TestPyPI already contain the exact files when
finalize reaches the policy precondition — enable the setting and
re-run finalize from the ORIGINAL attempt, never a full rerun.
- Pre-flight: the first release requires PENDING Trusted Publishers
on both indexes (no project exists yet; the pending publisher
creates it on first trusted upload).
- One-time GitHub setup enumerates the tracing-v* tag restriction on
all three environments and scopes required reviewers to pypi and
release-promote only.
- Version-burn rule distinguishes true burns (defective bytes after
acceptance, index deviations, reconciler burn states) from
retryable failures where the index holds the exact anchor bytes
(original-attempt rerun; the pre-checks pass without re-upload).
* docs(release): reject-vs-burn distinction, missing-release state, Owner requirement, publisher failure paths (#353 review)
- A full rerun is REJECTED (return to the recoverable original run),
not itself a burn: a burn is asserted only for deviation from the
original accepted anchor.
- The reconciler burn-state list includes missing-release.
- Post-first-publish: a second Google-controlled Owner (not
Maintainer) on each index, timed to each index's first trusted
upload, with 2FA/recovery for both owners.
- Publisher misconfiguration is documented per DAG path: missing
TestPyPI publisher stops promote/publish-pypi; missing production
publisher fails only publish-pypi after earlier stages pass.
* docs(release): 'original workflow build anchor' wording; first-attempt conflicts burn (#353 review round 2)
0 commit comments