docs(release): org-owned private App procedure with key handling (#353)#366
Merged
haiyuan-eng-google merged 4 commits intoJul 15, 2026
Merged
Conversation
haiyuan-eng-google
pushed a commit
that referenced
this pull request
Jul 15, 2026
…353) (#367) Upstream yanked build==1.5.1, so the deterministic two-phase regeneration (regen-locks.sh, converged in one phase inside the pinned base image) now resolves build==1.5.0 in pip-tools.lock and build-requirements.lock. This is the drift currently failing the Hash-lock drift check on main and on PR #366.
caohy1988
force-pushed
the
docs/353-app-runbook
branch
from
July 15, 2026 22:02
5852bc1 to
8034906
Compare
…gleCloudPlatform#353) Mirror the issue-353 tracker into the runbook: the policy-read App requires GoogleCloudPlatform organization-owner authority to install (repository Administration permission), must be registered as installable only on this account (private App), webhooks disabled and no organization/account permissions, with explicit private-key generation, installation scoped to this repository only, and PEM handling guidance (delete the workstation copy after storing the secret; record key-rotation ownership).
…ics (GoogleCloudPlatform#353 review) - Immutable-release refusal recovery: the GitHub release stays a draft, but PyPI/TestPyPI already contain the exact files when finalize reaches the policy precondition — enable the setting and re-run finalize from the ORIGINAL attempt, never a full rerun. - Pre-flight: the first release requires PENDING Trusted Publishers on both indexes (no project exists yet; the pending publisher creates it on first trusted upload). - One-time GitHub setup enumerates the tracing-v* tag restriction on all three environments and scopes required reviewers to pypi and release-promote only. - Version-burn rule distinguishes true burns (defective bytes after acceptance, index deviations, reconciler burn states) from retryable failures where the index holds the exact anchor bytes (original-attempt rerun; the pre-checks pass without re-upload).
…er requirement, publisher failure paths (GoogleCloudPlatform#353 review) - A full rerun is REJECTED (return to the recoverable original run), not itself a burn: a burn is asserted only for deviation from the original accepted anchor. - The reconciler burn-state list includes missing-release. - Post-first-publish: a second Google-controlled Owner (not Maintainer) on each index, timed to each index's first trusted upload, with 2FA/recovery for both owners. - Publisher misconfiguration is documented per DAG path: missing TestPyPI publisher stops promote/publish-pypi; missing production publisher fails only publish-pypi after earlier stages pass.
…t conflicts burn (GoogleCloudPlatform#353 review round 2)
caohy1988
force-pushed
the
docs/353-app-runbook
branch
from
July 15, 2026 23:08
8034906 to
cabd1a3
Compare
haiyuan-eng-google
approved these changes
Jul 15, 2026
haiyuan-eng-google
merged commit Jul 15, 2026
08d1dd8
into
GoogleCloudPlatform:main
23 checks passed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Runbook follow-up from the #353 operational reviews: brings
producers/RELEASING.mdto full parity with the canonical tracker checklist. Reviewers are approving the complete first-release operational contract:GitHub App (policy read)
BQAA_RELEASE_POLICY_APP_ID(variable) /BQAA_RELEASE_POLICY_APP_PRIVATE_KEY(secret); PEM workstation copy deleted after storage unless kept in an approved secret manager; key-rotation ownership recorded.First-release setup parity
tracing-v*tag restriction on all three environments (testpypi,release-promote,pypi) with required reviewers onrelease-promoteandpypionly.Recovery semantics
finalizefrom the original attempt; never a full rerun.empty-release,testpypi-partial,partial,missing-release), not burned (byte-exact transient failures → original-attempt rerun), and rejected-but-not-burned (an accidental full rerun: abandon it, return to the recoverable original run).promote/publish-pypi; a missing production publisher fails onlypublish-pypiafter earlier stages pass.Docs-only (
producers/RELEASING.md).Status: rebased onto post-#369
main; headcabd1a3descends directly from the #369 merge (7cd8401). Fresh required checks running; needs approval from a write-access collaborator other than the author on this head.Part of #353.