Skip to content

docs(release): org-owned private App procedure with key handling (#353)#366

Merged
haiyuan-eng-google merged 4 commits into
GoogleCloudPlatform:mainfrom
caohy1988:docs/353-app-runbook
Jul 15, 2026
Merged

docs(release): org-owned private App procedure with key handling (#353)#366
haiyuan-eng-google merged 4 commits into
GoogleCloudPlatform:mainfrom
caohy1988:docs/353-app-runbook

Conversation

@caohy1988

@caohy1988 caohy1988 commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Runbook follow-up from the #353 operational reviews: brings producers/RELEASING.md to full parity with the canonical tracker checklist. Reviewers are approving the complete first-release operational contract:

GitHub App (policy read)

  • Organization-owner authority required (the App requests repository Administration permission); organization-owned App; registration setting "Where can this GitHub App be installed?" → Only on this account (private App); Administration:read only; webhooks disabled; no organization/account permissions; explicit private-key generation; installation on this repository only; App ID/PEM stored as BQAA_RELEASE_POLICY_APP_ID (variable) / BQAA_RELEASE_POLICY_APP_PRIVATE_KEY (secret); PEM workstation copy deleted after storage unless kept in an approved secret manager; key-rotation ownership recorded.

First-release setup parity

  • Pre-flight requires pending Trusted Publishers on both indexes (no project exists before the first trusted upload).
  • One-time GitHub setup enumerates the tracing-v* tag restriction on all three environments (testpypi, release-promote, pypi) with required reviewers on release-promote and pypi only.
  • Immediately after each index's first trusted upload: add a second Google-controlled Owner (not Maintainer — no administrative recovery) and confirm 2FA/recovery for both owners.

Recovery semantics

  • Corrected immutable-release refusal recovery: the GitHub release stays a draft but PyPI/TestPyPI already contain the exact files — enable the setting and re-run finalize from the original attempt; never a full rerun.
  • Version-burn rule distinguishes burned (deviation from the original workflow build anchor — including pre-existing files on the first attempt — or reconciler burn states empty-release, testpypi-partial, partial, missing-release), not burned (byte-exact transient failures → original-attempt rerun), and rejected-but-not-burned (an accidental full rerun: abandon it, return to the recoverable original run).
  • Publisher misconfiguration documented per DAG path: a missing TestPyPI publisher stops promote/publish-pypi; a missing production publisher fails only publish-pypi after earlier stages pass.

Docs-only (producers/RELEASING.md).

Status: rebased onto post-#369 main; head cabd1a3 descends directly from the #369 merge (7cd8401). Fresh required checks running; needs approval from a write-access collaborator other than the author on this head.

Part of #353.

haiyuan-eng-google pushed a commit that referenced this pull request Jul 15, 2026
…353) (#367)

Upstream yanked build==1.5.1, so the deterministic two-phase
regeneration (regen-locks.sh, converged in one phase inside the pinned
base image) now resolves build==1.5.0 in pip-tools.lock and
build-requirements.lock. This is the drift currently failing the
Hash-lock drift check on main and on PR #366.
@caohy1988
caohy1988 force-pushed the docs/353-app-runbook branch from 5852bc1 to 8034906 Compare July 15, 2026 22:02
…gleCloudPlatform#353)

Mirror the issue-353 tracker into the runbook: the policy-read App
requires GoogleCloudPlatform organization-owner authority to install
(repository Administration permission), must be registered as
installable only on this account (private App), webhooks disabled and
no organization/account permissions, with explicit private-key
generation, installation scoped to this repository only, and PEM
handling guidance (delete the workstation copy after storing the
secret; record key-rotation ownership).
…ics (GoogleCloudPlatform#353 review)

- Immutable-release refusal recovery: the GitHub release stays a
  draft, but PyPI/TestPyPI already contain the exact files when
  finalize reaches the policy precondition — enable the setting and
  re-run finalize from the ORIGINAL attempt, never a full rerun.
- Pre-flight: the first release requires PENDING Trusted Publishers
  on both indexes (no project exists yet; the pending publisher
  creates it on first trusted upload).
- One-time GitHub setup enumerates the tracing-v* tag restriction on
  all three environments and scopes required reviewers to pypi and
  release-promote only.
- Version-burn rule distinguishes true burns (defective bytes after
  acceptance, index deviations, reconciler burn states) from
  retryable failures where the index holds the exact anchor bytes
  (original-attempt rerun; the pre-checks pass without re-upload).
…er requirement, publisher failure paths (GoogleCloudPlatform#353 review)

- A full rerun is REJECTED (return to the recoverable original run),
  not itself a burn: a burn is asserted only for deviation from the
  original accepted anchor.
- The reconciler burn-state list includes missing-release.
- Post-first-publish: a second Google-controlled Owner (not
  Maintainer) on each index, timed to each index's first trusted
  upload, with 2FA/recovery for both owners.
- Publisher misconfiguration is documented per DAG path: missing
  TestPyPI publisher stops promote/publish-pypi; missing production
  publisher fails only publish-pypi after earlier stages pass.
@caohy1988
caohy1988 force-pushed the docs/353-app-runbook branch from 8034906 to cabd1a3 Compare July 15, 2026 23:08
@haiyuan-eng-google
haiyuan-eng-google merged commit 08d1dd8 into GoogleCloudPlatform:main Jul 15, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants