You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/prompts/codex-pr-review.md
+15Lines changed: 15 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -126,6 +126,21 @@ Example finding:
126
126
```
127
127
````
128
128
129
+
## Release And Distribution Validation
130
+
131
+
When a PR touches `.github/workflows/release.yml`, `.github/workflows/packaging-smoke.yml`, `packaging/**`, release notes, or package-manager manifests, review it as a release-path change. Do not stop at YAML syntax or local manifest shape.
132
+
133
+
Check these paths explicitly when relevant:
134
+
135
+
-`packaging/update-shas.sh` must derive version, release URLs, checksums, and release dates from the actual published release or current workflow input. It must not depend on `github.ref_name` when the workflow can run from `workflow_dispatch` on `main`.
136
+
- Post-release jobs must run both for stable tag pushes and for non-draft manual dispatches that publish or overwrite release assets. If a workflow can overwrite release files, the packaging/Homebrew/Scoop/winget sync jobs must also run on that path.
137
+
-`packaging/homebrew/Casks/open-codesign.rb`, `packaging/scoop/bucket/open-codesign.json`, `packaging/winget/**`, and `packaging/flatpak/**` must match the current release assets and `SHA256SUMS.txt`. Hash drift in any public install channel is a **Blocker** because users will get checksum failures or install the wrong artifact.
138
+
- Homebrew and Scoop downstream repos are separate public install sources. If the PR changes generated manifests or release assets, check whether the workflow or release process updates `OpenCoworkAI/homebrew-tap` and `OpenCoworkAI/scoop-bucket`; otherwise call out the gap.
139
+
- winget manifests should match the schema version used by the published package series and include fields required by winget validation, especially `ReleaseDate` in installer manifests when previous published versions have it. Installer URLs and `InstallerSha256` must match the current GitHub Release assets, not stale assets from an earlier rerun.
140
+
- For release PRs, compare `SHA256SUMS.txt`, attached assets, in-repo manifests, external channel manifests, and workflow triggers as one system. A fix that updates only one channel while leaving another channel stale is incomplete.
141
+
142
+
If the validation context is unavailable in the public checkout, say exactly what could not be verified and treat the risk conservatively. Do not claim a release/distribution PR is safe unless the artifact/checksum/update path is internally consistent.
143
+
129
144
## Severity And Noise Control
130
145
131
146
Use severity to reflect merge risk, not personal taste:
0 commit comments