
Public Release Checklist

This repository remains private until the exact v1 release candidate passes this checklist. Changing visibility is the final publication action, not the start of sanitation.

Anonymization Boundary

Public-safe identity is intentional:

  • GitHub owner and maintainer identity Shaelz;
  • MIT copyright holder;
  • published security and conduct contact.

Sanitize private project context:

  • private validation target names;
  • concrete workstation checkout paths;
  • private repository identifiers;
  • secrets, credentials, and generated artifacts; and
  • stale release evidence that names private targets.

Run:

npm run check:public
npm run check:public:history

The current-tree check is part of npm run check. The history check is an M6 gate because reachable commits and tags become public when visibility changes. If it fails, rewrite the private pre-public history and recreate any candidate tags before enabling rulesets or publishing.
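As an added example (not the repository's own check:public:history script), the scan below walks a git log --all -p style dump and flags the private context classes listed above while allowlisting the intentional public identity. The rule shapes, the placeholder target name and the sample history are constructed for illustration.

```javascript
// Added example, not the project's own check script. Scans a history dump
// for private context before visibility changes. Patterns and sample data
// are constructed placeholders; supply the real denylist for a real run.

// Intentional public identity from the checklist: never a finding.
const PUBLIC_OWNERS = new Set(['Shaelz']);

const RULES = [
  // Concrete workstation checkout paths (POSIX home dirs, Windows profiles).
  { id: 'workstation-path', re: /(?:\/home\/|\/Users\/|[A-Za-z]:\\Users\\)[^\s'"`]+/g },
  // Repository slugs; only owners outside the public allowlist are flagged.
  { id: 'private-repo', re: /github\.com[/:]([\w.-]+)\/[\w.-]+/g,
    allow: (m) => PUBLIC_OWNERS.has(m[1]) },
  // Private validation target names: placeholder denylist (assumption).
  { id: 'private-target', re: /\b(?:acme-internal-app|PRIVATE_TARGET_PLACEHOLDER)\b/g },
  // Credential-shaped strings; GitHub token prefixes are one common shape.
  { id: 'secret', re: /\bgh[pousr]_[A-Za-z0-9]{20,}\b/g },
];

// Returns one finding per match: which rule, which commit, which line.
function scanHistory(dump, rules = RULES) {
  const findings = [];
  let commit = '(no commit)';
  dump.split('\n').forEach((line, idx) => {
    const header = /^commit ([0-9a-f]{7,40})/.exec(line);
    if (header) { commit = header[1]; return; }
    for (const rule of rules) {
      rule.re.lastIndex = 0;            // regexes are global; reset per line
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        if (rule.allow && rule.allow(m)) continue;
        findings.push({ rule: rule.id, commit, line: idx + 1, match: m[0] });
      }
    }
  });
  return findings;
}

// Gate semantics: the history is public-safe only with zero findings.
function isPublicSafe(dump) { return scanHistory(dump).length === 0; }

// Constructed sample dump: one clean public commit, one that leaks context.
const SAMPLE_HISTORY = [
  'commit 1111111111111111111111111111111111111111',
  'Author: Shaelz <security@example.invalid>',
  '    Document public clone instructions',
  '+Clone from https://github.com/Shaelz/codebase-orient-skill',
  'commit 2222222222222222222222222222222222222222',
  'Author: dev <dev@example.invalid>',
  '    Record validation evidence',
  '+Validated from /home/dev/checkouts/acme-internal-app',
  '+Upstream: git@github.com:private-org/acme-internal-app.git',
].join('\n');

for (const f of scanHistory(SAMPLE_HISTORY)) {
  console.log(`${f.rule}\t${f.commit.slice(0, 12)}\tline ${f.line}\t${f.match}`);
}
```

A real run would feed the output of git log --all -p (plus tag and author metadata) into scanHistory and fail the gate on any finding, which is the condition under which the pre-public history rewrite is required.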

GitHub Settings Target

Match Shaelz/codebase-orient-skill unless a documented product difference requires otherwise:

Audited: 2026-06-06

Final pre-public API pass: 2026-06-06

| Setting | Current visualize repo | Sibling-grade v1 target |
| --- | --- | --- |
| Visibility | private | public only after all gates pass |
| Description | A reusable codebase-visualization skill for Claude Code and Codex. | same |
| Topics | agent-skills, ai-agents, claude-code, codebase-visualization, codex, developer-tools, repository-analysis | sibling-adapted topics |
| Issues | enabled | enabled |
| Projects | disabled | disabled |
| Wiki | disabled | disabled |
| Discussions | disabled | disabled |
| Delete head branches after merge | enabled | enabled |
| Merge commits | enabled | enabled |
| Squash merging | enabled | enabled |
| Rebase merging | enabled | enabled |
| Default squash title | pull request title | pull request title |
| Auto-merge | disabled | disabled |
| Web commit signoff | disabled | disabled |
| License detection | MIT | MIT |
| Security policy | root SECURITY.md | root SECURITY.md |
| Private vulnerability reporting | unavailable while private | enabled after public switch if available |
| Secret scanning | unavailable/disabled while private on current plan | enabled after public switch if available |
| Push protection | unavailable/disabled while private on current plan | enabled after public switch if available |
| Immutable releases | unavailable/deferred while private | enabled after final tag/release flow if available |

Create the same active rulesets after the repository is public:

  1. Protect main history
    • target: refs/heads/main
    • block deletion
    • block non-fast-forward updates
  2. Protect version tags
    • target: refs/tags/v*
    • block update
    • block deletion
    • block non-fast-forward updates

Do not enable immutable history or tag rules before any required pre-public history rewrite and tag recreation is complete.

Keep "private": true in package.json. It prevents accidental publication to the npm registry and is independent of GitHub repository visibility.

Current inspectable GitHub status:

  • main is the only branch.
  • No tags or releases exist.
  • No issues or pull requests exist.
  • No Actions runs, artifacts, caches, environments, deployments, hooks, deploy keys, Actions secrets, or Actions variables exist.
  • Pages is not configured.
  • Rulesets are unavailable while the repository remains private on the current plan.
  • Vulnerability alerts/private vulnerability reporting and security-analysis features are unavailable or disabled while private.
  • The sibling public repo has private vulnerability reporting enabled, secret scanning enabled, push protection enabled, and the two active rulesets above.

Publication Order

  1. Sanitize the tracked current tree.
  2. Audit the complete GitHub repository exposure surface.
  3. Audit all reachable commits and tags.
  4. Rewrite private pre-public history if required.
  5. Validate the exact rewritten release candidate from a fresh checkout.
  6. Complete Linux/WSL2, visual, live-fire, pressure, and cold-user evidence.
  7. Confirm repository metadata and merge options still match this checklist.
  8. Change visibility to public.
  9. Enable security features, private vulnerability reporting, immutable releases, and the sibling-grade rulesets.
  10. Publish the final immutable v1.0.0 release.

Final Human Action Checklist

Before changing visibility

  • Confirm the repository is still private.
  • Confirm default branch is main.
  • Confirm only main exists as a branch.
  • Confirm no tags or releases exist unless intentionally created for the final release flow.
  • Confirm no issues, pull requests, Actions runs/artifacts/caches, deployments, environments, Pages site, wiki, discussions, projects, hooks, deploy keys, Actions secrets, or Actions variables have appeared since this record.
  • Manually glance at GitHub UI-only surfaces not fully represented by the API: social preview, package views, repository header/about panel, and Security tab availability.
  • Decide whether the agent-mediated cold-user rehearsal is sufficient for v1 or whether to run an additional external human-through-agent validation pass.
  • If the final tag target includes commits after the latest exact-candidate validation record, refresh exact-candidate validation for that target before tagging.

Immediately after changing visibility to public

  • Re-check repository header/about metadata and topics.
  • Enable supported security features:
    • secret scanning;
    • push protection;
    • private vulnerability reporting;
    • Dependabot/security alerts if available and desired.
  • Create ruleset Protect main history:
    • target: branch;
    • include: refs/heads/main;
    • enforcement: active;
    • rules: block deletion and non-fast-forward updates.
  • Create ruleset Protect version tags:
    • target: tag;
    • include: refs/tags/v*;
    • enforcement: active;
    • rules: block update, deletion, and non-fast-forward updates.

Before or while creating v1.0.0

  • Confirm package.json intentionally remains "private": true.
  • Confirm the release tag target is the exact validated candidate.
  • Create v1.0.0 only after the final exact-candidate decision.
  • Publish release notes from CHANGELOG.md and the frozen validation evidence.
  • Do not upload release assets unless there is an intentional, documented asset.

After release publication

  • Confirm the public repo page renders README, license, security policy, and code of conduct correctly.
  • Confirm rulesets are active and protect main and v* tags.
  • Confirm public clone/install instructions work from the release tag or release archive.
  • Freeze the final v1 validation record and only then run the post-v1 documentation compaction pass.

M6 GitHub Exposure Audit

Before changing visibility, inspect everything that may become visible or remain accessible from GitHub. For every finding, explicitly choose one: retain, generalize, remove from the current tree, delete from GitHub, or rewrite from reachable history.

Audit at least:

  • tracked files and generated artifacts on the default branch;
  • all branches, commits, tags, commit authors, emails, and messages;
  • repository description, homepage, topics, social preview, and visibility;
  • issues, pull requests, comments, review threads, and attachments;
  • Actions runs, logs, workflow artifacts, caches, and environments;
  • releases, release notes, and uploaded release assets;
  • GitHub Pages, wiki, projects, discussions, and packages;
  • deploy keys, webhooks, collaborators, installed apps, and environments;
  • secrets, variables, security alerts, and private vulnerability reports; and
  • forks or external references that cannot be rewritten here.

Clarify the mechanism used:

  • .gitignore prevents future accidental additions; it does not remove tracked files or history.
  • git rm plus a commit removes a tracked file from the current branch only.
  • GitHub deletion removes platform objects such as issues, releases, or artifacts where supported.
  • A controlled history rewrite removes or generalizes content from reachable commits and tags.

Freeze the exact candidate only after this audit and required cleanup complete.

Maintained M6 records:

Current deterministic candidate status:

  • Current validated candidate content has fresh working-tree and clean-clone deterministic validation evidence for revision c7855e07c40df5220df446d81e5639c5ecc55aa5.
  • Agent-mediated cold-user and pre-public rehearsal evidence is recorded.
  • Final pre-public API/readiness pass was performed while private; no new hosted-surface blocker was found.
  • Final manual GitHub UI-only checks, public-only security/ruleset setup, and final tag/release/publication decisions remain. Maintainers may still choose to perform an additional external human-through-agent validation pass.
  • If maintainers choose a later content commit for tagging, refresh the exact-candidate validation record for that content.