# Releasing
Aksara release publishing should be gated, reproducible, and based on PyPI Trusted Publishing. This page documents the intended release process; it does not publish packages by itself.
## Release Candidate Checks
Before a production-mode claim or public release candidate, run the release gate workflow and confirm these checks pass:
- Full test suite
- Security tests
- Diagnostics tests
- Bounded fuzz/adversarial tests
- DB-backed migration tests (transactional application, advisory lock, and checksum verification) against a real PostgreSQL database
- A migration smoke check: `aksara migrate` and `aksara status` against a scratch database, confirming checksum recording and verification
- `aksara doctor production-check`
- Strict docs build
- Dependency audit
- Static analysis
- Secret scan
- Package build
- `twine check`
- Wheel import verification
- SBOM generation
## PyPI Trusted Publishing
Configure PyPI Trusted Publishing in the PyPI project settings:
- Publisher: GitHub
- Repository: `nagarjuna-tella/Aksara`
- Workflow: `publish.yml`
- Environment: `pypi`
The publish workflow uses GitHub OIDC and does not require a PyPI API token.
Keep the `pypi` environment protected so maintainers must approve publishing.
## Publish Workflow
Publishing is manual. Use the Publish Package workflow only after release-gate checks pass and the protected `pypi` environment is ready.
The workflow:
- Builds wheel and source distributions.
- Runs `twine check`.
- Publishes through `pypa/gh-action-pypi-publish` using Trusted Publishing.
## Provenance and Signing
Release artifacts should be traceable to:
- Git tag
- GitHub Actions run
- Built wheel and source distribution
- SBOM artifact
- Release notes and changelog entry
Signed tags or commits may be required by project policy before a production-mode claim.
## What This Does Not Mean
These release gates prepare Aksara for trustworthy releases. They do not replace external security review and do not constitute a production-readiness claim.