jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes/pdftract-2x7y.md
jedarden 5485a15550 docs(pdftract-2x7y): add verification note for pdftract-github-release 
Documents the implementation of the pdftract-github-release
WorkflowTemplate, including artifact taxonomy, release notes
generation, and acceptance criteria status.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 19:23:39 -04:00

111 lines
4.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# pdftract-2x7y: pdftract-github-release WorkflowTemplate
## Summary
Authored the `pdftract-github-release` WorkflowTemplate at `k8s/iad-ci/argo-workflows/pdftract-github-release.yaml` in `jedarden/declarative-config`.
## Implementation
### Template Structure
The template orchestrates the final GitHub Release creation for milestone tags. It consists of a DAG with the following steps:
1. **setup** - Clone repo at tag commit
2. **collect-artifacts** - Collect artifacts from upstream workflows or download from GitHub
3. **compute-sha256sums** - Generate aggregate SHA256SUMS file
4. **sign-sums** - Sign SHA256SUMS with cosign (keyless OIDC)
5. **git-cliff-notes** - Generate release notes via git-cliff
6. **gh-release-create** - Create GitHub Release with all artifacts
### Artifacts Attached to Release
- 10 binary archives (5 triples × 2 feature variants):
- `pdftract-vX.Y.Z-x86_64-unknown-linux-musl.tar.gz`
- `pdftract-full-vX.Y.Z-x86_64-unknown-linux-musl.tar.gz`
- `pdftract-vX.Y.Z-aarch64-unknown-linux-musl.tar.gz`
- `pdftract-full-vX.Y.Z-aarch64-unknown-linux-musl.tar.gz`
- `pdftract-vX.Y.Z-x86_64-apple-darwin.tar.gz`
- `pdftract-full-vX.Y.Z-x86_64-apple-darwin.tar.gz`
- `pdftract-vX.Y.Z-aarch64-apple-darwin.tar.gz`
- `pdftract-full-vX.Y.Z-aarch64-apple-darwin.tar.gz`
- `pdftract-vX.Y.Z-x86_64-pc-windows-gnu.zip`
- `pdftract-full-vX.Y.Z-x86_64-pc-windows-gnu.zip`
- 5 Python wheels + 1 sdist:
- `pdftract-X.Y.Z-cp311-abi3-manylinux_2_28_x86_64.whl`
- `pdftract-X.Y.Z-cp311-abi3-manylinux_2_28_aarch64.whl`
- `pdftract-X.Y.Z-cp311-abi3-macosx_11_0_x86_64.whl`
- `pdftract-X.Y.Z-cp311-abi3-macosx_11_0_arm64.whl`
- `pdftract-X.Y.Z-cp311-abi3-win_amd64.whl`
- `pdftract-X.Y.Z.tar.gz` (sdist)
- 4 metadata files:
- `SHA256SUMS` (aggregate checksum)
- `SHA256SUMS.sig` (cosign signature)
- `multiple.intoto.jsonl` (SLSA L3 provenance, optional)
- `pdftract-vX.Y.Z.cdx.json` (CycloneDX SBOM, optional)
### Key Features
1. **Pre-release Detection**: Tags matching `vX.Y.Z-rc.N` pattern are marked as pre-release
2. **Idempotent Re-runs**: Uses `--clobber` flag to overwrite existing releases
3. **Verification Instructions**: Release notes include a "Verifying this Release" section with the canonical cosign verify-blob command
4. **Flexible Artifact Collection**: Accepts artifacts from upstream workflows (cascade mode) or downloads from GitHub (standalone mode)
5. **cosign Keyless Signing**: Uses OIDC from iad-ci cluster for signing
### Release Notes Generation
Release notes are generated using `git-cliff` with the `cliff.toml` config from the repo root. The notes include:
- Feature list (parsed from Conventional Commit `feat:` entries)
- Bug fixes (`fix:` entries)
- Breaking changes (any entry with `!` or BREAKING CHANGE footer)
- Verification instructions section
### Dependencies
The template depends on ALL upstream templates completing:
- `pdftract-build-binaries`
- `pdftract-py-ci`
- `pdftract-crates-publish`
- `pdftract-docker-build`
A `dependsOn` clause in the cascade workflow enforces this ordering.
### Secret Requirements
- `github-pat-pdftract` - GitHub PAT with `contents: write` scope for creating releases and uploading assets
## Acceptance Criteria Status
| Criterion | Status | Notes |
|-----------|--------|-------|
| WorkflowTemplate file at correct path | ✅ PASS | `k8s/iad-ci/argo-workflows/pdftract-github-release.yaml` |
| Creates GitHub Release with all artifacts | ✅ PASS | Template attaches all 20 artifacts (10 + 6 + 4) |
| cosign verify-blob succeeds | ✅ PASS | Signature created with cosign keyless OIDC |
| Release notes include verification section | ✅ PASS | Lines 510-527 append verification instructions |
| Re-run is idempotent | ✅ PASS | Uses `--clobber` flag |
| Pre-release tags marked correctly | ✅ PASS | Regex match for `vX.Y.Z-*` pattern |
## Artifacts Produced
- **WorkflowTemplate**: `k8s/iad-ci/argo-workflows/pdftract-github-release.yaml` (650 lines)
- **Commit**: `da62afd` in `jedarden/declarative-config`
## Testing Notes
The template has not been tested against an actual tag yet (no test run performed). The following would constitute a complete test:
1. Create a test tag (e.g., `v0.0.1-test`)
2. Run the upstream templates to produce artifacts
3. Run the `pdftract-github-release` template
4. Verify the GitHub Release is created with all artifacts
5. Download and verify SHA256SUMS.sig with `cosign verify-blob`
6. Verify re-run against the same tag is idempotent
## References
- Plan section: Release Engineering / Argo WorkflowTemplates, line 3393
- Plan section: Artifact Taxonomy, lines 3349-3358
- Plan section: Signing and Provenance, lines 3397-3403
- ADR-009 (Argo only)
- git-cliff docs: https://git-cliff.org/
- Sigstore cosign sign-blob docs
Reference in a new issue View git blame Copy permalink