Skip to content

Publish and verify the first immutable Flow policy release #23

Description

@jmcte

Problem statement

Flow has an exact v1.0.0 tag but no published GitHub Release. The first Publish Policy Release run failed at an administrator-only immutable-release preflight. PR #22 repaired the workflow permission boundary, but the release has not been retried from a tag containing that repair.

Desired outcome

Publish and independently verify the first immutable Flow policy release from a fresh exact SemVer patch tag that contains PR #22.

Scope

  • Verify immutable releases are enabled with an administrator-capable credential before tagging.
  • Select the next exact patch version without moving v1.0.0.
  • Create the exact tag from the reviewed main commit.
  • Dispatch Publish Policy Release with this issue as the governing release issue.
  • Verify the published archive, manifest, checksums, standalone verifier, and GitHub immutability evidence.

Non-goals

  • Moving or overwriting v1.0.0.
  • Publishing from main, latest, v1, or another floating reference.
  • Beginning the fleet-wide Bootstrap rollout.

Acceptance criteria

  • Administrator-capable preflight evidence confirms immutable releases are enabled.
  • A fresh exact SemVer tag containing commit 504c79e or its descendant is created without moving an existing tag.
  • Publish Policy Release completes successfully.
  • The GitHub Release contains the expected archive, manifest, checksums, and standalone verifier.
  • Downloaded assets verify successfully without a repository checkout.
  • GitHub reports the release as immutable.
  • Workflow, commit, tag, release, and postpublication evidence are recorded on this issue.
  • Issue Dogfood Public Repository Standard v1 in Flow #13 is updated with the immutable release reference that Bootstrap should consume.

Test expectations

  • Run the complete Python unit suite and all four policy validators on the tagged commit.
  • Build and verify the release locally before tagging.
  • Download and verify the published assets in a clean directory.

Security implications

This is a policy supply-chain publication. The built-in workflow token must remain least-privileged; administrator credentials are used only for the preflight and are not stored in the repository or workflow.

Documentation implications

Record the exact consumer reference and postpublication evidence in the release documentation and governing issue.

Dependencies

Human decision points

  • Administrator-capable immutable-release preflight
  • Any attempt to move or replace an existing exact tag

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind:governancePolicy, flow, bootstrap, or governance work.lane:pheidonOrchestration, gate, governance, and controller action.priority:p0Critical/urgent.review:releaseNeeds release review.state:intakeCaptured but not yet planned.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions