Added
- Automated PyPI Release Pipeline – Tag-triggered GitHub Actions workflow automatically builds, validates, and publishes releases to PyPI using the `PYPI_API_TOKEN` secret, eliminating manual publish steps.
- Release Validation Tooling – `scripts/release/validate_release.py` CLI enforces semantic version progression, changelog completeness, and version/tag alignment in both branch and tag modes, with actionable error messages.
- Release Readiness Guardrails – Pull request workflow validates version bumps, changelog entries, and passing tests before merge; nightly scheduled checks monitor drift.
- Comprehensive Release Documentation – Complete maintainer guides covering secret management, branch protection, troubleshooting, and step-by-step release workflows.
- Changelog Extraction – `scripts/release/extract_changelog.py` automatically extracts version-specific release notes for GitHub Releases.
- Release Test Suite – 4 pytest tests validate branch mode, tag mode, changelog parsing, and version regression detection.
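The three checks the validation tooling is described as enforcing (version progression, changelog entry present, tag equal to the package version in tag mode), as an added illustration that is not the repository's own `scripts/release/validate_release.py`; it assumes plain `MAJOR.MINOR.PATCH` versions, Keep a Changelog style `## [X.Y.Z]` headings, and `v`-prefixed tags.

```python
import re

# Assumption: release versions are plain MAJOR.MINOR.PATCH with no pre-release suffix.
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_semver(version):
    """Return (major, minor, patch) as ints, or raise ValueError with a clear message."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    return tuple(int(part) for part in m.groups())


def changelog_has_version(changelog_text, version):
    """True if a '## [X.Y.Z]' or '## X.Y.Z' heading exists (Keep a Changelog style, assumed)."""
    heading = re.compile(r"^##\s+\[?" + re.escape(version) + r"\]?(\s|$)", re.MULTILINE)
    return bool(heading.search(changelog_text))


def validate_release(version, previous_version, changelog_text, mode, tag=None):
    """Return a list of actionable errors; an empty list means the release may proceed.

    mode="branch": PR guard, checks the version bump and changelog entry only.
    mode="tag":    release guard, additionally requires the git tag to equal v<version>.
    """
    try:
        new, prev = parse_semver(version), parse_semver(previous_version)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    if new <= prev:  # tuple comparison gives correct semver ordering for numeric parts
        errors.append(f"version {version} does not advance past released {previous_version}")
    if not changelog_has_version(changelog_text, version):
        errors.append(f"CHANGELOG.md has no '## [{version}]' section")
    if mode == "tag":
        tag_version = tag[1:] if tag and tag.startswith("v") else tag
        if tag_version != version:
            errors.append(f"tag {tag!r} does not match package version {version}")
    elif mode != "branch":
        errors.append(f"unknown mode {mode!r}; expected 'branch' or 'tag'")
    return errors


# Constructed sample changelog (not from the project) used to exercise the checks.
SAMPLE_CHANGELOG = "# Changelog\n\n## [1.3.0] - 2024-05-01\n### Added\n- Release tooling\n\n## [1.2.0] - 2024-03-01\n"

if __name__ == "__main__":
    for args in [("1.3.0", "1.2.0", SAMPLE_CHANGELOG, "branch"),
                 ("1.3.0", "1.2.0", SAMPLE_CHANGELOG, "tag", "v1.3.1")]:
        print(args[0], args[3], validate_release(*args) or "OK")
```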
Changed
- GitHub Actions Workflows – Updated `release.yml` with pinned dependency versions, proper workflow ordering (PyPI publish before GitHub Release), and checksums stored in `dist/SHA256SUMS.txt`.
- Workflow Reliability – Fixed heredoc syntax error in `protect-main.yml` that was causing exit code 127 failures.
Security
- Secret Hygiene – PyPI credentials exclusively stored in GitHub Actions secrets with rotation guidance; no tokens in repository or logs; workflows sanitize outputs.
- Workflow Permissions – Explicit least-privilege permissions in all workflows (`contents: write`, `id-token: write` for releases; `contents: read` for guards).