Skip to content

release: keep evidence filenames download-stable#5

Merged
sumitake merged 1 commit into
mainfrom
dev/codex/release-asset-filename
Jul 12, 2026
Merged

release: keep evidence filenames download-stable#5
sumitake merged 1 commit into
mainfrom
dev/codex/release-asset-filename

Conversation

@sumitake

@sumitake sumitake commented Jul 12, 2026

Copy link
Copy Markdown
Owner

Summary

  • generate release archives with the GitHub-stable dot filename before upload
  • keep the checksum sidecar and SPDX packageFileName aligned with the downloaded asset
  • add a regression contract for the normalized release filename

Root cause and verification

GitHub normalized agent-collab v3.1.0.plugin to agent-collab.v3.1.0.plugin during upload, while the generated checksum and SPDX retained the pre-upload space name. A fresh download therefore failed shasum -c.

TDD evidence:

  • the new regression test failed against the old workflow
  • the same test passes after the one-line workflow fix
  • a local dot-named archive/evidence rehearsal passes shasum -c and records the dot name in SPDX
  • the already-published v3.1.0 checksum and SPDX assets were repaired and independently re-downloaded/verified; the archive and signed tag were not changed

Validation

  • python3 -m unittest discover -s tests -t . -q (223 tests)
  • python3 -m unittest discover -s scripts -p 'test_*.py' -q (255 tests)
  • python3 scripts/build_skills.py --check
  • python3 scripts/build_marketplace.py --check
  • python3 scripts/build-changelog.py --check
  • python3 scripts/check_release_consistency.py --against-ref origin/main
  • python3 scripts/check-public-export-safety.py --active-tree --history
  • python3 scripts/secret_scan.py
  • git diff --check
  • local standalone actionlint unavailable because neither the binary nor Go is installed; required CI remains authoritative

No changelog fragment: this is an internal release-workflow correction and the affected v3.1.0 public evidence assets were repaired in place.

Operator override

On 2026-07-12, John Osumi explicitly directed: “Merge PR #5 without cross-family review.” This authorizes the operator-reserved merge despite the unavailable independent-review routes; the review blockers remain recorded rather than being relabeled as a review verdict.

author: Codex under John Osumi operator direction
standing_directives: Read and followed AGENTS.md, docs/public-governance.md, the v3.1.0 release plan, and the repository debugging and TDD workflow
tier: 3
cross_check: BLOCKED — quota: GitHub Gemini Code Assist exhausted its daily review quota; unified managed review is duplicate_blocked, and browser review is prohibited by user policy; explicit operator override to merge without cross-family review recorded above
post_condition: After the explicitly operator-directed merge, future releases generate checksum and SPDX evidence against the exact public asset filename
mcp_coverage_gap: NONE
contributor_rights: OWNER-AUTHORED
operator_reserved: yes — .github/workflows/release.yml; John Osumi explicitly directed this merge

@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@sumitake sumitake marked this pull request as ready for review July 12, 2026 21:39
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@sumitake sumitake merged commit a3c3a6d into main Jul 12, 2026
16 checks passed
@sumitake sumitake deleted the dev/codex/release-asset-filename branch July 12, 2026 22:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant