Problem
During the v0.8.52 recovery we had to repair a moved tag and wait for the GitHub Release assets to be rebuilt before publishing Cargo/npm. The current process makes it too easy to mistake a green build matrix for a fully refreshed Release.
Goal
Add an explicit release gate that proves the public GitHub Release assets correspond to the tag/commit being published before Cargo or npm can proceed.
Acceptance criteria
- Verify local tag and remote tag resolve to the same commit SHA.
- Verify the release workflow run used that same SHA.
- Verify the public GitHub Release asset set is fresh for that run, including checksum manifest and canonical npm-facing assets.
- Make
npm/codewhale release verification fail loudly if the release asset set is stale or incomplete.
- Document the manual gate in the release checklist so future release stewards do not publish registries against stale assets.
Thanks to everyone who reported install/release fallout around v0.8.51/v0.8.52. This is the cleanup issue to make that failure mode much harder to repeat.
Problem
During the v0.8.52 recovery we had to repair a moved tag and wait for the GitHub Release assets to be rebuilt before publishing Cargo/npm. The current process makes it too easy to mistake a green build matrix for a fully refreshed Release.
Goal
Add an explicit release gate that proves the public GitHub Release assets correspond to the tag/commit being published before Cargo or npm can proceed.
Acceptance criteria
npm/codewhalerelease verification fail loudly if the release asset set is stale or incomplete.Thanks to everyone who reported install/release fallout around v0.8.51/v0.8.52. This is the cleanup issue to make that failure mode much harder to repeat.