release: prepare v0.2.0 (version, CHANGELOG, supported-versions, compare links) #116
Merged
…sions, compare links)

Stages the v0.2.0 release in-repo. Does NOT tag or publish — the signed tag push + `pypi` environment approval remain the maintainer's step (runbook §6.6).

MINOR bump per SemVer: the [Unreleased] block is backwards-compatible new features + fixes (new env vars/settings, redaction coverage, --verify-audit, seccomp-notify, deploy hardening), no breaking changes and the 21-tool contract is unchanged.

- pyproject.toml + src/relay_shell/__init__.py: 0.1.0 -> 0.2.0 (kept in sync; server_info reports it).
- CHANGELOG.md: the accumulated [Unreleased] content is stamped `[0.2.0] - 2026-06-21`; a fresh empty [Unreleased] opens above it. Added the Keep-a-Changelog version-compare link references at the foot (closes the DOC-5 deferral — now that a second release exists).
- SECURITY.md: added the "Supported versions" table (the runbook §8.2 item, deferred until a second release existed) — pre-1.0, only the latest minor (0.2.x) is patched.
- README.md status line: v0.1.0 -> v0.2.0; last-validated date refreshed to 2026-06-21 to match the ADR 0005 validation pass recorded this cycle.

Gate: ruff / ruff format / mypy --strict clean; pytest 374 passed; pyproject version == __version__ == 0.2.0 verified.

Rollback: revert; this is metadata/docs only, no runtime behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UyCRhjk4M9W1i7XP4VyiHN
…on bump doesn't fail --strict
The release-prep version bump (0.1.0 -> 0.2.0) made `pip-audit --strict` fail:
ERROR: relay-shell: Dependency not found on PyPI and could not be audited:
relay-shell (0.2.0)
pip-audit looks each installed distribution up on PyPI for known CVEs. The
local `relay-shell` is installed editable; 0.1.0 happens to be published so it
audited fine, but the unreleased 0.2.0 is not on PyPI, so --strict errors.
Auditing the project against itself is not the intent — pip-audit is here to
scan the third-party dependency graph for CVEs. `--skip-editable` excludes the
editable local install while still auditing every pinned dependency (incl. the
[dev]/[http] extras). This also makes every future release-prep bump robust.
actionlint clean. Folded into this release PR because the bump is what surfaces
the gap.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UyCRhjk4M9W1i7XP4VyiHN
…r fix)
The previous attempt (`--strict --skip-editable`) still failed:
ERROR: relay-shell: distribution marked as editable
`--strict` treats the skipped editable project as an incomplete audit and
errors, so it is incompatible with `--skip-editable`. Drop `--strict`:
`--skip-editable` excludes only the local editable `relay-shell` (the project,
not a third-party dependency, and unpublished at the release-prep version),
while every actual dependency (incl. [dev]/[http] extras, all on PyPI) is still
audited and pip-audit still exits non-zero on any CVE found. actionlint clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UyCRhjk4M9W1i7XP4VyiHN
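The two commits above trade `--strict` for `--skip-editable`, which also means pip-audit will no longer fail when some third-party distribution cannot be looked up. The gate below, an added example that is not relay-shell's or pip-audit's code, parses pip-audit's `--format json` report, accepts the editable project as the only skipped distribution, and fails on any other skip or any advisory; the report shape (entries carrying either `version` + `vulns` or `skip_reason`) and the sample data are assumptions.

```python
"""Gate a `pip-audit --skip-editable --format json` report (added example, not
relay-shell's or pip-audit's code). Without --strict, pip-audit no longer fails
when a distribution could not be audited; this re-adds that check for every
distribution except the local editable project."""
import json
import subprocess
import sys

PROJECT = "relay-shell"  # the editable project, the only skip the gate accepts


def evaluate_audit(report_text: str, project: str = PROJECT) -> list[str]:
    """Return gate failures; an empty list means the audit passes.

    Assumed report shape (pip-audit --format json): "dependencies" is a list
    whose entries carry either "version" + "vulns" or a "skip_reason".
    """
    failures: list[str] = []
    for dep in json.loads(report_text).get("dependencies", []):
        name = dep["name"]
        if "skip_reason" in dep:
            # Only the project itself may be skipped; any other skip means a
            # real dependency went unaudited, which --strict used to catch.
            if name != project:
                failures.append(f"{name}: not audited ({dep['skip_reason']})")
            continue
        for vuln in dep.get("vulns", []):
            fix = ", ".join(vuln.get("fix_versions", [])) or "no fix published"
            failures.append(f"{name} {dep['version']}: {vuln['id']} (fix: {fix})")
    return failures


def run_gate(project: str = PROJECT) -> int:
    """Run pip-audit in the current environment; return the CI exit code."""
    proc = subprocess.run(["pip-audit", "--skip-editable", "--format", "json"],
                          capture_output=True, text=True, check=False)
    failures = evaluate_audit(proc.stdout, project)
    print("\n".join(failures) or "pip-audit: no findings", file=sys.stderr)
    return 1 if failures else 0


# Constructed sample report: project skipped (accepted), one clean dependency,
# one with a placeholder advisory, and one that could not be looked up.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "relay-shell", "skip_reason": "distribution marked as editable"},
    {"name": "some-dep", "version": "2.0.0", "vulns": []},
    {"name": "example-lib", "version": "1.0.0", "vulns": [
        {"id": "PYSEC-EXAMPLE-0001", "fix_versions": ["1.0.1"], "aliases": [],
         "description": "constructed placeholder advisory"}]},
    {"name": "private-pkg", "skip_reason": "Dependency not found on PyPI"},
]})

if __name__ == "__main__":
    sys.exit(run_gate())
```

Running `evaluate_audit(SAMPLE_REPORT)` reports the placeholder advisory and the unaudited `private-pkg`, while a report whose only skipped entry is `relay-shell` passes.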
What

Stages the v0.2.0 release in-repo. This does not tag or publish — the signed-tag push and `pypi` environment approval remain the maintainer's step (runbook §6.6). It's a MINOR bump per SemVer: the [Unreleased] block is backwards-compatible new features + fixes (new env vars/settings, redaction coverage, --verify-audit, seccomp-notify, deploy hardening), no breaking changes, and the 21-tool contract is unchanged.

Changes

- `pyproject.toml` and `src/relay_shell/__init__.py`: 0.1.0 → 0.2.0 (kept in sync; `server_info` reports it; consistency asserted in the gate).
- CHANGELOG.md: [Unreleased] content is stamped `[0.2.0] - 2026-06-21` with a fresh empty [Unreleased] above it, and the Keep-a-Changelog version-compare links are added at the foot — this closes the DOC-5 deferral (which was waiting on a second release existing).
- README.md status line: v0.1.0 → v0.2.0; last-validated date refreshed to 2026-06-21 to match the ADR 0005 validation pass recorded this cycle.

To actually cut the release (your step, per runbook §6.6)

After merge: `git tag -s v0.2.0 -m "Release v0.2.0"` → `git push origin v0.2.0` → approve the `pypi` environment when prompted. That exercises `release.yml` (build + SLSA attestation + PyPI OIDC publish) and `sbom.yml` (SBOM + the new #113 attestation). Confirm the pypi.org trusted-publisher claim is configured first (§6.6 has the form values) — the one B-005 step I can't verify from here.

Validation

`ruff` / `ruff format --check` / `mypy --strict` clean; pytest 374 passed; `pyproject.version == __version__ == 0.2.0` verified.

Rollback

Revert; metadata/docs only, no runtime behavior change.
🤖 Generated with Claude Code