
release: prepare v0.2.0 (version, CHANGELOG, supported-versions, compare links)#116

Merged
rmednitzer merged 3 commits into
mainfrom
claude/release-v0.2.0-2026-06-21
Jun 21, 2026

Conversation

@rmednitzer

Owner

What

Stages the v0.2.0 release in-repo. This does not tag or publish — the signed-tag push and pypi environment approval remain the maintainer's step (runbook §6.6). It's a MINOR bump per SemVer: the [Unreleased] block is backwards-compatible new features + fixes (new env vars/settings, redaction coverage, --verify-audit, seccomp-notify, deploy hardening), no breaking changes, and the 21-tool contract is unchanged.

Changes

  • Version → 0.2.0 in pyproject.toml and src/relay_shell/__init__.py (kept in sync; server_info reports it; consistency asserted in the gate).
  • CHANGELOG: the accumulated [Unreleased] content is stamped [0.2.0] - 2026-06-21 with a fresh empty [Unreleased] above it, and the Keep-a-Changelog version-compare links are added at the foot — this closes the DOC-5 deferral (which was waiting on a second release existing).
  • SECURITY.md: added the "Supported versions" table — the runbook §8.2 item that was explicitly deferred "until the project tags a second release." Pre-1.0, only the latest minor (0.2.x) is patched.
  • README status line: v0.1.0 → v0.2.0; last-validated date refreshed to 2026-06-21 to match the ADR 0005 validation pass recorded this cycle.

To actually cut the release (your step, per runbook §6.6)

After merge: git tag -s v0.2.0 -m "Release v0.2.0" → git push origin v0.2.0 → approve the pypi environment when prompted. That exercises release.yml (build + SLSA attestation + PyPI OIDC publish) and sbom.yml (SBOM + the new #113 attestation). Confirm the pypi.org trusted-publisher claim is configured first (§6.6 has the form values) — the one B-005 step I can't verify from here.

Validation

ruff / ruff format --check / mypy --strict clean; pytest 374 passed; pyproject.version == __version__ == 0.2.0 verified.

Rollback

Revert; metadata/docs only, no runtime behavior change.

🤖 Generated with Claude Code
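The version-consistency gate the Validation line above refers to (pyproject version == __version__), written out as an added example. This is not relay-shell's own gate code; it assumes the file layout the PR names (pyproject.toml and src/relay_shell/__init__.py), builds a throwaway copy of both files in a temp dir so it runs offline, and adds a plain-X.Y.Z guard that the PR does not state but that stops a dev/rc string from reaching the signed-tag step.

```python
"""Release gate: pyproject.toml version must equal the package __version__.

Added example, not relay-shell's gate code. The layout (pyproject.toml,
src/<pkg>/__init__.py) and the constructed file contents in demo() are
assumptions made so the check runs stand-alone.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: fall back to a regex below
    tomllib = None

# Only a plain release segment may be tagged; "0.2.0.dev0" or "v0.2.0" is refused.
_RELEASE = re.compile(r"^\d+\.\d+\.\d+$")
_DUNDER = re.compile(r'^__version__\s*=\s*["\']([^"\']+)["\']', re.M)


def pyproject_version(path: Path) -> str:
    """[project].version from pyproject.toml."""
    text = path.read_text(encoding="utf-8")
    if tomllib is not None:
        return tomllib.loads(text)["project"]["version"]
    m = re.search(r'^version\s*=\s*"([^"]+)"', text, re.M)
    if not m:
        raise ValueError("no [project] version in pyproject.toml")
    return m.group(1)


def dunder_version(path: Path) -> str:
    """__version__ = "..." from the package __init__.py."""
    m = _DUNDER.search(path.read_text(encoding="utf-8"))
    if not m:
        raise ValueError(f"no __version__ in {path}")
    return m.group(1)


def check_release(root: Path, package: str, expected: str | None = None) -> str:
    """Return the agreed version, or raise AssertionError describing the drift."""
    a = pyproject_version(root / "pyproject.toml")
    b = dunder_version(root / "src" / package / "__init__.py")
    if a != b:
        raise AssertionError(f"version drift: pyproject={a} __version__={b}")
    if not _RELEASE.match(a):
        raise AssertionError(f"{a!r} is not a plain X.Y.Z release version")
    if expected is not None and a != expected:
        raise AssertionError(f"expected {expected}, found {a}")
    return a


def tag_for(version: str) -> str:
    """Tag name the release step pushes for an agreed version: v<version>."""
    return f"v{version}"


def demo(pyproject_ver: str = "0.2.0", dunder_ver: str = "0.2.0") -> str:
    """Constructed mini-repo; returns the agreed version or the gate's error text."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pyproject.toml").write_text(
            f'[project]\nname = "relay-shell"\nversion = "{pyproject_ver}"\n'
        )
        pkg = root / "src" / "relay_shell"
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text(f'__version__ = "{dunder_ver}"\n')
        try:
            return check_release(root, "relay_shell")
        except AssertionError as e:
            return f"BLOCKED: {e}"


if __name__ == "__main__":
    print(demo())                             # 0.2.0
    print(demo("0.2.0", "0.1.0"))             # BLOCKED: version drift ...
    print(demo("0.2.0.dev0", "0.2.0.dev0"))   # BLOCKED: ... not a plain X.Y.Z ...
```

Run it against a real checkout with check_release(Path("."), "relay_shell", expected="0.2.0") before the git tag -s step; the optional expected argument pins the gate to the version the tag name will carry.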

rmednitzer and others added 3 commits June 21, 2026 17:58
…sions, compare links)

Stages the v0.2.0 release in-repo. Does NOT tag or publish — the signed tag
push + `pypi` environment approval remain the maintainer's step (runbook §6.6).
MINOR bump per SemVer: the [Unreleased] block is backwards-compatible new
features + fixes (new env vars/settings, redaction coverage, --verify-audit,
seccomp-notify, deploy hardening), no breaking changes and the 21-tool
contract is unchanged.

- pyproject.toml + src/relay_shell/__init__.py: 0.1.0 -> 0.2.0 (kept in sync;
  server_info reports it).
- CHANGELOG.md: the accumulated [Unreleased] content is stamped
  `[0.2.0] - 2026-06-21`; a fresh empty [Unreleased] opens above it. Added the
  Keep-a-Changelog version-compare link references at the foot (closes the
  DOC-5 deferral — now that a second release exists).
- SECURITY.md: added the "Supported versions" table (the runbook §8.2 item,
  deferred until a second release existed) — pre-1.0, only the latest minor
  (0.2.x) is patched.
- README.md status line: v0.1.0 -> v0.2.0; last-validated date refreshed to
  2026-06-21 to match the ADR 0005 validation pass recorded this cycle.

Gate: ruff / ruff format / mypy --strict clean; pytest 374 passed; pyproject
version == __version__ == 0.2.0 verified.

Rollback: revert; this is metadata/docs only, no runtime behavior change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UyCRhjk4M9W1i7XP4VyiHN
…on bump doesn't fail --strict

The release-prep version bump (0.1.0 -> 0.2.0) made `pip-audit --strict` fail:

    ERROR: relay-shell: Dependency not found on PyPI and could not be audited:
    relay-shell (0.2.0)

pip-audit looks each installed distribution up on PyPI for known CVEs. The
local `relay-shell` is installed editable; 0.1.0 happens to be published so it
audited fine, but the unreleased 0.2.0 is not on PyPI, so --strict errors.
Auditing the project against itself is not the intent — pip-audit is here to
scan the third-party dependency graph for CVEs. `--skip-editable` excludes the
editable local install while still auditing every pinned dependency (incl. the
[dev]/[http] extras). This also makes every future release-prep bump robust.

actionlint clean. Folded into this release PR because the bump is what surfaces
the gap.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UyCRhjk4M9W1i7XP4VyiHN
…r fix)

The previous attempt (`--strict --skip-editable`) still failed:

    ERROR: relay-shell: distribution marked as editable

`--strict` treats the skipped editable project as an incomplete audit and
errors, so it is incompatible with `--skip-editable`. Drop `--strict`:
`--skip-editable` excludes only the local editable `relay-shell` (the project,
not a third-party dependency, and unpublished at the release-prep version),
while every actual dependency (incl. [dev]/[http] extras, all on PyPI) is still
audited and pip-audit still exits non-zero on any CVE found. actionlint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01UyCRhjk4M9W1i7XP4VyiHN
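How an audit step tells the editable project install apart from the third-party dependencies it should query on PyPI, as an added example and not pip-audit's own code. Assumption: editable installs are recognised the PEP 610 way, via a direct_url.json in the .dist-info whose dir_info.editable is true. The site-packages directory, the dependency names and versions, and the "published" index are constructed here so the block runs offline; it shows why the unpublished 0.2.0 project install trips a strict run and why skipping it leaves every real dependency in the audit list.

```python
"""Audit targets with editable installs skipped (PEP 610 direct_url.json).

Added example, not pip-audit's implementation. Everything under the temp
directory (dist-info dirs, names, versions, the 'published' index) is
constructed for the demo.
"""
from __future__ import annotations

import json
import tempfile
from importlib.metadata import Distribution, distributions
from pathlib import Path


def is_editable(dist: Distribution) -> bool:
    """PEP 610: an editable install carries direct_url.json with dir_info.editable."""
    raw = dist.read_text("direct_url.json")
    if raw is None:
        return False
    try:
        info = json.loads(raw)
    except json.JSONDecodeError:
        return False
    return bool(info.get("dir_info", {}).get("editable"))


def audit_targets(site_packages: Path, skip_editable: bool = True) -> dict[str, str]:
    """name -> version of every distribution that would be looked up on PyPI."""
    targets: dict[str, str] = {}
    for dist in distributions(path=[str(site_packages)]):
        if skip_editable and is_editable(dist):
            continue  # the project itself, not a third-party dependency
        targets[dist.metadata["Name"]] = dist.version
    return targets


def unpublished(targets: dict[str, str], published: set[tuple[str, str]]) -> list[str]:
    """Targets a strict run would refuse because (name, version) is not on the index."""
    return sorted(n for n, v in targets.items() if (n, v) not in published)


def _fake_dist(site: Path, name: str, version: str, editable_dir: str | None = None) -> None:
    """Write a minimal .dist-info; editable_dir adds the PEP 610 marker."""
    info = site / f"{name.replace('-', '_')}-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n"
    )
    if editable_dir is not None:
        (info / "direct_url.json").write_text(
            json.dumps({"url": f"file://{editable_dir}", "dir_info": {"editable": True}})
        )


def demo(skip_editable: bool = True) -> dict[str, str]:
    """Constructed site-packages: the editable project plus two pinned deps."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d) / "site-packages"
        src = Path(d) / "src"
        src.mkdir()
        _fake_dist(site, "relay-shell", "0.2.0", editable_dir=str(src))
        _fake_dist(site, "requests", "2.32.3")   # constructed versions
        _fake_dist(site, "ruff", "0.5.0")
        return audit_targets(site, skip_editable)


# Constructed stand-in for the index: 0.1.0 is published, 0.2.0 is not yet.
PUBLISHED = {("relay-shell", "0.1.0"), ("requests", "2.32.3"), ("ruff", "0.5.0")}

if __name__ == "__main__":
    print(demo())                                          # deps only
    print(unpublished(demo(skip_editable=False), PUBLISHED))  # ['relay-shell']
```

With skip_editable=False the project's own 0.2.0 lands in the target list and is the one entry unpublished() flags, which is the strict-mode error the second commit hit; with the default the list is exactly the third-party dependencies, so a real CVE in any of them still fails the step.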
@rmednitzer rmednitzer merged commit 10ee165 into main Jun 21, 2026
8 checks passed
@rmednitzer rmednitzer deleted the claude/release-v0.2.0-2026-06-21 branch June 21, 2026 16:13