ci: add release workflow rehearsal

squaeragent · squaeragent · commit 64f52e999da5 · 2026-05-04T07:50:07.000+07:00
diff --git a/.github/RELEASE_TEMPLATE.md b/.github/RELEASE_TEMPLATE.md
@@ -29,6 +29,7 @@ just paper-api-smoke
 - [ ] `just registry-readiness`
 - [ ] `just release-rehearsal`
 - [ ] `just draft-release-rehearsal`
+- [ ] `scripts/release_workflow_rehearsal.sh --execute` has passed for a temporary rehearsal tag, or this release explains why the high-fidelity tag workflow drill was intentionally skipped.
 - [ ] Draft GitHub Release contains the Python package, CLI binaries, paper image tarball, and `SHA256SUMS`.
 - [ ] `scripts/release_verify.py <downloaded-release-dir>` passes.
 - [ ] `SBOM.spdx.json` and `PROVENANCE.json` are attached and included in `SHA256SUMS`.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -152,6 +152,7 @@ jobs:
           test -x scripts/network_proof_pack.py
           test -x scripts/release_rehearsal.sh
           test -x scripts/draft_release_rehearsal.sh
+          test -x scripts/release_workflow_rehearsal.sh
           test -x scripts/railway_start.sh
           test -x scripts/railway_doctor.py
           test -x scripts/deployment_identity_evidence.py
diff --git a/docs/distribution.md b/docs/distribution.md
@@ -123,6 +123,22 @@ fresh directory, verifies the bundle, renders the Homebrew formula, then deletes
 the draft release and temporary tag. This proves the rollback motion without
 publishing a package registry, Homebrew tap, or production release.
 
+## Tag Workflow Rehearsal
+
+After changing `.github/workflows/release.yml`, run the full tag-triggered
+release workflow drill:
+
+```bash
+scripts/release_workflow_rehearsal.sh --execute
+```
+
+The drill creates a temporary prerelease tag on `origin/main`, waits for the
+real release workflow, verifies the `public-proof` job and all artifact jobs,
+downloads the generated draft GitHub Release, checks `SHA256SUMS`, runs
+`scripts/release_verify.py`, verifies executable attestations, renders the
+Homebrew formula, then deletes the draft release and tag. It does not publish
+package registries, Homebrew taps, or production releases.
+
 ## Registry Rollback
 
 If a package is unsafe:
diff --git a/docs/llms-full.txt b/docs/llms-full.txt
@@ -6574,6 +6574,23 @@ Homebrew formula from the fresh download, then deletes the draft release and its
 temporary tag. Use `--keep` only when a maintainer needs to inspect the draft
 release manually.
 
+## Tag Workflow Rehearsal
+
+Before the first public release candidate, and after any material release
+workflow change, run the high-fidelity GitHub tag workflow drill:
+
+```bash
+scripts/release_workflow_rehearsal.sh --execute
+```
+
+The script creates a temporary prerelease tag on `origin/main`, waits for the
+real `.github/workflows/release.yml` run, verifies that `public-proof`,
+registry-readiness, package builds, CLI builds, container smoke, and draft
+release assembly all succeeded, downloads the generated draft release from
+GitHub, verifies checksums, release provenance, Homebrew formula rendering, and
+executable attestations, then deletes the draft release and temporary tag. Use
+`--keep` only when a maintainer needs to inspect the temporary draft manually.
+
 ## Current Automation
 
 `.github/workflows/release.yml` runs on tags shaped like `v*.*.*` and builds:
@@ -6593,6 +6610,8 @@ release manually.
   checksum manifest
 - Dry-run draft release rollback rehearsal in CI; execute mode remains
   maintainer-triggered only
+- Maintainer-triggered tag workflow rehearsal through
+  `scripts/release_workflow_rehearsal.sh --execute`
 
 The workflow uploads artifacts to the GitHub Actions run and attaches the
 assembled release bundle to a draft GitHub Release. It does not publish to PyPI,
diff --git a/docs/release.md b/docs/release.md
@@ -215,6 +215,23 @@ Homebrew formula from the fresh download, then deletes the draft release and its
 temporary tag. Use `--keep` only when a maintainer needs to inspect the draft
 release manually.
 
+## Tag Workflow Rehearsal
+
+Before the first public release candidate, and after any material release
+workflow change, run the high-fidelity GitHub tag workflow drill:
+
+```bash
+scripts/release_workflow_rehearsal.sh --execute
+```
+
+The script creates a temporary prerelease tag on `origin/main`, waits for the
+real `.github/workflows/release.yml` run, verifies that `public-proof`,
+registry-readiness, package builds, CLI builds, container smoke, and draft
+release assembly all succeeded, downloads the generated draft release from
+GitHub, verifies checksums, release provenance, Homebrew formula rendering, and
+executable attestations, then deletes the draft release and temporary tag. Use
+`--keep` only when a maintainer needs to inspect the temporary draft manually.
+
 ## Current Automation
 
 `.github/workflows/release.yml` runs on tags shaped like `v*.*.*` and builds:
@@ -234,6 +251,8 @@ release manually.
   checksum manifest
 - Dry-run draft release rollback rehearsal in CI; execute mode remains
   maintainer-triggered only
+- Maintainer-triggered tag workflow rehearsal through
+  `scripts/release_workflow_rehearsal.sh --execute`
 
 The workflow uploads artifacts to the GitHub Actions run and attaches the
 assembled release bundle to a draft GitHub Release. It does not publish to PyPI,
diff --git a/justfile b/justfile
@@ -173,6 +173,9 @@ public-proof:
 draft-release-rehearsal:
     scripts/draft_release_rehearsal.sh
 
+release-workflow-rehearsal:
+    scripts/release_workflow_rehearsal.sh
+
 homebrew-formula release_dir tag:
     scripts/homebrew_formula.py "{{release_dir}}" --tag "{{tag}}"
 
@@ -385,6 +388,7 @@ docs-check:
     test -x scripts/network_proof_pack.py
     test -x scripts/release_rehearsal.sh
     test -x scripts/draft_release_rehearsal.sh
+    test -x scripts/release_workflow_rehearsal.sh
     test -x scripts/hardening_gate.sh
     test -x scripts/public_readiness_gate.sh
     test -x scripts/railway_start.sh
diff --git a/scripts/hardening_gate.sh b/scripts/hardening_gate.sh
@@ -161,8 +161,12 @@ contains "just public-proof" docs/release.md
 contains "just public-proof" .github/RELEASE_TEMPLATE.md
 contains "public-proof" .github/workflows/release.yml
 contains "release-preflight" justfile
+contains "release-workflow-rehearsal" justfile
 contains "just release-preflight" docs/release.md
 contains "just release-preflight" .github/RELEASE_TEMPLATE.md
+contains "release_workflow_rehearsal.sh --execute" docs/release.md
+contains "release_workflow_rehearsal.sh --execute" docs/distribution.md
+contains "release_workflow_rehearsal.sh --execute" .github/RELEASE_TEMPLATE.md
 contains "Stewardship Pledge" GOVERNANCE.md
 contains "CODEOWNERS" GOVERNANCE.md
 contains "Review Ownership" docs/review-ownership.md
@@ -214,6 +218,7 @@ bash -n scripts/install.sh
 bash -n scripts/package_dry_run.sh
 bash -n scripts/release_rehearsal.sh
 bash -n scripts/draft_release_rehearsal.sh
+bash -n scripts/release_workflow_rehearsal.sh
 bash -n scripts/paper_api_smoke.sh
 bash -n scripts/fresh_clone_rehearsal.sh
 bash -n scripts/railway_smoke.sh
diff --git a/scripts/release_workflow_rehearsal.sh b/scripts/release_workflow_rehearsal.sh
