
Releasing

AgentGuard SDK publishing is tag-triggered. Push a vX.Y.Z tag after the release-prep PR lands on main. Release announcements run only after the package publishes and the GitHub Release exists.

| Workflow | What it does |
| --- | --- |
| publish.yml | Verifies the tag matches sdk/pyproject.toml, runs lint, Bandit and pytest, builds the wheel, publishes agentguard47 to PyPI, then creates or verifies the GitHub Release in a separate post-publish job. |
| release-content.yml | Runs from an explicit workflow_dispatch after publish, or from a manual release.published event, and posts optional release announcements. It skips safely when Discussions or dashboard credentials are unavailable. |

Cut A Release

  1. Land all intended release PRs on main.

  2. Bump sdk/pyproject.toml.

  3. Move CHANGELOG.md entries from Unreleased into X.Y.Z.

  4. Update release markers checked by scripts/sdk_release_guard.py.

  5. Regenerate the package README:

    python scripts/generate_pypi_readme.py --write

  6. Run the local gates:

    make release-guard
    make check
    make structural
    make security

  7. Merge the release-prep PR.

  8. Tag the merge commit. Verify the version from HEAD before pushing:

    git checkout main
    git pull --ff-only
    # tomllib is stdlib from Python 3.11 on; read the version from the checked-out pyproject
    VERSION=$(python -c "import tomllib; print(tomllib.load(open('sdk/pyproject.toml','rb'))['project']['version'])")
    # refuse to tag unless HEAD's pyproject contains exactly this version line
    git show HEAD:sdk/pyproject.toml | grep -Fx "version = \"$VERSION\"" || exit 1
    git tag "v$VERSION"
    git push origin "v$VERSION"

  9. Watch the tag workflow. The GitHub Release job starts only after PyPI publish succeeds. If the post-publish GitHub Release or announcement step fails, rerun that failed job instead of republishing the package.

If a tag exists but PyPI publish failed before a GitHub Release was created, prefer cutting the next patch version from current main. Do not force-move or delete a public release tag unless the repo owner explicitly approves it. The release workflow generates notes from the last published GitHub Release, not the last raw git tag, so a stale failed tag will not truncate public notes.

Verification

After the workflows finish:

  • Confirm gh release view vX.Y.Z --repo bmdhodl/agent47 succeeds.
  • Confirm python -m pip index versions agentguard47 reports the new version.
  • Install the published wheel in a clean venv and run agentguard doctor, agentguard demo, agentguard quickstart --framework raw --write, the generated file, and agentguard report.
  • Confirm PyPI files show Trusted Publishing provenance and attestations.
  • Confirm the Release Content - Auto-generate announcements workflow ran for the same tag, or skipped only optional destinations because Discussions or dashboard credentials were unavailable.

Release Notes

GitHub release notes are public. Keep PR titles and generated categories clear:

  • No customer, revenue, or private roadmap claims.
  • No internal-only incident language.
  • No security admissions beyond what is already public.
  • Use labels from .github/release.yml before merging PRs.