Parent: #250
Blocked by: #252
Agent brief — tier: medium, owner-supervised. This issue performs the first real Action release.
Goal
Publish an immutable GitHub Action release tag, verify the Action from a separate repository, and only then move the protected major tag through the manual workflow.
Preconditions
Immutable release tag
Create:
Requirements:
- tag points to the intended release commit;
- tag is never moved or recreated;
- tag namespace remains distinct from CLI tags (
owen-cli-v*);
- release-tag validation succeeds.
External consumer repository
Create or use a minimal separate public repository containing:
- a known leaking C# sample;
- a known clean C# sample;
- a workflow using the immutable Action tag:
uses: PhysShell/Own.NET@vX.Y.Z
The external workflow must not use:
uses: ./;
- a checkout of Own.NET as its implementation source;
- a local composite-action path;
- a locally built CLI package.
External assertions
Verify:
- Leak sample causes the Action step to fail for the expected finding.
- The workflow explicitly asserts that this failure is expected rather than swallowing arbitrary failure.
- Clean sample succeeds.
- SARIF is non-empty and accepted by GitHub Code Scanning.
- SARIF tool identity is
Owen.
- The workflow fetches the exact immutable Action tag.
Major-tag movement
Only after the immutable external consumer run succeeds:
- Manually dispatch the existing major-tag workflow.
- Target the immutable release tag.
- Approve the protected
action-major-tag-move deployment.
- Peel annotated tags to the release commit before updating the major ref.
- Verify:
v0 -> release commit for v0.x.y
Failure policy
- Never repair a broken immutable tag by moving it.
- Fix defects in a new patch tag.
- Do not move the major tag to a release that failed the external consumer workflow.
- Do not treat internal
uses: ./ dogfood as sufficient external proof.
Guardrails
- No analyzer behavior changes.
- No NuGet publication in this issue.
- No automatic major-tag movement.
- No dynamic/untrusted shell interpolation of tag inputs.
- No broad Marketplace marketing work; this is release correctness and verification.
Acceptance
- Immutable
vX.Y.Z exists and remains fixed.
- Separate consumer repository successfully invokes
PhysShell/Own.NET@vX.Y.Z.
- Leak, clean and SARIF controls pass as specified.
- Code Scanning accepts the uploaded SARIF.
- Protected workflow moves the major tag to the peeled release commit.
- Evidence links the immutable tag, external workflow run, Code Scanning result and major-tag workflow run.
Parent: #250
Blocked by: #252
Agent brief — tier: medium, owner-supervised. This issue performs the first real Action release.
Goal
Publish an immutable GitHub Action release tag, verify the Action from a separate repository, and only then move the protected major tag through the manual workflow.
Preconditions
action-major-tag-moveEnvironment exists with required reviewers.Immutable release tag
Create:
Requirements:
owen-cli-v*);External consumer repository
Create or use a minimal separate public repository containing:
The external workflow must not use:
uses: ./;External assertions
Verify:
Owen.Major-tag movement
Only after the immutable external consumer run succeeds:
action-major-tag-movedeployment.Failure policy
uses: ./dogfood as sufficient external proof.Guardrails
Acceptance
vX.Y.Zexists and remains fixed.PhysShell/Own.NET@vX.Y.Z.