feat(owen-cli): release-readiness pipeline, rebuilt against the Owen facade (P-013)#247
Conversation
…facade (P-013) Rebuild of PR #244's release-prep work directly against post-#246 main, using the Owen public identity throughout instead of the pre-rebrand ownsharp/OwnSharp.Cli names PR #244 used (per review: do not merge the old-brand version, rebuild it against the merged facade). Package metadata (OwnSharp.Cli.csproj) — added Authors, PackageProjectUrl, RepositoryUrl, RepositoryType, PackageTags, PackageReadmeFile, and deterministic-pack properties (Deterministic, ContinuousIntegrationBuild) on top of #246's already-Owen-branded PackageId/ToolCommandName/Description -- these are additive metadata, not a rebrand of what #246 already set. PackageLicenseExpression is deliberately left unset: the repository has no LICENSE file, and choosing one is the repository owner's call, not this session's -- flagged as the first blocker in the release checklist, not resolved unilaterally. New release workflow (.github/workflows/owen-cli-release.yml, replacing PR #244's ownsharp-cli-release.yml under the Owen tag namespace owen-cli-v*): build-test-pack -> smoke-test (ubuntu + windows) -> publish. The smoke-test job installs and exercises the already-packed Owen.Cli artifact from build-test-pack's upload -- no checkout, no rebuild, no invocation of the pre-rebrand `ownsharp` command -- verifying `owen --version`, a leak sample (exit 1, OWN001), a clean sample (exit 0), the OWEN_PYTHON-not-found actionable-failure path (exit 3), and a full uninstall/reinstall cycle. Publish still requires both a pushed owen-cli-v* tag (workflow_dispatch can never reach it) and a `nuget-release` GitHub Environment a repo admin has to configure with required reviewers -- it doesn't exist yet. Internal filenames (ownsharp.dll, ownsharp-extract.dll -- the real, unmodified AssemblyName-derived output, per #246's established internal/ public split) are intentionally left as-is in the package-content inspection step; only the public package ID, command name, tag namespace, and env var are Owen-branded. docs/notes/owen-cli-release.md (replacing PR #244's ownsharp-cli-release.md) documents the versioning policy, the verified determinism findings (re-verified against this exact source: two packs, byte-for-byte identical payload, only NuGet's own per-pack OPC wrapper GUID differs), the metadata audit, and the release checklist -- including the license blocker addressed explicitly to the repository owner. Every step in the new workflow was manually replicated and verified locally before being encoded: dotnet pack (twice, for determinism) -> diff unzipped payload -> package-content inspection -> isolated-feed install -> owen --version / leak / clean / OWEN_PYTHON-not-found / uninstall-reinstall, all matching what the workflow asserts. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughAdds Owen.Cli package metadata and deterministic packing, a gated multi-platform release workflow, an offline environment-protection predicate with fixtures, and documentation for versioning, publishing, and release checks. ChangesOwen.Cli release
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant GitHubActions
participant BuildTestPack
participant SmokeTest
participant Publish
participant NuGet
GitHubActions->>BuildTestPack: Build, test, pack, and inspect artifact
BuildTestPack->>SmokeTest: Provide packed nupkg
SmokeTest->>SmokeTest: Install and run on Ubuntu and Windows
SmokeTest->>Publish: Complete smoke tests
Publish->>Publish: Validate required reviewers
Publish->>NuGet: Push packaged artifact
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9c79c19d63
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| # publish"). Requiring event_name == 'push' closes that hole. | ||
| if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/owen-cli-v') | ||
| runs-on: ubuntu-latest | ||
| environment: nuget-release |
There was a problem hiding this comment.
Do not rely on an unconfigured environment gate
When nuget-release has not been pre-created with required reviewers (the comments/docs say it does not exist yet), this line does not create a manual approval gate: GitHub documents that referencing a missing environment creates it and that the newly created environment has “no protection rules or secrets configured” (https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments#creating-an-environment). If NUGET_API_KEY is present as a repository secret, a matching owen-cli-v* tag push can reach dotnet nuget push without the approval this workflow promises; fail the job unless the protected environment already exists or require the key only as a protected environment secret.
Useful? React with 👍 / 👎.
Codex review (P1): GitHub auto-creates a referenced-but-never-configured environment on first use, with zero protection rules. `environment: nuget-release` alone is therefore not proof a human ever approves this job -- if the environment is never actually set up under Settings -> Environments and NUGET_API_KEY already exists as a repository secret, a tag push could reach `dotnet nuget push` with no approval at all, silently defeating the safety story the workflow documents. The publish job's first step now queries the GitHub API for the environment's protection_rules and refuses to publish -- fails loudly, before the artifact is even downloaded -- when that array is empty, converting "never configured" from a silent bypass into a loud failure. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
Two independent review findings, both closed: 1. owen-cli-release.yml only triggered on tag push / workflow_dispatch, so a green PR check never actually ran build-test-pack -> smoke-test on either OS -- only a real tag push did, and PRs never push tags. Added a pull_request trigger scoped to the paths that matter (the CLI/extractor projects, ownlang, the workflow file itself, the shared protection script). The publish job's existing tag-push condition is unchanged, so it stays skipped on pull_request exactly as it already was on workflow_dispatch. 2. The environment-protection check (`.protection_rules | length`) accepted ANY protection rule -- a wait_timer-only or branch_policy-only environment, or a required_reviewers rule saved with zero reviewers, none of which actually gate on a human. Extracted the real predicate into scripts/check_environment_protection.sh: accepts only a required_reviewers rule with >=1 reviewer. The publish job now checks out just scripts/ (sparse), fetches the environment via `gh api` into a file, and calls the script. Its permissions gained `actions: read`, which the environment-read endpoint requires alongside `contents: read`. Fixture-driven, offline test in ci.yml's new environment-protection-selftest job (runs on every ordinary push/PR, no GitHub API or real Environment needed): zero rules, wait_timer-only, branch_policy-only, and required_reviewers-with-zero-reviewers all reject; required_reviewers with one reviewer accepts. The same script and fixtures will also back action-marketplace-readiness.yml's analogous move-major-tag check (PR #248, stacked on this branch for now -- duplication is temporary until #247 merges and #248 rebases cleanly onto main). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
…ction rule Follow-up review finding: the environment-protection check (`.protection_rules | length`) accepted ANY protection rule -- a wait_timer-only or branch_policy-only environment, or a required_reviewers rule saved with zero reviewers, none of which actually gate on a human. move-major-tag now checks out the repo first (moved ahead of the protection check, since it now needs a repo file), fetches the action-major-tag-move environment via `gh api` into a file, and calls scripts/check_environment_protection.sh -- the same shared, fixture-tested predicate owen-cli-release.yml's publish job uses, which only accepts a required_reviewers rule with >=1 reviewer. permissions gained actions:read, which the environment-read endpoint requires alongside contents:write. This branch is currently stacked on claude/owen-cli-release-prep-2026-07-12 (PR #247) to pick up the shared script/fixtures/ci.yml selftest -- it will be rebased cleanly onto main once #247 merges, per the reviewer's stated merge order. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/workflows/owen-cli-release.yml (3)
181-182: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winSame expression-interpolation pattern repeats across
smoke-test.
${{ needs.build-test-pack.outputs.version }}is inlined directly intorun:scripts at lines 182, 200-201, 246, and 248 — same script-injection anti-pattern as above, flagged by zizmor at each site. Recommend consolidating into oneenv:block per step (or a single job-levelenv:) and referencing$OWEN_CLI_VERSIONinstead.🔒 Proposed fix (representative — apply to all four sites)
- name: dotnet tool install --global from the packed artifact (isolated source) - run: dotnet tool install --global Owen.Cli --version "${{ needs.build-test-pack.outputs.version }}" --configfile "$RUNNER_TEMP/isolated-nuget.config" + env: + OWEN_CLI_VERSION: ${{ needs.build-test-pack.outputs.version }} + run: dotnet tool install --global Owen.Cli --version "$OWEN_CLI_VERSION" --configfile "$RUNNER_TEMP/isolated-nuget.config" ... - name: owen --version reports the released version + env: + OWEN_CLI_VERSION: ${{ needs.build-test-pack.outputs.version }} run: | out=$(owen --version) - [ "$out" = "${{ needs.build-test-pack.outputs.version }}" ] \ - || { echo "FAIL: owen --version printed '$out', expected '${{ needs.build-test-pack.outputs.version }}'"; exit 1; } + [ "$out" = "$OWEN_CLI_VERSION" ] \ + || { echo "FAIL: owen --version printed '$out', expected '$OWEN_CLI_VERSION'"; exit 1; } ... - name: Reinstall/update behavior — uninstall, then reinstall clean + env: + OWEN_CLI_VERSION: ${{ needs.build-test-pack.outputs.version }} run: | dotnet tool uninstall --global Owen.Cli ... - dotnet tool install --global Owen.Cli --version "${{ needs.build-test-pack.outputs.version }}" --configfile "$RUNNER_TEMP/isolated-nuget.config" + dotnet tool install --global Owen.Cli --version "$OWEN_CLI_VERSION" --configfile "$RUNNER_TEMP/isolated-nuget.config" out=$(owen --version) - [ "$out" = "${{ needs.build-test-pack.outputs.version }}" ] \ + [ "$out" = "$OWEN_CLI_VERSION" ] \ || { echo "FAIL: reinstalled owen --version printed '$out'"; exit 1; }Practical exploitability today is low — the
pull_requesttrigger already runs the PR's own workflow content (so an attacker doesn't need this indirection to run arbitrary code), andpush/workflow_dispatchruns use presumably-reviewed content — but the fix is cheap and removes the pattern zizmor is designed to catch.Also applies to: 197-201, 240-248
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/owen-cli-release.yml around lines 181 - 182, Replace direct `${{ needs.build-test-pack.outputs.version }}` interpolation in all four smoke-test run steps with an environment variable such as OWEN_CLI_VERSION, defined in each step’s env block or once at the job level, and reference `$OWEN_CLI_VERSION` in the scripts. Apply this consistently to the dotnet tool installation and subsequent smoke-test commands while preserving the existing version value.Source: Linters/SAST tools
307-313: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider NuGet Trusted Publishing instead of a long-lived
NUGET_API_KEY.NuGet.org now supports OIDC-based Trusted Publishing for GitHub Actions (GA since September 2025), which trades the long-lived
secrets.NUGET_API_KEYfor a short-lived, per-run token — no secret to store, rotate, or leak. Sincenuget-releaseisn't configured yet (per docs/notes/owen-cli-release.md's boundaries), this would be a good time to set it up this way rather than provisioning a durable API key first.permissions: contents: read actions: read id-token: write # required for OIDC steps: - uses: NuGet/login@v1 id: nuget-login with: user: ${{ secrets.NUGET_USER }} - run: dotnet nuget push "$nupkg" --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicateRequires a one-time Trusted Publishing policy setup on nuget.org tied to this repo/workflow — an owner-side decision similar to the license blocker already tracked, so this is worth flagging now rather than after
NUGET_API_KEYis provisioned.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/owen-cli-release.yml around lines 307 - 313, The NuGet release currently relies on the long-lived NUGET_API_KEY secret. Update the workflow permissions and NuGet publishing step to use NuGet Trusted Publishing via NuGet/login@v1 and its short-lived NUGET_API_KEY output, including the required id-token: write and actions: read permissions; record or flag the one-time nuget.org policy setup required for the nuget-release workflow.Source: Linters/SAST tools
91-101: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winRecommend env-var indirection to avoid literal expression expansion into the shell script.
csproj_version="${{ steps.version.outputs.version }}"is expanded by GitHub Actions as raw text into the script before bash runs it. Since this value isgrep'd straight out of the tracked csproj, and this same workflow triggers onpull_requestfor paths that include that csproj, a version string containing shell metacharacters could break out of the quoted assignment. Piping the value throughenv:instead keeps it as an opaque environment-variable value that bash never re-parses as script text.🔒 Proposed fix
- name: On a tag push, assert the tag matches the csproj Version if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/owen-cli-v') + env: + CSPROJ_VERSION: ${{ steps.version.outputs.version }} run: | tag_version="${GITHUB_REF_NAME#owen-cli-v}" - csproj_version="${{ steps.version.outputs.version }}" + csproj_version="$CSPROJ_VERSION" if [ "$tag_version" != "$csproj_version" ]; then🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/owen-cli-release.yml around lines 91 - 101, Update the tag/version assertion step around the shell variables tag_version and csproj_version to pass steps.version.outputs.version through the step’s env configuration, then read it from the environment inside the script instead of embedding the GitHub expression in the shell assignment. Preserve the existing comparison, error messages, and release failure behavior.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/notes/owen-cli-release.md`:
- Around line 133-135: Update the `publish` gate description in the release
notes to quote the complete condition, including `github.event_name == 'push'`
alongside the tag-prefix check. Preserve the explanation that
`workflow_dispatch` runs cannot reach `publish`, and ensure the wording does not
imply the tag check alone prevents dispatch bypasses.
---
Nitpick comments:
In @.github/workflows/owen-cli-release.yml:
- Around line 181-182: Replace direct `${{ needs.build-test-pack.outputs.version
}}` interpolation in all four smoke-test run steps with an environment variable
such as OWEN_CLI_VERSION, defined in each step’s env block or once at the job
level, and reference `$OWEN_CLI_VERSION` in the scripts. Apply this consistently
to the dotnet tool installation and subsequent smoke-test commands while
preserving the existing version value.
- Around line 307-313: The NuGet release currently relies on the long-lived
NUGET_API_KEY secret. Update the workflow permissions and NuGet publishing step
to use NuGet Trusted Publishing via NuGet/login@v1 and its short-lived
NUGET_API_KEY output, including the required id-token: write and actions: read
permissions; record or flag the one-time nuget.org policy setup required for the
nuget-release workflow.
- Around line 91-101: Update the tag/version assertion step around the shell
variables tag_version and csproj_version to pass steps.version.outputs.version
through the step’s env configuration, then read it from the environment inside
the script instead of embedding the GitHub expression in the shell assignment.
Preserve the existing comparison, error messages, and release failure behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 790c65a9-eaa0-4fcc-8fa7-9af6a65c8760
📒 Files selected for processing (11)
.github/workflows/ci.yml.github/workflows/owen-cli-release.ymldocs/notes/owen-cli-release.mdfrontend/roslyn/OwnSharp.Cli/OwnSharp.Cli.csprojfrontend/roslyn/OwnSharp.Cli/README.mdscripts/check_environment_protection.shscripts/fixtures/environment-protection/branch-policy-only.jsonscripts/fixtures/environment-protection/required-reviewers-empty.jsonscripts/fixtures/environment-protection/required-reviewers-with-reviewer.jsonscripts/fixtures/environment-protection/wait-timer-only.jsonscripts/fixtures/environment-protection/zero-rules.json
CodeRabbit review:
- docs/notes/owen-cli-release.md quoted the publish gate as just
`startsWith(github.ref, 'refs/tags/owen-cli-v')`, dropping the
`github.event_name == 'push'` half the workflow's own comment explains
is required to block a `workflow_dispatch --ref owen-cli-vX` bypass --
the exact scenario the doc's next sentence claimed was already
impossible. Quoted the real condition in full.
- `${{ steps.version.outputs.version }}` (grep'd from the csproj, which
this workflow now also builds on pull_request) and
`${{ needs.build-test-pack.outputs.version }}` were both inlined
directly into run: scripts at five sites -- the same
expression-into-shell-text pattern zizmor flags elsewhere in this repo.
Both now flow through env: (a job-level OWEN_CLI_VERSION for
smoke-test's four sites, a step-level CSPROJ_VERSION for the
tag/version-match assertion) instead of raw interpolation.
Not implemented: CodeRabbit's NuGet Trusted Publishing (OIDC) suggestion
for the publish step. Real publication is already blocked on the license
and Environment decisions the docs already flag as the repository owner's
call, not this session's; swapping the auth mechanism before either of
those is resolved is the same category of decision, not a code fix.
Re-verified locally end-to-end after the env: refactor: pack, isolated-feed
install, `owen --version`, and the full uninstall/reinstall cycle all still
pass with the version flowing through the environment instead of inline
interpolation.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
|
@coderabbitai review |
✅ Action performedReview finished.
|
…n facade (P-013 gate B) Rebase of PR #248 onto post-#247 main. New workflow (.github/workflows/action-marketplace-readiness.yml): consumer-simulation (uses: ./ against fixtures/marketplace-consumer-demo, not the precision-test corpus) -> validate-release-tag (immutable vX.Y.Z, gated on both event_name == 'push' and the ref prefix) -> move-major-tag (workflow_dispatch-only, environment-gated via the shared scripts/check_environment_protection.sh predicate #247 introduced, template-injection-safe input handling). docs/notes/action-marketplace-readiness.md documents the versioning policy, the consumer-simulation fixture rationale, and two prior review corrections (environment auto-creation with zero rules; predicate tightened to required_reviewers-only). README.md/README.ru.md get a casing fix (PhysShell/own.net -> PhysShell/Own.NET) and a versioning-policy pointer. Final review hardening: git rev-parse "refs/tags/$TARGET" returns an annotated tag's own SHA, not the commit it points at. Peeled to ^{commit} so the major tag always ends up on the release commit rather than on the tag object itself. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw
…n facade (P-013 gate B) Rebase of PR #248 onto post-#247 main. New workflow (.github/workflows/action-marketplace-readiness.yml): consumer-simulation (uses: ./ against fixtures/marketplace-consumer-demo, not the precision-test corpus) -> validate-release-tag (immutable vX.Y.Z, gated on both event_name == 'push' and the ref prefix) -> move-major-tag (workflow_dispatch-only, environment-gated via the shared scripts/check_environment_protection.sh predicate #247 introduced, template-injection-safe input handling). docs/notes/action-marketplace-readiness.md documents the versioning policy, the consumer-simulation fixture rationale, and two prior review corrections (environment auto-creation with zero rules; predicate tightened to required_reviewers-only). README.md/README.ru.md get a casing fix (PhysShell/own.net -> PhysShell/Own.NET) and a versioning-policy pointer. Final review hardening: git rev-parse "refs/tags/$TARGET" returns an annotated tag's own SHA, not the commit it points at. Peeled to ^{commit} so the major tag always ends up on the release commit rather than on the tag object itself. Claude-Session: https://claude.ai/code/session_01SSXTDuh1ZHdQc4QqmYwshw Co-authored-by: Claude <noreply@anthropic.com>
Что и зачем
Rebuild of PR #244 directly against post-#246
main, using the Owen public identity throughout instead of the pre-rebrandownsharp/OwnSharp.Clinames PR #244 used. Per the merged facade's own PR body ("Phase 3 — rebuilt against this PR once merged, targetingOwen.Cli/owen") and the reviewer's explicit instruction not to merge #244 in its pre-Owen form, PR #244 is being closed in favor of this one.Prepares
Owen.Clifor eventual NuGet publication without publishing a production package.OwnSharp.Cli.csproj): addedAuthors,PackageProjectUrl,RepositoryUrl,RepositoryType,PackageTags,PackageReadmeFile,Deterministic,ContinuousIntegrationBuild— additive on top of feat(owen): public facade rebrand for the CLI, Action, and SARIF identity #246's already-Owen-brandedPackageId/ToolCommandName/Description.PackageLicenseExpressiondeliberately left unset: the repository has noLICENSEfile, and picking one is the repository owner's decision, not this session's — flagged as the first blocker in the release checklist, not resolved unilaterally..github/workflows/owen-cli-release.yml, tag namespaceowen-cli-v*, replacing PR feat(ownsharp-cli): release-readiness pipeline for the NuGet package (P-013) #244'sownsharp-cli-release.yml):build-test-pack→smoke-test(ubuntu + windows) →publish. The smoke-test job installs and exercises the already-packedOwen.Cliartifact frombuild-test-pack's upload — no checkout, no rebuild, no invocation of the pre-rebrandownsharpcommand — verifyingowen --version, a leak sample (exit 1,OWN001), a clean sample (exit 0), theOWEN_PYTHON-not-found actionable-failure path (exit 3), and a full uninstall/reinstall cycle. Publish still requires both a pushedowen-cli-v*tag (workflow_dispatchcan never reach it) and anuget-releaseGitHub Environment a repo admin has to configure with required reviewers — it doesn't exist yet.ownsharp.dll,ownsharp-extract.dll— the real, unmodifiedAssemblyName-derived output, per feat(owen): public facade rebrand for the CLI, Action, and SARIF identity #246's established internal/public split) are intentionally left as-is in the package-content inspection step; only the public package ID, command name, tag namespace, and env var are Owen-branded.docs/notes/owen-cli-release.md(replacing PR feat(ownsharp-cli): release-readiness pipeline for the NuGet package (P-013) #244'sownsharp-cli-release.md): versioning policy, the re-verified determinism findings (two packs against this exact source, byte-for-byte identical payload, only NuGet's own per-pack OPC wrapper GUID differs), the metadata audit, and the release checklist — the license blocker is addressed explicitly to the repository owner.Тип изменения
Как проверено
python tests/run_tests.py— 276/276ruff check ./mypy— cleanpython3 -c "import yaml; yaml.safe_load(...)"dotnet pack(twice, for determinism) → diff unzipped payload (only the OPC wrapper.rels/.psmdcpdiffer) → package-content inspection (ownsharp.dll,ownsharp-extract.dll, 20 vendored core.pyfiles, README all present;.nuspecid/description/tags/authors/repositoryall correct) → isolated-feed install →owen --version/ leak / clean /OWEN_PYTHON-not-found (exit 3) / uninstall→reinstall, all matching what the workflow asserts.Связанные issue
Refs #202, P-013. Supersedes #244 (closed in favor of this PR — pre-Owen branding). No issues closed (release infra, not a shipped release).
Чеклист
OwnSharp.Cli/README.mdlinks to the new release note;docs/notes/owen-cli-release.mdis newfeat:)Boundaries honored
secrets.NUGET_API_KEYby name.0.xalpha).Generated by Claude Code
Summary by CodeRabbit