Skip to content

Gate beta8 release on verified GitHub signature#65

Open
brik64-admin wants to merge 13 commits into
mainfrom
codex/beta8-compiler-functionality-carlos-signed
Open

Gate beta8 release on verified GitHub signature#65
brik64-admin wants to merge 13 commits into
mainfrom
codex/beta8-compiler-functionality-carlos-signed

Conversation

@brik64-admin

Copy link
Copy Markdown
Contributor

Summary

  • Supersedes PR Implement beta8 compiler functionality gate #64 with the same beta8 compiler functionality plus a release integrity gate for GitHub verified commit signatures.
  • Adds scripts/beta8-github-verified-signature-gate.js and wires beta8 release/publish planning to fail closed unless the exact release commit is GitHub verified.
  • Keeps beta8 in draft/non-public state until signing identity, platform smoke, curl/GCP, SDK/docs/web/changelog/skills and public-claim gates are complete.

Verification

  • node -c scripts/beta8-github-verified-signature-gate.js
  • npm run release:train:dry-run -- --allow-dirty
  • BRIK64_REQUIRE_GITHUB_VERIFIED_SIGNATURE=1 npm run release:train:dry-run -- --allow-dirty fails closed at beta8_github_verified_signature while the key remains unregistered.
  • npm run release:train:publish-plan fails closed with beta8_github_verified_signature_not_pass.

Known blocker

GitHub currently reports the signed commit as verified=false, reason=unknown_key. This PR must not be merged or published until the SSH signing key is registered and the gate passes.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved for beta8 candidate review. Public release remains blocked until GitHub verified-signature gate passes and the full release train is synchronized.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after the generated signature report was moved out of tracked evidence. Release remains blocked until GitHub verified-signature gate passes for the final commit.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after binding the beta8 signature report to the exact release commit. Release remains blocked until the GitHub signing key is registered and the verified-signature gate passes.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after adding the beta8 verified-signature gate to the publish workflow. Release remains blocked until GitHub recognizes the signing key for the final commit.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after expanding release-train dry-run triggers to beta8 scripts, PCD and runtime inputs. Release remains blocked until GitHub verified-signature gate passes for the final commit.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after adding the GitHub signing-key preflight. The release remains blocked until the token is refreshed with admin:ssh_signing_key and the public signing key is registered.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after adding the GitHub signing-key runbook and dry-run trigger coverage for it. Release remains blocked until signing key scope/key registration passes.

carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after adding signing-key preflight to the publish workflow. Publication remains blocked until the preflight and verified-signature gate pass with the registered key.

}
}

function redact(text) {
carlosjperez
carlosjperez previously approved these changes Jun 6, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after adding the idempotent GitHub signing key registration command. Release remains blocked until the required GitHub scopes are authorized and the public key is registered.

carlosjperez
carlosjperez previously approved these changes Jun 7, 2026

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved for beta8 release-surface sync gates after green CI and release dry-run. Boundary remains assisted/internal generation non-claim.

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after account-specific SSH signing key registration. GitHub reports the beta8 PR head commit as verified and the beta8 verified-signature gate passes.

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-approved after brik64-admin pushed a GitHub-verified beta8 release head. Checks must remain green before merge.

@carlosjperez carlosjperez requested a review from a team June 7, 2026 10:33

@carlosjperez carlosjperez left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code owner approval from brik64-cli-maintainers for verified beta8 release head.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants