Release Checklist
Do not publish until the native bridge has been compiled and smoke-tested on all claimed target platforms.
Before Tagging
- Confirm package name ownership and approval.
- Confirm bundled Betterleaks version in
bridge/go.mod. - Run
uv run python scripts/check_betterleaks_pin.py. - Run
uv lock. - Run
uv run python scripts/build_native.py. - Run
uv run pytest. - Run
uv run ruff check .. - Run
uv run mypy python. - Run Go checks from
bridge/:gofmt,go test ./...,go vet ./...,staticcheck ./..., andgovulncheck ./.... - Run
uv build --wheeland confirm the wheel includes the native library andpy.typed. - Run
uv build --sdistand confirm the sdist does not include generated native libraries. - Run native smoke tests with the compiled library present.
- Run
uv run python benchmarks/bench.py --rounds 3 --warmups 1. - Run
bash e2e/run.shto verify a local wheel installs in a clean runtime image without a Go toolchain. - Update README platform matrix if support changed.
- Update
docs/betterleaks-pin.mdif the Betterleaks version changed. - Update release notes with the Python package version and bundled Betterleaks version.
CI Release Flow
- Push a tag like
v0.3.1. - GitHub Actions builds wheels on Linux, macOS, and Windows.
- Every wheel must install and run
scripts/wheel_smoke.py. - The Docker E2E workflow should build a local wheel, install it from
/tmp, and run directory/text scans against fake fixture secrets. publish.ymldownloads wheel artifacts, writesrelease/SHA256SUMS, uploads the checksum artifact, and publishes only wheel files fromdist.- The publish workflow then runs
scripts/pypi_smoke.pyto install the published version from PyPI in a temporary virtual environment. - Publish wheels to PyPI through trusted publishing only.
- Do not publish sdists until source builds are explicitly supported.
Musllinux Gate
Musllinux/Alpine is explicitly unsupported and must not be published as a wheel
target without a clean loader proof that avoids LD_PRELOAD, wrapper launchers,
or user-side runtime changes.
Current blocker:
initial-exec TLS resolves to dynamic definition
Do not add musllinux wheels to the publish matrix while that loader failure is reproducible.
After Publishing
- Verify
pip install pybetterleaksin a clean environment. - Verify
pip install --only-binary=:all: pybetterleaks. - Run
uv run python scripts/pypi_smoke.py --version <version>. - Verify Docker install using
python:3.12-slim. - Download a wheel and confirm
pybetterleaks/py.typedis included. - Confirm no install-time downloads occur.
- Publish checksum values with the GitHub release notes.