@kungfu-tech/buildchain 2.3.1-alpha.0 → 2.3.1-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/docs/cli.md CHANGED
@@ -27,6 +27,14 @@ pnpm add -D @kungfu-tech/buildchain
27
27
  pnpm exec buildchain validate
28
28
  ```
29
29
 
30
+ Consumers should pin the exact Buildchain version that was validated in their
31
+ repository. When dogfooding a fresh Buildchain release immediately after it is
32
+ published, pnpm may block the install through a minimum release-age policy. In
33
+ that case, add a temporary package/version-specific `minimumReleaseAgeExclude`
34
+ entry, such as `@kungfu-tech/buildchain@2.2.5`, and remove it once the package
35
+ has aged past the normal policy window. Do not replace that with a broad
36
+ registry or scope-wide exclude.
37
+
30
38
  Use the package API directly inside JavaScript build scripts:
31
39
 
32
40
  ```js
@@ -56,6 +64,10 @@ Supported presets:
56
64
  - `--type anchored-package` for packages whose version is anchored to an
57
65
  explicit upstream release manifest.
58
66
 
67
+ The native preset includes an opt-in `[diagnostics.native]` profile with common
68
+ tool/cache/artifact probes. Consumers can keep it enabled, adjust the tool and
69
+ directory lists, or disable it if a repository does not need native diagnostics.
70
+
59
71
  `buildchain validate` parses `buildchain.toml`, checks configured version-state
60
72
  files, and can require named lifecycle stages:
61
73
 
@@ -92,6 +104,8 @@ buildchain span --event native.build --phase build -- cmake --build build
92
104
  buildchain log warn --event cache.miss --component conan --attribute token=hidden
93
105
  buildchain log summary --json
94
106
  buildchain verify observability-log .buildchain/logs/events.jsonl --min-events 4 --require-phase build
107
+ buildchain diagnostics summary .buildchain/artifacts/*/diagnostics.json --json
108
+ buildchain sample process-tree --label native-build --interval-ms 15000 -- make -j20
95
109
  ```
96
110
 
97
111
  During `buildchain lifecycle run`, child processes receive
@@ -116,6 +130,61 @@ Secret-looking attribute keys such as `token`, `password`, `secret`,
116
130
  Full command strings are not recorded by `span`; scripts should provide stable
117
131
  event names and safe attributes instead.
118
132
 
133
+ `buildchain diagnostics summary` reads one or more small diagnostics artifacts
134
+ and emits the same cross-platform summary as the diagnostics SDK:
135
+
136
+ ```bash
137
+ buildchain diagnostics summary \
138
+ .buildchain/artifacts/linux-x64/diagnostics.json \
139
+ .buildchain/artifacts/macos-arm64/diagnostics.json \
140
+ --output .buildchain/artifacts/diagnostics-summary.json \
141
+ --json
142
+ ```
143
+
144
+ The JSON summary keeps per-platform lifecycle stage tables, adds lifecycle
145
+ total durations, carries top slow spans, aggregates warning/error counts, and
146
+ sorts the slowest platforms. Each platform row carries compact runner facts,
147
+ checked tool versions/missing tools, package manager/cache directory details,
148
+ compiler-cache availability, and a compact process sampler summary: requested
149
+ parallelism, observed max active processes, the ratio between them, sample
150
+ count, process categories, and the top sampled command basenames. This lets
151
+ maintainers inspect matrix timing, runner, tool, cache, and concurrency context
152
+ without downloading large platform binaries or process sidecars first.
153
+ When a sibling `diagnostics-manifest.json` is available, the summary also records
154
+ its file list and verifies the listed `diagnostics.json` byte count and sha256.
155
+ Missing, unreadable, or mismatched sidecar manifests are reported through
156
+ `diagnosticsManifestWarningCount` and the per-platform `diagnosticsManifest`
157
+ field without failing the timing rollup.
158
+ The summary also compares each `diagnostics.json` contract to
159
+ `BUILDCHAIN_DIAGNOSTICS_CONTRACT`; mismatches are reported through
160
+ `diagnosticsContractWarningCount` and the per-platform `diagnosticsContract`
161
+ field so reviewers can separate diagnostics schema drift from lifecycle
162
+ warnings or build failures.
163
+
164
+ Without `--json`, the command prints a compact lifecycle timing table with
165
+ install/build/verify/publish, artifact scan/upload, total, warning, and error
166
+ columns for each platform, plus `jobs` and `active` columns for requested and
167
+ observed process concurrency when sampler data is present.
168
+
169
+ `buildchain sample process-tree` wraps a long-running command and periodically
170
+ writes process-tree snapshots:
171
+
172
+ ```bash
173
+ buildchain sample process-tree \
174
+ --label native-build \
175
+ --interval-ms 15000 \
176
+ --output .buildchain/diagnostics/process-samples.jsonl \
177
+ --summary-output .buildchain/diagnostics/process-summary.json \
178
+ -- \
179
+ make -j20
180
+ ```
181
+
182
+ The command returns the wrapped command's exit status. The JSONL file contains
183
+ small timestamped samples; the summary JSON records requested parallelism,
184
+ observed concurrency, sampled CPU, command categories, and top command
185
+ basenames. Use it when a native build requests high parallelism but appears to
186
+ spend long stretches in low-concurrency compile, archive, link, or cache steps.
187
+
119
188
  `buildchain doctor` checks repository readiness before remote side effects:
120
189
 
121
190
  ```bash
@@ -123,8 +192,27 @@ buildchain doctor --json
123
192
  ```
124
193
 
125
194
  It validates `buildchain.toml`, package-manager detection, Git repository state,
126
- and the reusable workflow caller. The JSON result is shaped for future
127
- `buildchain.libkungfu.dev` fact ingestion.
195
+ and the reusable workflow caller. For `version.strategy = "anchored"` with
196
+ `version.next = "manual"`, it also embeds the anchored package release contract
197
+ check: anchor manifest readability, configured version files, trusted
198
+ publishing, package publish order, and required lifecycle stages. Add
199
+ `--require-publish-source-lock` inside a publish job when the doctor report
200
+ should also fail unless the job is running from a resolved `publish-gate/*`
201
+ source lock.
202
+
203
+ Anchored/manual package publish jobs can run the narrower source-lock gate
204
+ directly:
205
+
206
+ ```bash
207
+ buildchain publish-source validate-anchored-release --json
208
+ ```
209
+
210
+ The command requires `BUILDCHAIN_PUBLISH_SOURCE_REF`,
211
+ `BUILDCHAIN_PUBLISH_SOURCE_SHA`, and `BUILDCHAIN_PUBLISH_SOURCE_LOCKED` from the
212
+ reusable build workflow outputs. It fails closed for direct `alpha/*` or
213
+ `release/*` channel-branch publication, and checks the publish-gate consumer
214
+ version against configured version files and the anchor manifest. The JSON
215
+ result is shaped for future `buildchain.libkungfu.dev` fact ingestion.
128
216
 
129
217
  `buildchain release`, `buildchain web-surface`, `buildchain publish-source`,
130
218
  and `buildchain build-contract` route to the same scripts used by Buildchain's
@@ -148,6 +236,41 @@ and `llms.txt`. Production binary distribution defaults to GitHub-hosted
148
236
  runners so other projects can reproduce the release lane; self-hosted runners
149
237
  remain compatibility fixtures and are recorded as runner facts when used.
150
238
 
239
+ For publish-transaction releases, pass the additional evidence inputs so
240
+ `buildchain.release.json` becomes the unified passport instead of a binary-only
241
+ asset summary:
242
+
243
+ ```bash
244
+ buildchain collect github-release \
245
+ --tag v2.3.2 \
246
+ --repository kungfu-systems/buildchain \
247
+ --assets-dir dist \
248
+ --publish-evidence-json .buildchain/release-evidence/v2.3.2/evidence.json \
249
+ --transaction-json .buildchain/release-state/v2.3.2/state.json \
250
+ --package-set-json package-set.json \
251
+ --trusted-publishing-json trusted-publishing.json \
252
+ --anchor-manifest-json libnode.release.json \
253
+ --build-summary-json .buildchain/artifacts/build-summary.json \
254
+ --platform-manifest-json .buildchain/artifacts/linux-x64/manifest.json \
255
+ --platform-manifest-json .buildchain/artifacts/darwin-arm64/manifest.json \
256
+ --platform-manifest-json .buildchain/artifacts/win32-x64/manifest.json \
257
+ --dist-tag-evidence-json .buildchain/release-evidence/v2.3.2/dist-tag-evidence.json \
258
+ --release-extra-json '{"channel":"release","targetRef":"release/v2/v2.3"}' \
259
+ --output-dir .buildchain/release-passport
260
+ ```
261
+
262
+ The generated passport records the main and platform packages, npm dist-tags,
263
+ published versions, release source/ref state, anchor manifest digest, registry
264
+ artifact digests, trusted publishing evidence, and Buildchain transaction
265
+ result. It also records `buildSummary`, `platformArtifactManifests`, and
266
+ `distTagPromotion` when those JSON inputs are supplied. `packageSet` keeps the
267
+ ordered package set; `publish.packages[]` is the agent-readable npm publication
268
+ summary for each main/platform package. For Buildchain releases, verification
269
+ expects the supplied package set to include the main package plus the three
270
+ platform packages with version, dist-tag, and digest evidence. Verification
271
+ fails closed if supplied sections are internally incomplete or point to
272
+ artifacts without matching evidence.
273
+
151
274
  Buildchain dogfoods its observability toolkit in this lane. The standalone
152
275
  builder writes API-generated events, while the workflow uses `buildchain mark`,
153
276
  `buildchain span`, `buildchain verify observability-log`, and `buildchain log
package/docs/install.md CHANGED
@@ -54,6 +54,31 @@ npx buildchain doctor --json
54
54
  Alpha releases publish to the `alpha` npm dist-tag. Stable releases publish to
55
55
  `latest`. Both are created by the protected Buildchain promotion transaction.
56
56
 
57
+ Stable consumers should pin the exact Buildchain version they have validated,
58
+ for example:
59
+
60
+ ```bash
61
+ pnpm add -D @kungfu-tech/buildchain@2.2.5
62
+ ```
63
+
64
+ If a repository dogfoods a just-published Buildchain version and pnpm's release
65
+ age policy blocks the install, use a temporary package/version-specific
66
+ `minimumReleaseAgeExclude` entry instead of weakening the registry policy for
67
+ all packages:
68
+
69
+ ```json
70
+ {
71
+ "pnpm": {
72
+ "minimumReleaseAgeExclude": [
73
+ "@kungfu-tech/buildchain@2.2.5"
74
+ ]
75
+ }
76
+ }
77
+ ```
78
+
79
+ Remove that entry after the package is old enough for the repository's normal
80
+ policy. Do not use a broad exclude such as `@kungfu-tech/*` for this case.
81
+
57
82
  ## Repository Integration
58
83
 
59
84
  ```bash
@@ -75,4 +100,3 @@ buildchain explain release --passport buildchain.release.json --for agent --json
75
100
 
76
101
  The verifier fails closed when the passport or its sibling evidence files are
77
102
  missing required fields or mismatching artifact digests.
78
-
@@ -150,6 +150,14 @@ For package sets, `package_set_order = "platforms-first-main-last"` makes the
150
150
  main package the visibility gate. Platform package side effects are planned or
151
151
  retried first, and the main package or main dist-tag move happens last.
152
152
 
153
+ When the transaction reaches `complete`, `actions/promote-buildchain-ref`
154
+ generates `.buildchain/release-passport/buildchain.release.json` and persists
155
+ the `release-passport/*` files into the durable `buildchain/release-state/...`
156
+ ref. The passport is the stable release artifact for agents and people: it
157
+ links the package set, npm publish evidence, dist-tag evidence, build summary,
158
+ platform artifact manifests, trusted publishing metadata, release-state ref,
159
+ and transaction result in one schema.
160
+
153
161
  ## Evidence
154
162
 
155
163
  The publish lifecycle must write JSON evidence. Buildchain validates common
@@ -188,6 +196,8 @@ The generic contract is intentionally small:
188
196
 
189
197
  - `version`, `channel`, `source_sha`, `release_sha`, and `target_ref` must match
190
198
  the promotion run;
199
+ - dist-tag promotion evidence is written beside the publish evidence as
200
+ `dist-tag-evidence.json` and is referenced from the generated passport;
191
201
  - required artifacts must appear in evidence;
192
202
  - evidence used by a GitHub-hosted rerun must either be stored in the durable
193
203
  state ref or be reconstructed by a machine-verifiable consumer command;
@@ -27,6 +27,25 @@ P0 protocol artifacts:
27
27
 
28
28
  `buildchain.release.json` is the first file an agent should read. It points to
29
29
  artifact evidence, impact, recovery, product mechanism, and agent index facts.
30
+ It is also the unified release responsibility summary: when publish
31
+ transactions are used, the same passport records the package set, npm dist-tags,
32
+ release source refs, release-state ref, anchor manifest, registry artifact
33
+ digests, trusted publishing evidence, and transaction result.
34
+
35
+ Additive passport sections:
36
+
37
+ - `release`: exact tag, line, channel, source SHA, target ref, release SHA,
38
+ release material SHA, publish tooling SHA, and durable release-state ref.
39
+ - `packageSet`: main package, platform packages, package-set order, registry,
40
+ versions, dist-tags, and package digests.
41
+ - `anchorManifest`: anchored/manual version manifest path, digest, and fields.
42
+ - `trustedPublishing`: provider, auth mode, workflow run evidence, and whether
43
+ trusted publishing was enabled.
44
+ - `transaction`: durable Buildchain release transaction id, state, exact tag,
45
+ release SHA, state ref, and state SHA.
46
+ - `artifacts`: release assets and registry artifacts in one list, each pointing
47
+ back to the evidence file that proves its digest.
48
+
30
49
  Buildchain's own binary lane also publishes observability artifacts generated by
31
50
  the Buildchain logging API and CLI:
32
51
 
@@ -65,9 +84,25 @@ buildchain collect github-release \
65
84
  --tag v2.2.0 \
66
85
  --repository kungfu-systems/buildchain \
67
86
  --assets-dir dist \
87
+ --publish-evidence-json .buildchain/release-evidence/v2.2.0/evidence.json \
88
+ --transaction-json .buildchain/release-state/v2.2.0/state.json \
89
+ --package-set-json package-set.json \
90
+ --anchor-manifest-json libnode.release.json \
91
+ --build-summary-json .buildchain/artifacts/build-summary.json \
92
+ --platform-manifest-json .buildchain/artifacts/linux-x64/manifest.json \
93
+ --platform-manifest-json .buildchain/artifacts/darwin-arm64/manifest.json \
94
+ --platform-manifest-json .buildchain/artifacts/win32-x64/manifest.json \
95
+ --dist-tag-evidence-json .buildchain/release-evidence/v2.2.0/dist-tag-evidence.json \
68
96
  --output-dir .buildchain/release-passport
69
97
  ```
70
98
 
99
+ `packageSet` records the ordered main-plus-platform package set.
100
+ `publish.packages[]` summarizes each published npm package with its version,
101
+ dist-tag, registry, role, platform, and digest, so agents do not need to stitch
102
+ npm facts back together from the lower-level evidence files.
103
+ `buildSummary`, `platformArtifactManifests`, and `distTagPromotion` preserve the
104
+ build and npm dist-tag evidence chain in the same passport.
105
+
71
106
  Verify a release passport:
72
107
 
73
108
  ```bash
@@ -24,6 +24,7 @@ jobs:
24
24
  build/stage
25
25
  expected-artifacts-json: >-
26
26
  {"minFiles":2,"requiredPaths":["dist/libnode.tar.gz","dist/checksums.txt"]}
27
+ process-summary-path: .buildchain/diagnostics/process-summary.json
27
28
  publish-channel: release
28
29
  publish-source-ref: publish-gate/release/v22/v22.22/22.22.3-kf.0
29
30
  ```
@@ -108,6 +109,74 @@ Do not use `kungfu-verify` for stages that need CMake, Ninja, ccache, Conan, or
108
109
  Docker image publishing. Those should use a heavier native-build image or remain
109
110
  on a host runner until their image contract is explicit.
110
111
 
112
+ ## Buildchain Runtime Override
113
+
114
+ Stable consumers should keep the reusable workflow pinned to stable refs such as
115
+ `@v2`. The optional `buildchain-ref` input is empty by default; empty means
116
+ Buildchain resolves and executes the stable runtime selected by the workflow
117
+ shell. The full train validation protocol is documented in
118
+ [`runtime-train-validation.md`](runtime-train-validation.md).
119
+
120
+ For one-off manual validation, a trusted maintainer can run the caller workflow
121
+ with a temporary runtime override:
122
+
123
+ ```yaml
124
+ on:
125
+ workflow_dispatch:
126
+ inputs:
127
+ buildchain-ref:
128
+ description: "Temporary Buildchain runtime ref for trusted manual validation"
129
+ required: false
130
+ default: ""
131
+
132
+ jobs:
133
+ build:
134
+ uses: kungfu-systems/buildchain/.github/workflows/.build.yml@v2
135
+ with:
136
+ buildchain-ref: ${{ inputs.buildchain-ref || '' }}
137
+ ```
138
+
139
+ Allowed override refs are deliberately narrow:
140
+
141
+ | Ref form | Meaning |
142
+ | --- | --- |
143
+ | `train/v2/v2.3/<capability>` | Temporary capability train under the active minor line |
144
+ | `refs/heads/train/v2/v2.3/<capability>` | Explicit branch ref for the same train |
145
+ | `<40-character SHA>` | Exact immutable Buildchain runtime commit |
146
+
147
+ Override requests fail closed unless the event is `workflow_dispatch` and the
148
+ actor has write, maintain, or admin permission on the caller repository.
149
+ Pull requests, including same-repository pull requests and fork-originated pull
150
+ requests, cannot use `buildchain-ref` override. This keeps automated PR builds on
151
+ the stable runtime surface.
152
+
153
+ Every run resolves the runtime ref to an immutable SHA before checkout. The job
154
+ summary and aggregate build summary record the workflow shell ref, requested
155
+ runtime ref, resolved runtime ref, runtime SHA, stability class, trust decision,
156
+ and rollback ref. Train refs are development validation refs: they do not move
157
+ `v2`, `vX.Y`, `vX.Y-alpha`, npm dist-tags, or production release refs, and they
158
+ must not be pinned as long-term production dependencies.
159
+
160
+ Runtime override validates Buildchain runtime scripts, CLI code, local actions,
161
+ config parsing, and lifecycle behavior. It cannot validate changes that require
162
+ the outer reusable workflow YAML itself to change, such as new jobs,
163
+ permissions, workflow outputs, or matrix topology. Those changes need a canary
164
+ workflow path or a temporary explicit workflow ref.
165
+
166
+ When a Buildchain maintainer asks for downstream validation, the expected
167
+ request is:
168
+
169
+ ```text
170
+ Buildchain train ready: buildchain-ref=train/v2/v2.3/<capability>.
171
+ Keep uses: ...@v2; run workflow_dispatch with that buildchain-ref and report the runtime evidence summary.
172
+ ```
173
+
174
+ After validation succeeds, the Buildchain change should continue through the
175
+ normal mainline and release path. Do not treat the train as a pending merge
176
+ item; it is only a temporary fast-use, diagnostic, and rollback channel. It may
177
+ remain for a retention window after release, with old trains handled by a
178
+ separate periodic cleanup task.
179
+
111
180
  ## Workflow Outputs
112
181
 
113
182
  The reusable workflow exposes the resolved contract:
@@ -120,8 +189,15 @@ The reusable workflow exposes the resolved contract:
120
189
  | `linux-container-enabled` | `true` when Linux platforms are routed through a job container |
121
190
  | `linux-container-image` | Resolved digest-pinned Linux job container image |
122
191
  | `build-summary-artifact` | Uploaded aggregate summary artifact name |
192
+ | `build-diagnostics-summary-artifact` | Uploaded aggregate diagnostics summary artifact name |
123
193
  | `build-summary-json` | Compact aggregate JSON with platform count, file count, and byte total |
194
+ | `build-diagnostics-summary-json` | Compact aggregate diagnostics JSON with platform, lifecycle warning/error, diagnostics contract warning, and sidecar manifest warning totals |
124
195
  | `trusted-event` | `true` when the event is trusted enough to reach build runners |
196
+ | `buildchain-runtime-ref` | Runtime ref selected after applying the empty-default or override policy |
197
+ | `buildchain-runtime-sha` | Immutable Buildchain runtime commit used by all runtime checkouts |
198
+ | `buildchain-runtime-class` | `stable`, `alpha`, `train`, `exact-sha`, or `development` |
199
+ | `buildchain-runtime-override` | `true` when a non-empty `buildchain-ref` override was accepted |
200
+ | `buildchain-runtime-trust-decision` | Runtime override trust decision |
125
201
  | `publish-channel` | Resolved publish channel requested by the caller |
126
202
  | `publish-allowed` | `true` only when this event/ref may publish after verification |
127
203
  | `publish-reason` | Human-readable reason for the publish gate decision |
@@ -133,10 +209,29 @@ The reusable workflow exposes the resolved contract:
133
209
  | `publish-source-consumer-version` | Consumer package version parsed from source refs |
134
210
  | `release-manifest-json` | Resolved release manifest including source lock, version state, and anchor data |
135
211
 
136
- The aggregate summary is intentionally an artifact as well as an output. GitHub
212
+ The aggregate summaries are intentionally artifacts as well as outputs. GitHub
137
213
  Actions matrix outputs are not a reliable place to carry every platform's full
138
214
  manifest, so Buildchain uploads each platform manifest and then emits one
139
- aggregate summary artifact after the matrix completes.
215
+ aggregate build summary artifact after the matrix completes. Buildchain uploads
216
+ `diagnostics-summary.json` as a separate aggregate diagnostics summary artifact,
217
+ a compact rollup of each platform's small diagnostics upload. The rollup keeps
218
+ per-platform runner facts, checked tool versions/missing tools, package
219
+ manager/cache directory details, compiler-cache availability, lifecycle timing,
220
+ process sampler context, and links back to the exact platform artifacts. Each
221
+ platform diagnostics upload includes `diagnostics.json`,
222
+ `diagnostics-manifest.json`, the lifecycle `events.jsonl`, and process sampler
223
+ sidecars when enabled, so slow-build diagnosis does not require downloading the
224
+ binary platform artifact or the aggregate build summary. The sidecar manifest
225
+ records the uploaded diagnostics files with bytes and sha256 hashes. Each
226
+ `diagnostics.json` also records the related binary artifact name, manifest
227
+ artifact name, diagnostics artifact name, diagnostics sidecar manifest path, and
228
+ platform id in `links`, so a reviewer can navigate from the small diagnostics
229
+ artifact back to the exact platform outputs when deeper inspection is needed.
230
+ The workflow output `build-diagnostics-summary-json` includes
231
+ `diagnosticsContractWarningCount` and `diagnosticsManifestWarningCount` so
232
+ release jobs can detect drifting diagnostics JSON contracts and missing or
233
+ drifting diagnostics sidecar manifests without downloading the per-platform
234
+ diagnostics artifacts first.
140
235
 
141
236
  ## Publish Gate
142
237
 
@@ -240,6 +335,38 @@ If the branch tip no longer matches the manifest SHA, the publish job must fail
240
335
  closed. Moving a gate branch creates a new publish decision and should produce a
241
336
  new build run.
242
337
 
338
+ Anchored/manual package release jobs should also make the Buildchain promotion
339
+ action validate that publication is entering through the same
340
+ `publish-gate/{alpha,release,major}` source-lock contract before any package
341
+ publish side effect:
342
+
343
+ ```yaml
344
+ - name: Promote release ref and publish npm package set
345
+ uses: kungfu-systems/buildchain/actions/promote-buildchain-ref@v2
346
+ with:
347
+ sha: ${{ needs.build.outputs.publish-source-sha }}
348
+ target-ref: release/v22/v22.22
349
+ require-publish-source-lock: 'true'
350
+ publish-source-ref: ${{ needs.build.outputs.publish-source-ref }}
351
+ publish-source-sha: ${{ needs.build.outputs.publish-source-sha }}
352
+ publish-source-locked: ${{ needs.build.outputs.publish-source-locked }}
353
+ ```
354
+
355
+ `target-ref` stays the Buildchain channel promotion target, such as
356
+ `alpha/v22/v22.22`, `release/v22/v22.22`, or `publish-gate/major`.
357
+ `publish-source-ref` is the reviewed source-lock branch that authorized this
358
+ specific package publication. For alpha and release package publications, the
359
+ source-lock branch must point at the exact channel-line commit that promotion is
360
+ validating; it is not a replacement for `target-ref`.
361
+
362
+ This keeps the version bump commit, publish authorization, and auditable publish
363
+ entrypoint on the Buildchain source-lock protocol. The CLI form
364
+ `buildchain publish-source validate-anchored-release --json` is still useful for
365
+ custom publish scripts, but the preferred GitHub Actions gate is the promotion
366
+ action input above. A publish job that still runs directly from `alpha/*` or
367
+ `release/*` channel branches fails this check because those refs are channel
368
+ state, not publish-gate decisions.
369
+
243
370
  ## Package-Set Publish Plan
244
371
 
245
372
  Projects that publish multiple packages should treat package publication as a
@@ -281,6 +408,28 @@ with:
281
408
  verify-command: ctest --test-dir build --output-on-failure
282
409
  ```
283
410
 
411
+ The reusable build workflow samples the build lifecycle by default and carries
412
+ the generated summary into the final verify diagnostics. Callers can override
413
+ the sidecar path or disable sampling:
414
+
415
+ ```yaml
416
+ with:
417
+ sample-process-tree: true
418
+ process-summary-path: .buildchain/diagnostics/process-summary.json
419
+ process-sample-interval-ms: 15000
420
+ requested-parallelism: 20
421
+ ```
422
+
423
+ When `sample-process-tree` is true, Buildchain wraps either `build-command` or
424
+ the configured `lifecycle.build` stage with `buildchain sample process-tree`.
425
+ The path is relative to the checked-out workspace and is read again during the
426
+ final verify lifecycle. Custom workflows can still write their own sampler
427
+ summary and pass `process-summary-path`; Buildchain reads the file after the
428
+ lifecycle command finishes, so it may be produced during the same invocation.
429
+ When the build stage is optional, the reusable workflow treats the default
430
+ sampler path as optional during verify; an explicitly supplied
431
+ `process-summary-path` remains required.
432
+
284
433
  For custom workflows, use the action directly:
285
434
 
286
435
  ```yaml
@@ -400,7 +549,7 @@ the publish gate: pull requests remain non-publishing events.
400
549
  `fixtures/libnode-shaped` is the contract fixture. It has:
401
550
 
402
551
  - `package.json` version state;
403
- - `buildchain.toml` with `install`, `build`, and `verify`;
552
+ - `buildchain.toml` with `install`, `build`, `verify`, and `publish`;
404
553
  - cross-platform Node scripts that create small `dist/` outputs;
405
554
  - `Build Surface Fixture` workflow coverage.
406
555