@kungfu-tech/buildchain 2.4.10-alpha.1 → 2.4.10

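--- a/package/docs/cli.md
+++ b/package/docs/cli.md
@@ -365,10 +365,14 @@ transaction that promotes release refs:
  workflow and do not publish.
 
  The promotion workflow uses npm Trusted Publishing through GitHub Actions OIDC.
- It runs on a GitHub-hosted runner with `id-token: write`, generates the
- version-state commit, runs `lifecycle.verify`, runs `lifecycle.publish`, writes
- Buildchain publish evidence, validates that evidence, and only then moves exact
- tags and floating refs.
+ It runs on a GitHub-hosted runner with `id-token: write`, but it does not
+ manually run the release-candidate resolver or promote action. Buildchain's own
+ dogfood path calls the declarative `release-candidate-promote.yml` wrapper with
+ channel, target ref/SHA, PR-stage workflow, artifact, status-check, and passport
+ inputs. The wrapper generates the version-state commit, runs
+ `lifecycle.verify`, runs `lifecycle.publish`, writes Buildchain publish
+ evidence, validates that evidence, and only then moves exact tags and floating
+ refs.
 
  ```bash
  node scripts/npm-publish-transaction.mjs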
@@ -59,7 +59,9 @@ Buildchain implements the same governance loop with:
59
59
 
60
60
  - `.github/workflows/release-verify.yml` for PR verification;
61
61
  - `.github/workflows/buildchain-ref-promotion.yml` for post-verify ref
62
- promotion;
62
+ promotion; this workflow dogfoods the declarative
63
+ `release-candidate-promote.yml` wrapper and does not hand-wire resolver,
64
+ artifact download, publish-gate, or promote action steps;
63
65
  - `actions/promote-buildchain-ref` for branch, tag, version-state, and
64
66
  governance checks;
65
67
  - package-manager adapters that can update version state for pnpm, npm, and
@@ -305,9 +307,10 @@ When debugging or extending release behavior, read in this order:
305
307
  1. `docs/release-flow.md`
306
308
  2. `.github/workflows/release-verify.yml`
307
309
  3. `.github/workflows/buildchain-ref-promotion.yml`
308
- 4. `actions/promote-buildchain-ref/README.md`
309
- 5. `actions/promote-buildchain-ref/src/`
310
- 6. `docs/migration-inventory.md`
310
+ 4. `.github/workflows/release-candidate-promote.yml`
311
+ 5. `actions/promote-buildchain-ref/README.md`
312
+ 6. `actions/promote-buildchain-ref/src/`
313
+ 7. `docs/migration-inventory.md`
311
314
 
312
315
  That path gives the policy first, the workflow trigger second, and the action
313
316
  implementation last.
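--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@kungfu-tech/buildchain",
- "version": "2.4.10-alpha.1",
+ "version": "2.4.10",
  "private": false,
  "description": "Buildchain Release Passport, release governance, CLI toolkit, and site facts.",
  "repository": "https://github.com/kungfu-systems/buildchain",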
@@ -200,13 +200,23 @@ for (const forbiddenSnippet of [
200
200
  }
201
201
  for (const requiredSnippet of [
202
202
  "id-token: write",
203
- "registry-url: \"https://registry.npmjs.org/\"",
204
- "publish-transaction: \"true\"",
203
+ "actions: read",
204
+ "uses: ./.github/workflows/release-candidate-promote.yml",
205
+ "target-sha: ${{ github.event.workflow_run.head_sha || inputs.sha || github.sha }}",
206
+ "publish-required-artifacts-json: \"[]\"",
205
207
  ]) {
206
208
  if (!buildchainRefPromotionWorkflow.includes(requiredSnippet)) {
207
209
  throw new Error(`buildchain ref promotion workflow missing npm transaction snippet: ${requiredSnippet}`);
208
210
  }
209
211
  }
212
+ for (const forbiddenSnippet of [
213
+ "run: node scripts/release-candidate-resolver.mjs",
214
+ "uses: ./actions/promote-buildchain-ref",
215
+ ]) {
216
+ if (buildchainRefPromotionWorkflow.includes(forbiddenSnippet)) {
217
+ throw new Error(`buildchain ref promotion workflow must use the declarative wrapper, found manual snippet: ${forbiddenSnippet}`);
218
+ }
219
+ }
210
220
  for (const requiredSnippet of [
211
221
  "distTag || (pkg.version.includes(\"-\") ? \"alpha\" : \"latest\")",
212
222
  "\"publish\", \"--dry-run\", \"--access\", \"public\"",
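Review bot: The error thrown by the first `requiredSnippet` loop still reads `missing npm transaction snippet`, but the list now holds wrapper-call snippets (`actions: read`, the `uses: ./.github/workflows/release-candidate-promote.yml` line, `target-sha`, `publish-required-artifacts-json`), so a failure names the wrong thing; I would change it to `buildchain ref promotion workflow missing declarative wrapper snippet: ${requiredSnippet}`. Both that loop and the new `forbiddenSnippet` loop match with `includes` on the raw workflow text, so a required line such as `id-token: write` is satisfied by a commented-out copy, and the forbidden `uses: ./actions/promote-buildchain-ref` check does not fire on a quoted or differently spaced `uses:` value. Because this guard covers the workflow that holds the OIDC publishing permission, consider matching against the text with `#` comment lines stripped, or at least state the limit in a comment such as `// substring guard only: YAML is not parsed, so comments and alternate quoting are not distinguished`. `buildchainRefPromotionWorkflow` is assigned outside this hunk and the section's file header is not shown on the page, so the rest of the script could not be checked.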