Skip to content

Package-release provenance and dirty-input guard

Summary

The release package command must make package provenance unambiguous. It should record the selected main source accurately and reject dirty source inputs that would make app/build/test/tooling provenance unclear.

Acceptance Criteria

  • [x] package-release records the app source variant, branch, and commit used for the package.
  • [x] package-release rejects dirty relevant source/doc inputs before writing release assets.
  • [x] Package manifests identify build and tooling commits used by the package.
  • [x] Packaging tests or focused command evidence cover the dirty-input guard.

Validation

  • 2026-05-13: build commit 24b5b04 added dirty-input rejection before packaging and expanded release manifests with app, build, build-tests, and tooling provenance.
  • 2026-05-13: python -m pytest tests\test_release.py -q passed.
  • 2026-05-13: python -m emule_workspace validate passed.
  • 2026-05-13: python -m emule_workspace package-release --config Release --platform x64 --release-version 0.7.3 passed.
  • SHA256: 3f12e40a33fc02ef9f7b4e7858a7e450ef0524d26eabc72f05d28dc47b47079e
  • 2026-05-13: python -m emule_workspace package-release --config Release --platform ARM64 --release-version 0.7.3 passed with the existing ARM64 warning profile.
  • SHA256: 5f4a3735a765a64cb0dea0a488d0ffd9e7d97ecf502d8859997c4e2cc26cb1c3