Release automation is tag-driven: set the version in each repo, merge, push a
v* tag that matches that version, then CI publishes artifacts.
Contract milestone names (for example the v0.1 local verifier contract in
docs/v0.1-local-contract.md) describe the spec/tools behavior freeze, not
the SemVer on every package. Package versions below are what registries and tags
use today.
| Repo | Version source | Published as |
|---|---|---|
intentproof-tools |
Git tag only | GitHub Release archives (intentproof, intentproof-verify) |
intentproof-spec |
package.json 1.0.0 |
GitHub Release spec bundle + signed manifest |
intentproof-sdk-node |
package.json 0.2.1 |
npm @intentproof/sdk |
intentproof-sdk-python |
pyproject.toml 0.2.1 |
PyPI intentproof |
intentproof-sdk-go |
SDKVersion + Git tag v0.2.0 |
Go module via proxy |
homebrew-tap |
Formula version field |
Manual bump after tools release |
Matrix *_version labels in intentproof-spec are tuple bookkeeping strings;
they may differ from registry SemVer until you align them on a release bump.
-
Ensure
mainpasses CI andSPEC_REFmatches the spec tuple. -
Tag with the verifier release SemVer (example first stable:
v0.2.0if that is the chosen tools line — not necessarilyv0.1.0):git tag v0.2.0 git push origin v0.2.0
-
release-binaries.ymlruns GoReleaser and Cosign signing (seerelease-signing.md).
Dry-run without publishing a GitHub Release:
gh workflow run release-binaries.yml -f release_ref=refs/heads/mainAutomated tap PRs previously used INTENTPROOF_HOMEBREW_TAP_TOKEN; that is
not part of the restored slim pipeline. After a tools GitHub Release exists:
-
In
homebrew-tap, run (or adapt) the renderer from a tools checkout:gh release view v0.2.0 --repo IntentProof/intentproof-tools --json assets > /tmp/assets.json python3 scripts/render-homebrew-formulas.py \ --release-tag v0.2.0 \ --assets-json /tmp/assets.json \ --output-dir Formula -
Open a PR on
IntentProof/homebrew-tapwith the formula changes.
Tag must match package.json (currently 1.0.0 → v1.0.0):
git tag v1.0.0 && git push origin v1.0.0release-spec.yml needs SPEC_INTEGRITY_PRIVATE_KEY for manifest signing on
tag releases.
| Repo | Tag example | Workflow |
|---|---|---|
intentproof-sdk-node |
v0.2.1 |
release-npm.yml |
intentproof-sdk-python |
v0.2.1 |
release-pypi.yml |
intentproof-sdk-go |
v0.2.0 |
release-go.yml |
Release jobs use the same conformance gates as CI (pinned spec via tools
SPEC_REF). The workflow syncs npm version from the tag on pack; PyPI uses the
version in pyproject.toml — ensure it matches the tag before pushing.
npm and PyPI use OIDC trusted publishers on tag pushes.
- Spec
v1.0.0only if integrity manifest / schemas changed since last tuple. - Tools
v0.2.0(or your chosen verifier SemVer) + manual Homebrew PR. - SDK tags matching each
package.json/pyproject.toml/ module tag. - Update
pins.v1.json/ matrix if normative spec content or SDK SHAs move.