Skip to content

release: backfill v0.7.0 changelog and release notes#562

Merged
EffortlessSteven merged 1 commit into
mainfrom
release/v0.7.0-changelog-backfill
May 10, 2026
Merged

release: backfill v0.7.0 changelog and release notes#562
EffortlessSteven merged 1 commit into
mainfrom
release/v0.7.0-changelog-backfill

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

Backfill the v0.7.0 changelog, surface the scanner-safe bundle workflow in the README, and add a concrete release-body draft so gh release create has hand-written narrative instead of an auto-generated Other Changes fallback.

The v0.7.0 entry that landed in #561 was scoped to the freeze itself. This PR expands it to cover what actually shipped between v0.6.0 and v0.7.0, modeled on the v0.6.0 entry's style.

Changes

  • CHANGELOG.md — expanded [0.7.0] - 2026-05-10:
    • Added now covers bundle --profile scanner-safe, bundle --profile oidc, verify-bundle, inspect-bundle, export k8s / export vault-kv-json, scanner-safe negative JWK/JWKS and token shapes, the negative_payload_shapes facade example, public-surface promise map and cargo xtask public-surface guard, release-evidence runner / scanner-safe / OIDC bundle proofs, targeted-mutation lane and nightly mutation, RIPR PR exposure, mutation survivor ledger, scheduled performance evidence workflow and expanded benchmark coverage, Codecov advisory workflow, uselesskey-test-support fallible-helpers crate, panic-safety policy stack, fixture failure atlas, scanner-safe bundle reference, test-evidence-lanes guide, and v0.7.0 release governance docs.
    • Changed documents the MSRV bump (1.92 -> 1.95) and Rust 1.95 lint floor, plus the JWK / token / core / X.509 fold into owner crates with compatibility shims, advisory-blocked dependency floors, and the workspace-wide migration to fallible test helpers.
    • Fixed captures the earlier April-cycle codex bug fixes (PEM truncate UTF-8 boundary, WebAuthn u16::MAX field encoding, pkcs11-mock label normalization, webhook label JSON escaping, uppercase 0X seed prefix, no-default-features core-factory tests, xtask pr resilience, BDD matrix isolation, etc).
  • README.md — added a reproducible fixture bundles + handoff row to Pick The Lane First and a new Scanner-safe bundles and exports section showing bundle / verify-bundle / inspect-bundle / export k8s / export vault-kv-json / bundle --profile oidc. Headline v0.7.0 feature was previously invisible from the README.
  • docs/release/v0.7.0-category-notes.md — added a Draft release body section with hand-written markdown ready for gh release create. Covers the bundle workflow, OIDC pack, negative payload shapes, public-surface and compatibility shims, evidence lanes, MSRV bump, claim boundary, and evidence links.

No source or behavior changes.

Validation

  • cargo xtask docs-sync --check — passed
  • cargo xtask typos — passed
  • cargo xtask no-blob — passed
  • git diff --check — clean (no whitespace/conflict markers)
  • All v0.7.0 release-evidence gates remain green from release: prove v0.7.0 publish candidate #561 (target/release-evidence/summary.md).

Test plan

  • CI green
  • Reviewer confirms changelog accurately reflects merged PRs since v0.6.0 (feat: ship cheap fixture lanes and release controls #405 onward)
  • Reviewer confirms README scanner-safe bundle section reads as a starting point, not a reference
  • Reviewer confirms release-body draft is suitable for gh release create

…visibility

Expand the v0.7.0 entry to reflect the full release: scanner-safe bundle
workflow, OIDC contract pack, scanner-safe negative JWK/JWKS and token
fixtures, public-surface promise map with compatibility shims, evidence
lanes (RIPR, targeted/nightly mutation, perf, release proofs), MSRV bump,
and earlier-cycle bug fixes.

Add a "Scanner-safe bundles and exports" section and a corresponding lane
row to README.md so the headline v0.7.0 feature is discoverable from the
top-level docs surface.

Add a concrete release-body draft to docs/release/v0.7.0-category-notes.md
so `gh release create` has hand-written narrative rather than the
auto-generated "Other Changes" fallback caused by unlabeled merged PRs.

No source or behavior changes.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented May 10, 2026

Copy link
Copy Markdown

Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6e4485bc-4798-4e3b-91cc-54c095b45094

📥 Commits

Reviewing files that changed from the base of the PR and between ce02b18 and 26d6ab2.

📒 Files selected for processing (3)
  • CHANGELOG.md
  • README.md
  • docs/release/v0.7.0-category-notes.md

Summary by CodeRabbit

  • Documentation
    • Updated CHANGELOG with detailed v0.7.0 release entry (May 10, 2026), including new workflow, verification, and export capabilities.
    • Added scanner-safe fixture bundle workflow guidance to README with CLI commands for generating, verifying, inspecting, and exporting fixtures.
    • Added comprehensive release notes draft covering scanner-safe bundles, OIDC/JWKS support, and resolved determinism and encoding issues.

Walkthrough

This PR updates release documentation for v0.7.0, expanding CHANGELOG entries with narrative, features, and fixes; adding README guidance for scanner-safe bundle workflows and CLI commands; and providing a complete formal release announcement body for publication.

Changes

v0.7.0 Release Documentation

Layer / File(s) Summary
Release Notes Structure
CHANGELOG.md
Expanded v0.7.0 narrative describing scanner-safe fixture platform and bundle workflow; added comprehensive lists under Added (new features, CLI commands, tooling), Changed (MSRV, namespace consolidations, dependencies), and new Fixed (encoding, boundary, resiliency issues).
User Documentation & Lane Guidance
README.md
Added "reproducible fixture bundles + handoff" lane entry; introduced new "Scanner-safe bundles and exports" section documenting uselesskey-cli bundle/verify-bundle/inspect-bundle/export workflow, oidc profile, and references to manifest/receipt/OIDC validation documentation.
Release Announcement Body
docs/release/v0.7.0-category-notes.md
Appended draft release body for gh release create including What's new feature bullets, toolchain upgrade (Rust 1.92 → 1.95), claim boundary disclaimer, and concrete evidence artifact list.

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A release note hops with glee,
Bundle workflows, safe and free,
Rust climbs higher, fixes blend,
v0.7.0, let's transcend! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely summarizes the main change: backfilling the v0.7.0 changelog and release notes documentation across three files.
Description check ✅ Passed The description comprehensively explains the changeset, detailing what was added to each file, the rationale, and validation steps performed.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch release/v0.7.0-changelog-backfill

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@EffortlessSteven EffortlessSteven merged commit 310a70f into main May 10, 2026
5 checks passed
@EffortlessSteven EffortlessSteven deleted the release/v0.7.0-changelog-backfill branch May 10, 2026 21:39
EffortlessSteven added a commit that referenced this pull request May 11, 2026
Both v0.7.0 publish attempts via `cargo xtask publish` failed:

1. First attempt (tag at #562 merge): `uselesskey-core-seed` packaged
   before `uselesskey-core` because PUBLISH_CRATES listed compat shims
   before owner crates. Fixed in #565.
2. Second attempt (tag at #565 merge): `uselesskey-core` packaged but
   failed because its dev-dep `uselesskey-test-support` (workspace
   entry has `version = "0.7.0"`) is not in PUBLISH_CRATES at all.

Both failures are the same class of bug: a hand-maintained linear
PUBLISH_CRATES order that drifts out of sync with cargo metadata when
deps move. The user built `shipper` for exactly this — it computes a
deterministic DAG from cargo metadata, reconciles against registry
truth, retries transient errors, and persists state under `.shipper/`
so interrupted runs can resume.

Switch both `release.yml` and `publish-retry.yml` to:

- `cargo install shipper --locked --version "0.3.0-rc.2"`
- `shipper plan` (emit JSON plan into `.shipper/`)
- `shipper preflight --policy safe`
- `shipper publish --policy safe --readiness-method both --max-attempts 12 --max-delay 15m`
- Upload `.shipper/` state as artifacts (plan + final)

`publish-retry.yml` adds a `shipper resume --resume-from <crate>` path
when `inputs.resume_from` is set, and uses `shipper plan --format text`
as the dry-run preview.

Token continues to come from `secrets.CARGO_REGISTRY_TOKEN`. OIDC via
`crates-io-auth-action` is a separate follow-up.

## Recovery for the in-flight v0.7.0

3 crates are at 0.7.0 on crates.io (`uselesskey-core-hmac-spec`,
`uselesskey-jwk`, `uselesskey-core-jwk`); 50 remain at 0.6.0. After
this PR merges, dispatch `Publish Retry` on `v0.7.0` with `dry_run:
true` to preview, then dispatch again non-dry-run. Shipper reconciles
against the registry before any cargo activity, so the 3 already-
published crates will be skipped.

## Future work

- Adopt `rust-lang/crates-io-auth-action` OIDC token flow.
- Drop the hand-maintained `PUBLISH_CRATES` constant in `xtask/src/main.rs`
  once shipper handles all paths.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant