Releases
All releases are automatically generated by the application’s CI/CD pipeline upon merge events. A brief explanation of the CI/CD steps is provided below:
flowchart TD
Merge[Push to main] --> Lint[1. Lint]
Lint --> Sec[2. Security scan]
Sec --> Tests[3. Unit tests]
Merge --> LogOff[4a. Logging default off]
Merge --> ActOff[4b. Activity tracking default off]
Tests --> Release[5. Draft release]
LogOff --> Release
ActOff --> Release
Release --> Publish[Developer publishes → immutable]
Lint
Runs pre-commit run --all-files, enforcing Black, flake8 and secret scanning across the full
working tree.
Security Scan
Trivy scans the repository filesystem for known package vulnerabilities, committed secrets, and misconfigurations. The action is pinned to a commit SHA rather than a mutable tag for added security. For the runtime supply chain controls (dependency hash pinning, uv binary verification, and AI model integrity), see Supply Chain Integrity.
aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
Results are uploaded to the GitHub Security tab as SARIF. Any CRITICAL or
HIGH findings fail the job and interrupt the pipeline.
Unit Tests
Installs the Python package with dev and LLM dependencies (.[dev,llm]) and runs high coverage tests suite. Integration, slow, memory, and stress marked tests are excluded, but run by the developer offline.
Privacy Guards
Two jobs run in parallel to ensure the application’s logging and tracking capabilities are disabled by default:
4a. Logging default off — asserts LoggingConfigModel.enable_logs defaults
to False in vocalance/app/config/logging_config.py.
4b. Activity tracking default off — asserts ActivityTrackingConfig.enabled
defaults to False in vocalance/app/config/app_config.py.
A build that flips either default to True fails here and cannot produce a
release.
Draft Release
Runs on push to main only and:
Assembles
vocalance-v{VERSION}.zip:vocalance/ application source vocalance.py entry point pyproject.toml uv.lock pinned, hashed dependency tree README.md DISCLAIMER.md NOTICES/ third-party licence disclosures
Computes
vocalance-v{VERSION}.zip.sha256viasha256sum.Creates a draft GitHub release tagged
v{VERSION}, attaching:vocalance-v{VERSION}.zipvocalance-v{VERSION}.zip.sha256setup.ps1— standalone installer scriptcleanup.ps1— standalone uninstaller script
A developer then reviews the draft, writes the release notes, and publishes. Once published, the release is immutable: it cannot be edited or deleted.