Releases

All releases are automatically generated by the application’s CI/CD pipeline upon merge events. A brief explanation of the CI/CD steps is provided below:

        flowchart TD
    Merge[Push to main] --> Lint[1. Lint]
    Lint --> Sec[2. Security scan]
    Sec --> Tests[3. Unit tests]
    Merge --> LogOff[4a. Logging default off]
    Merge --> ActOff[4b. Activity tracking default off]
    Tests --> Release[5. Draft release]
    LogOff --> Release
    ActOff --> Release
    Release --> Publish[Developer publishes → immutable]
    

Lint

Runs pre-commit run --all-files, enforcing Black, flake8 and secret scanning across the full working tree.

Security Scan

Trivy scans the repository filesystem for known package vulnerabilities, committed secrets, and misconfigurations. The action is pinned to a commit SHA rather than a mutable tag for added security. For the runtime supply chain controls (dependency hash pinning, uv binary verification, and AI model integrity), see Supply Chain Integrity.

aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25

Results are uploaded to the GitHub Security tab as SARIF. Any CRITICAL or HIGH findings fail the job and interrupt the pipeline.

Unit Tests

Installs the Python package with dev and LLM dependencies (.[dev,llm]) and runs high coverage tests suite. Integration, slow, memory, and stress marked tests are excluded, but run by the developer offline.

Privacy Guards

Two jobs run in parallel to ensure the application’s logging and tracking capabilities are disabled by default:

4a. Logging default off — asserts LoggingConfigModel.enable_logs defaults to False in vocalance/app/config/logging_config.py.

4b. Activity tracking default off — asserts ActivityTrackingConfig.enabled defaults to False in vocalance/app/config/app_config.py.

A build that flips either default to True fails here and cannot produce a release.

Draft Release

Runs on push to main only and:

  • Assembles vocalance-v{VERSION}.zip:

    vocalance/   application source
    vocalance.py entry point
    pyproject.toml
    uv.lock      pinned, hashed dependency tree
    README.md
    DISCLAIMER.md
    NOTICES/     third-party licence disclosures
    
  • Computes vocalance-v{VERSION}.zip.sha256 via sha256sum.

  • Creates a draft GitHub release tagged v{VERSION}, attaching:

    • vocalance-v{VERSION}.zip

    • vocalance-v{VERSION}.zip.sha256

    • setup.ps1 — standalone installer script

    • cleanup.ps1 — standalone uninstaller script

A developer then reviews the draft, writes the release notes, and publishes. Once published, the release is immutable: it cannot be edited or deleted.