
[codex] Guard package readiness before release#181

Open
Fieldnote-Echo wants to merge 2 commits into codex/release-compat-invariants from codex/package-readiness-invariants

Conversation

@Fieldnote-Echo
Owner

Summary

Stacked on #180.

This lane hardens the package-readiness gate before the release stack moves toward dry-run/publish work:

  • adds root crate documentation = "https://docs.rs/ordvec" metadata;
  • adds a manifest-crate cargo publish --dry-run --locked step after manifest .crate byte-identity verification and before the crates.io OIDC credential is minted;
  • extends release publish invariants to run cargo package --list for both publishable crates and assert required/forbidden package contents;
  • validates packaged README relative links resolve inside each .crate;
  • pins the CI manifest-package deferral contract for the expected lockstep resolver failure before ordvec 0.4.0 exists on crates.io;
  • extends signed-release invariants to require the manifest publish dry-run ordering.

Scout / Review

Read-only package scout found two medium gaps:

  • package contents were not machine-checked;
  • ordvec-manifest had no post-core publish dry-run before minting OIDC.

Adversarial review found one low-severity shell brittleness issue: the signed-release dry-run command check was too argument-order-specific. Remediated with an order-insensitive awk check while leaving Python's structured shlex command parsing in place.

Validation

python3 -m py_compile tests/release_publish_invariants.py
bash tests/release_publish_invariants.sh
bash tests/release_signed_release_invariants.sh
cargo package -p ordvec --locked --allow-dirty
cargo check -p ordvec --locked
git diff --check

Note: full cargo package -p ordvec-manifest --locked remains intentionally deferred until ordvec 0.4.0 exists on crates.io; CI and release invariants now pin that deferral and require release.yml to package/publish-dry-run the manifest crate only after publish-crate succeeds.
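The package-content checks the summary describes (required files, forbidden prefixes, README relative links resolving inside the `.crate`) can be exercised offline against the text that `cargo package --list` prints. The block below is an added example written for this page, not code from the project's `tests/release_publish_invariants.py`; the package list, README body, required-file set and forbidden prefixes are constructed assumptions chosen to illustrate the checks. It goes slightly beyond the summary in one respect: a link to a directory (`docs/`) is accepted when any packaged file lives under that directory, since `cargo package --list` only prints files.

```python
import posixpath
import re

# Constructed sample of `cargo package --list` output (one path per line,
# relative to the crate root). This is NOT the real ordvec file list.
SAMPLE_PACKAGE_LIST = """\
Cargo.toml
Cargo.toml.orig
Cargo.lock
LICENSE-MIT
README.md
docs/design.md
src/lib.rs
src/map.rs
"""

# Constructed README body; relative link targets are resolved against the crate root.
SAMPLE_README = """\
# ordvec (constructed sample)
See [the design notes](docs/design.md), the [docs dir](docs/) and
[the license](LICENSE-MIT). External links such as
[docs.rs](https://docs.rs/ordvec) and anchors like [usage](#usage) are skipped.
"""

# Assumed policy values for the example; the project's own sets may differ.
REQUIRED_FILES = ("Cargo.toml", "README.md", "src/lib.rs")
FORBIDDEN_PREFIXES = ("target/", ".github/", "tests/")

_MARKDOWN_LINK = re.compile(r"\[[^\]]*\]\(([^)\s]+)\)")


def parse_package_list(text: str) -> list[str]:
    """Turn `cargo package --list` output into a list of packaged paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def missing_required_files(files: list[str], required=REQUIRED_FILES) -> list[str]:
    """Required paths that are absent from the package."""
    present = set(files)
    return [path for path in required if path not in present]


def forbidden_package_entries(files: list[str], prefixes=FORBIDDEN_PREFIXES) -> list[str]:
    """Packaged paths that fall under a prefix that must never ship in the .crate."""
    return [path for path in files if path.startswith(prefixes)]


def readme_relative_links(readme: str) -> list[str]:
    """Relative link targets in the README; URLs, mailto: and pure anchors are skipped."""
    targets = []
    for target in _MARKDOWN_LINK.findall(readme):
        if "://" in target or target.startswith(("#", "mailto:")):
            continue
        targets.append(target.split("#", 1)[0])  # drop an in-document fragment
    return targets


def unresolved_readme_links(readme: str, files: list[str], readme_path="README.md") -> list[str]:
    """Relative README links whose target is neither a packaged file nor a
    directory that contains at least one packaged file."""
    present = set(files)
    base = posixpath.dirname(readme_path)
    unresolved = []
    for target in readme_relative_links(readme):
        path = posixpath.normpath(posixpath.join(base, target))
        if path in present and not target.endswith("/"):
            continue
        # Directory link: `cargo package --list` only prints files, so accept the
        # link when any packaged file lives under the linked directory.
        if any(f.startswith(path + "/") for f in present):
            continue
        unresolved.append(target)
    return unresolved


def check_package_contents(package_list_text: str, readme: str) -> dict:
    """Run all three checks; every list empty means the package is release-ready."""
    files = parse_package_list(package_list_text)
    return {
        "missing": missing_required_files(files),
        "forbidden": forbidden_package_entries(files),
        "broken_links": unresolved_readme_links(readme, files),
    }


if __name__ == "__main__":
    print(check_package_contents(SAMPLE_PACKAGE_LIST, SAMPLE_README))
```

In a real gate, `package_list_text` comes from `subprocess.run(["cargo", "package", "-p", crate, "--list", "--locked"], capture_output=True, text=True)`, and a path that escapes the crate root (`../…`) is reported as unresolved rather than looked up on disk, which keeps the check confined to what the archive actually contains.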

@codecov

codecov Bot commented Jun 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.



@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces comprehensive validation checks for release and publish invariants, including verifying packaged files, checking for forbidden prefixes, validating README links, and ensuring proper sequencing of dry-run publish steps in CI workflows. The review feedback highlights opportunities to improve robustness and correctness: guarding against a potential AttributeError if exc.stderr is None during subprocess failures, handling directory links in the README verification since cargo package --list only returns files, and enhancing the shell command parser to robustly handle inline environment variables and chained commands.


@Fieldnote-Echo Fieldnote-Echo marked this pull request as ready for review June 4, 2026 14:41
@qodo-code-review

Review Summary by Qodo

Guard package readiness with content validation and dry-run checks

✨ Enhancement 🧪 Tests


Walkthroughs

Description
• Adds package content validation for ordvec and ordvec-manifest crates
• Validates README relative links resolve within packaged .crate files
• Adds manifest crate publish dry-run before OIDC credential minting
• Pins CI manifest-package deferral contract and ordering invariants
• Adds documentation URL metadata to root crate Cargo.toml
Diagram
flowchart LR
  A["Package Content Validation"] --> B["Required Files Check"]
  A --> C["Forbidden Prefixes Check"]
  A --> D["README Link Validation"]
  B --> E["ordvec & ordvec-manifest"]
  C --> E
  D --> E
  E --> F["CI Workflow Guards"]
  F --> G["Manifest Dry-Run Ordering"]
  G --> H["Before OIDC Minting"]
  I["Release Workflow"] --> J["Manifest Publish Dry-Run"]
  J --> K["After Byte-Identity"]
  J --> H



File Changes

1. tests/release_publish_invariants.py ✨ Enhancement +224/-9

Package content validation and dry-run ordering checks

• Adds cargo_package_files() function to extract packaged file lists
• Implements check_required_package_files() to validate required files exist
• Implements check_forbidden_package_prefixes() to reject unwanted paths
• Implements check_packaged_readme_links() to validate README link targets
• Adds check_package_contents() to validate both ordvec and ordvec-manifest packages
• Adds check_ci_package_guards() to verify CI workflow manifest deferral contract
• Refactors cargo_command_words() to return all matching commands instead of boolean
• Updates check_publish_crate_job() to track publish dry-run steps and enforce ordering
• Adds require_publish_dry_run parameter to mandate dry-run before OIDC minting
• Adds CI_WORKFLOW_PATH environment variable support

2. tests/release_signed_release_invariants.sh 🧪 Tests +10/-0

Manifest dry-run ordering and step validation

• Adds manifest pre-publish byte-identity verification step check
• Adds manifest publish dry-run step validation
• Adds manifest OIDC credential minting step check
• Uses order-insensitive awk pattern to verify dry-run command presence
• Validates dry-run executes after byte-identity verification
• Validates dry-run executes before OIDC credential minting

3. .github/workflows/release.yml ✨ Enhancement +2/-0

Add manifest publish dry-run validation step

• Adds "Validate manifest publish dry-run" step in publish-manifest-crate job
• Executes cargo publish -p ordvec-manifest --dry-run --locked before OIDC minting
• Positioned after byte-identity verification and before credential minting

4. Cargo.toml 📝 Documentation +1/-0

Add documentation URL metadata

• Adds documentation = "https://docs.rs/ordvec" metadata field to root crate


@qodo-code-review

qodo-code-review Bot commented Jun 4, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


@Fieldnote-Echo Fieldnote-Echo force-pushed the codex/release-compat-invariants branch from 484c510 to 1ba84d5 Compare June 4, 2026 15:52
@Fieldnote-Echo Fieldnote-Echo force-pushed the codex/package-readiness-invariants branch from 22705d4 to 305a6e6 Compare June 4, 2026 15:52
@Fieldnote-Echo Fieldnote-Echo force-pushed the codex/release-compat-invariants branch from f980406 to 39cf499 Compare June 4, 2026 16:45
Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
@Fieldnote-Echo Fieldnote-Echo force-pushed the codex/package-readiness-invariants branch from 305a6e6 to 8631e4e Compare June 4, 2026 16:46
Owner Author

Addressed the package-readiness parser/link review findings in 8631e4e.

What changed:

  • Guarded CalledProcessError.stderr before .strip() in package-content checks.
  • Allowed README links to packaged directories when any packaged file exists under the linked directory.
  • Hardened cargo command detection to handle shell separators (&&, ||, ;) and leading environment assignments before cargo.

Validation:

  • python3 -m py_compile tests/release_publish_invariants.py
  • bash tests/release_publish_invariants.sh
  • parser self-check for env-prefixed/separator-separated cargo commands
  • bash tests/release_signed_release_invariants.sh
  • cargo package -p ordvec --locked --allow-dirty
  • cargo check -p ordvec --locked
  • git diff --check
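The hardened command detection the comment above describes (shell separators `&&`, `||`, `;` and leading environment assignments before `cargo`), together with the order-insensitive dry-run check and the "after byte-identity, before OIDC minting" ordering invariant from the PR summary, can be shown in one small parser. This is an added example written for this page, not the project's `cargo_command_words()` or `check_publish_crate_job()`; the workflow steps, step names and the `./ci/mint-oidc-token.sh` helper are constructed placeholders, and the step-name substrings used to locate the byte-identity and OIDC steps are assumptions.

```python
import re
import shlex

# Constructed steps in the shape of GitHub Actions job steps. They are NOT the
# project's release.yml; the names and commands exist only to exercise the checks.
SAMPLE_STEPS = [
    {"name": "Verify manifest .crate byte-identity",
     "run": "cmp target/package/ordvec-manifest-0.0.0.crate /tmp/rebuilt.crate"},
    {"name": "Validate manifest publish dry-run",
     "run": "set -euo pipefail\n"
            "CARGO_TERM_COLOR=always cargo publish -p ordvec-manifest --dry-run --locked && echo ok"},
    {"name": "Mint crates.io OIDC credential",
     "run": "./ci/mint-oidc-token.sh  # hypothetical helper, placeholder only"},
]

SHELL_SEPARATORS = {"&&", "||", ";", ";;", "|", "&"}
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def shell_commands(script: str) -> list[list[str]]:
    """Split a shell script into simple commands, each a list of words.
    shlex handles quoting; punctuation_chars=True makes it emit &&, ||, ; and |
    as their own tokens instead of gluing them onto neighbouring words."""
    commands: list[list[str]] = []
    for line in script.splitlines():
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True  # keep --dry-run and a/b.crate as single tokens
        current: list[str] = []
        for token in lexer:
            if token in SHELL_SEPARATORS:
                if current:
                    commands.append(current)
                current = []
            else:
                current.append(token)
        if current:  # a newline also ends a command
            commands.append(current)
    return commands


def cargo_command_words(script: str) -> list[list[str]]:
    """Every cargo invocation in the script, with leading VAR=value assignments removed."""
    found = []
    for words in shell_commands(script):
        i = 0
        while i < len(words) and ENV_ASSIGNMENT.match(words[i]):
            i += 1
        if i < len(words) and words[i] == "cargo":
            found.append(words[i:])
    return found


def is_manifest_publish_dry_run(words: list[str]) -> bool:
    """Order-insensitive: `cargo publish` naming ordvec-manifest with --dry-run and --locked."""
    if words[:2] != ["cargo", "publish"]:
        return False
    opts = set(words[2:])
    names_pkg = "--package=ordvec-manifest" in opts or any(
        words[i] in ("-p", "--package") and words[i + 1] == "ordvec-manifest"
        for i in range(2, len(words) - 1)
    )
    return names_pkg and "--dry-run" in opts and "--locked" in opts


def step_index(steps: list[dict], name_fragment: str):
    """Index of the first step whose name contains the fragment (case-insensitive), else None."""
    return next((i for i, s in enumerate(steps)
                 if name_fragment.lower() in s.get("name", "").lower()), None)


def manifest_dry_run_index(steps: list[dict]):
    """Index of the first step whose script runs the manifest publish dry-run, else None."""
    return next((i for i, s in enumerate(steps)
                 if any(is_manifest_publish_dry_run(w) for w in cargo_command_words(s.get("run", "")))),
                None)


def check_step_ordering(steps: list[dict]) -> list[str]:
    """Invariant violations for the publish-manifest job; an empty list means it passes."""
    dry = manifest_dry_run_index(steps)
    verify = step_index(steps, "byte-identity")
    oidc = step_index(steps, "OIDC")
    problems = []
    if dry is None:
        return ["no manifest publish dry-run step"]
    if verify is None or dry < verify:
        problems.append("dry-run must run after byte-identity verification")
    if oidc is None or dry > oidc:
        problems.append("dry-run must run before OIDC credential minting")
    return problems


if __name__ == "__main__":
    print(check_step_ordering(SAMPLE_STEPS) or "ordering invariants hold")
```

Feeding the parser the `run:` text of each step (rather than grepping the YAML) is what makes the check survive `set -euo pipefail` preambles, inline `VAR=value` prefixes and `cargo … && …` chains; quoting is respected, so `echo "cargo publish"` is not mistaken for a publish.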
