Releases
We use date-based releases (YYYYMMDD-HHMMSS) created through a semi-automated pipeline:
- check-updates.yaml runs weekly to detect new Python/dependency versions and creates a PR
- pr-build.yaml validates the PR by building all Python versions
- A maintainer reviews and merges the PR
- A maintainer triggers release.yaml to publish the new release
Each release includes:
Verifying Downloads
Release artifacts include Sigstore build attestations proving they were built by this repo's GitHub Actions (not uploaded manually). Verify with:
Each release includes checksums.txt with SHA256 hashes:
```bash
curl -LO https://github.com/metaist/cosmo-python/releases/latest/download/checksums.txt
curl -LO https://github.com/metaist/cosmo-python/releases/latest/download/python-3.14.2-cosmo.com
sha256sum -c checksums.txt --ignore-missing
```
Release Manifest
The manifest is a CycloneDX 1.5 SBOM tracking all versions across releases.
Programmatic download:
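```bash
# Fetch the manifest for the latest release
curl -sL https://github.com/metaist/cosmo-python/releases/latest/download/manifest.cdx.json -o manifest.cdx.json
# Read the default Python version from the metadata properties
VERSION=$(jq -r '.metadata.properties[] | select(.name=="cosmo:default:python") | .value' manifest.cdx.json)
# Look up the matching component and download it (substitution quoted so the URL stays one argument)
curl -Lo python.com "$(jq -r --arg v "$VERSION" '.components[] | select(."bom-ref"=="cosmo-python@\($v)") | .externalReferences[0].url' manifest.cdx.json)"
chmod +x python.com
./python.com --version
```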
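An added example (not part of the project's own documentation or code): the same manifest lookup in Python, extended to check the downloaded bytes against `checksums.txt` and to fail closed when the component or checksum entry is missing. The manifest below is a constructed sample; the component-level `properties` array, the release tag value, the `example.invalid` URL and all helper names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample manifest (not real release data); the layout follows the
# jq queries and property names documented on this page.
MANIFEST = json.loads("""
{
  "metadata": {"properties": [
    {"name": "cosmo:default:python", "value": "3.14.2"}]},
  "components": [{
    "bom-ref": "cosmo-python@3.14.2",
    "externalReferences": [{"url": "https://example.invalid/python-3.14.2-cosmo.com"}],
    "properties": [
      {"name": "cosmo:attestation:repo", "value": "metaist/cosmo-python"},
      {"name": "cosmo:release", "value": "20250101-000000"}]}]
}
""")

def props(obj):
    """Flatten a CycloneDX properties array into a dict."""
    return {p["name"]: p["value"] for p in obj.get("properties", [])}

def resolve_default(manifest):
    """Return version, URL, release tag and attestation repo of the default build."""
    version = props(manifest["metadata"])["cosmo:default:python"]
    ref = f"cosmo-python@{version}"
    matches = [c for c in manifest["components"] if c.get("bom-ref") == ref]
    if len(matches) != 1:  # fail closed on a missing or ambiguous component
        raise LookupError(f"expected exactly one component {ref!r}")
    comp, p = matches[0], props(matches[0])
    return {"version": version, "url": comp["externalReferences"][0]["url"],
            "release": p["cosmo:release"], "repo": p["cosmo:attestation:repo"]}

def parse_checksums(text):
    """Parse sha256sum output ('<hex>  <name>' or '<hex> *<name>') into a dict."""
    table = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if len(digest) == 64 and name:
            table[name.lstrip(" *")] = digest.lower()
    return table

def verify_sha256(data, name, checksums):
    """True only if `name` is listed and its digest matches; unlisted files fail."""
    expected = checksums.get(name)
    actual = hashlib.sha256(data).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)
```

The `repo` value returned by `resolve_default` is the one the manifest documents for `gh attestation verify`; the checksum check only confirms the download matches `checksums.txt`.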
Manifest Properties Reference
Metadata properties
| Property | Description |
|---|---|
| `cosmo:default:python` | Default Python version (e.g., 3.14.2) |
| `cosmo:latest:python:3.x` | Latest patch for a minor version |
Component properties (cosmo-python binaries)
| Property | Description |
|---|---|
| `cosmo:attestation:repo` | GitHub repo for `gh attestation verify` |
| `cosmo:release` | Release tag this binary was built in |
Component properties (upstream sources)
| Property | Description |
|---|---|
| `cosmo:eol` | End of life date (YYYY-MM) |
| `cosmo:status` | Release status (bugfix, security) |
| `cosmo:gpg` | GPG fingerprint for verification |
| `cosmo:sigstore:identity` | Sigstore signer identity |
| `cosmo:sigstore:issuer` | Sigstore OIDC issuer |