Omnis HelixGenome IDE
← Docs
Helix CLI docs
Browse Helix CLI docs

Release Engineering and Build Provenance

Objective: every installer/zip we ship is reproducible, auditable, and bound to source via hashes, SBOMs, and attestations.

Build chain (source → artifact)

  1. Deterministic build inputs: pinned requirements*.txt / uv.lock, fixed pyinstaller spec, and reproducible plugin packages (sorted zip, fixed timestamps).
  2. Local + CI parity: tools/release_local.sh <artifact...> mirrors the GitHub Actions packaging steps to produce SHA256SUMS.txt, BUILD_META.txt, and SBOMs.
  3. SBOMs: generated with syft per artifact; attached to releases (SBOM-*.spdx.json).
  4. Build metadata: BUILD_META.txt captures tag, commit, Python, platform, and sha256 for each artifact.

Attestations and signatures

  • Hashes: SHA256 for every installer/zip; published in SHA256SUMS.txt and verified in Release Verification.
  • Signatures: detached GPG signatures for SHA256SUMS.txt, BUILD_META.txt, release-provenance.intoto.json, and SBOMs when signing keys are available (CI and local script support GPG_PRIVATE_KEY + GPG_PASSPHRASE + GPG_PUBLIC_KEY_FINGERPRINT).
  • Provenance: release-provenance.intoto.json binds source commit → builder → artifacts, and release-signing-public-key.asc plus release-signing-key-fingerprint.txt let offline verifiers pin the signing identity.

Installers and package signing

  • PyInstaller zips (Linux/Windows/macOS) are signed via the hash/signature chain above; plugin packages remain signed with Ed25519 (SIGNATURE.ed25519).
  • Optional: OS-level signing can be applied in CI (Windows Authenticode; macOS codesign/notarization) when secrets are configured; the resulting bytes are captured by SHA256SUMS.txt.
  • OMNIS_HELIX_PLUGIN_REQUIRE_SIGNED=1 is recommended in packaged Studio builds so user-installed plugins honor the trust store.

Verified install flow (offline-friendly)

  1. Download artifacts + SHA256SUMS.txt.asc, BUILD_META.txt.asc, release-provenance.intoto.json, release-provenance.intoto.json.asc, release-signing-public-key.asc, and release-signing-key-fingerprint.txt from the release.
  2. gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt (if signature present).
  3. sha256sum -c SHA256SUMS.txt.
  4. Verify signatures and provenance with tools/verify_release_signatures.py and tools/verify_release_provenance.py (see Release Verification).
  5. Run canonical conformance pack: ./tools/conformance.sh using the installed binaries (headless flags allowed).

Patch and release cadence

  • Weekly patch train; emergency security releases as needed (see SECURITY.md).
  • Every release tag must publish: artifacts, SHA256SUMS (+asc), BUILD_META (+asc), provenance statement (+asc), SBOMs (+asc), signing key export, and conformance results (log or artifact hash).

Supply-chain coverage

  • Dependencies pulled from locked hashes; wheels validated during build where upstream publishes hashes.
  • Registries/indexes consumed over HTTPS; installers can be mirrored offline via tools/release_local.sh to regenerate provenance locally.