
Release Engineering and Build Provenance

Objective: every installer/zip we ship is reproducible, auditable, and bound to source via hashes, SBOMs, and attestations.

Build chain (source → artifact)

  1. Deterministic build inputs: pinned requirements*.txt / uv.lock, fixed pyinstaller spec, and reproducible plugin packages (sorted zip, fixed timestamps).
  2. Local + CI parity: tools/release_local.sh <artifact...> mirrors the GitHub Actions packaging steps to produce SHA256SUMS.txt, BUILD_META.txt, and SBOMs.
  3. SBOMs: generated with syft per artifact; attached to releases (SBOM-*.spdx.json).
  4. Build metadata: BUILD_META.txt captures tag, commit, Python, platform, and sha256 for each artifact.

Attestations and signatures

  • Hashes: SHA256 for every installer/zip; published in SHA256SUMS.txt and verified in docs/RELEASE_VERIFY.md.
  • Signatures: detached GPG signatures for SHA256SUMS.txt, BUILD_META.txt, and SBOMs when signing keys are available (CI and local script support GPG_PRIVATE_KEY + GPG_PASSPHRASE).
  • Planned: SLSA-style provenance statement binding source commit → builder → artifacts; emitted alongside the hashes once the builder metadata pipeline is wired.

Installers and package signing

  • PyInstaller zips (Linux/Windows) and macOS dmg are signed via the hash/signature chain above; plugin packages remain signed with Ed25519 (SIGNATURE.ed25519).
  • HELIX_STUDIO_PLUGIN_REQUIRE_SIGNED=1 is recommended in packaged Studio builds so user-installed plugins honor the trust store.

Verified install flow (offline-friendly)

  1. Download artifacts + SHA256SUMS.txt[.sig] from the release.
  2. gpg --verify SHA256SUMS.txt.sig SHA256SUMS.txt (if signature present).
  3. sha256sum -c SHA256SUMS.txt.
  4. Verify SBOM matches your local scan (see docs/RELEASE_VERIFY.md).
  5. Run canonical conformance pack: ./tools/conformance.sh using the installed binaries (headless flags allowed).
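As an added example (not part of the Helix CLI docs or its tooling), the shell function below runs steps 1 to 3 of the flow above against a directory of downloaded release files: it verifies the detached signature when one is shipped, then checks only the artifacts that were actually downloaded against SHA256SUMS.txt. It assumes the release signing key is already imported into your GPG keyring; the directory path and the artifact names used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the project's own script. Verifies a download directory
# holding release artifacts plus SHA256SUMS.txt and optionally SHA256SUMS.txt.sig.
set -u

# Portable checker: GNU coreutils sha256sum, or shasum on macOS.
sha256_check() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1"
  else shasum -a 256 -c "$1"; fi
}

# verify_release <dir>: returns 0 when every downloaded artifact matches
# SHA256SUMS.txt (and the signature on it verifies when present), else non-zero.
verify_release() {
  dir=$1
  [ -f "$dir/SHA256SUMS.txt" ] || { echo "missing SHA256SUMS.txt" >&2; return 1; }

  # Step 2: detached GPG signature check, only when the release ships one.
  if [ -f "$dir/SHA256SUMS.txt.sig" ]; then
    command -v gpg >/dev/null 2>&1 \
      || { echo "signature present but gpg is not installed" >&2; return 1; }
    gpg --verify "$dir/SHA256SUMS.txt.sig" "$dir/SHA256SUMS.txt" >/dev/null 2>&1 \
      || { echo "GPG signature on SHA256SUMS.txt does not verify" >&2; return 1; }
  fi

  # Step 3: keep only the checksum lines for files that are present, so a
  # partial download still verifies; an empty selection counts as failure
  # because nothing would have been checked.
  subset=$(mktemp)
  while IFS= read -r line; do
    name=${line#* }; name=${name# }; name=${name#\*}   # "<hash>  <name>" -> <name>
    [ -f "$dir/$name" ] && printf '%s\n' "$line" >>"$subset"
  done <"$dir/SHA256SUMS.txt"
  if [ ! -s "$subset" ]; then
    rm -f "$subset"; echo "no listed artifact present in $dir" >&2; return 1
  fi
  if ( cd "$dir" && sha256_check "$subset" >/dev/null ); then status=0; else status=1; fi
  rm -f "$subset"
  [ "$status" -eq 0 ] || echo "checksum mismatch in $dir" >&2
  return "$status"
}
```

Steps 4 and 5 (SBOM comparison per docs/RELEASE_VERIFY.md and ./tools/conformance.sh) still run separately after this function returns 0.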

Patch and release cadence

  • Weekly patch train; emergency security releases as needed (see SECURITY.md).
  • Every release tag must publish: artifacts, SHA256SUMS (+sig), SBOMs, BUILD_META, and conformance results (log or artifact hash).

Supply-chain coverage

  • Dependencies pulled from locked hashes; wheels validated during build where upstream publishes hashes.
  • Registries/indexes consumed over HTTPS; installers can be mirrored offline via tools/release_local.sh to regenerate provenance locally.