Release And Growth Checklist
Use this checklist before publishing a ca9 release or promoting a new docs update.
Pre-release
pytest -q
python -m ruff check src tests scripts
python -m ruff format --check src tests scripts
python -m mkdocs build --strict -d /tmp/ca9-mkdocs-site
Check package metadata:
Automated release
The release workflow is manual by design: a maintainer chooses the SemVer version, then GitHub Actions handles the version bump, verification, tag, GitHub release, and PyPI publish.
One-time PyPI setup:
- Configure PyPI Trusted Publisher for `duriantaco/ca9`.
- Use workflow name `release.yml`.
- Use environment `pypi`.
Before running the workflow:
- Add a `CHANGELOG.md` section for the target version, such as `## [0.2.0] - 2026-04-26`.
- Commit and push the release candidate changes to `main`.
- Confirm there is no existing `vX.Y.Z` tag for the target version.
Run the release:
The workflow validates SemVer, writes the version into pyproject.toml, ca9.__version__, and docs structured data, runs tests/lint/docs build, builds the package, commits the version bump, tags vX.Y.Z, creates the GitHub release, and publishes to PyPI.
Metadata
- Confirm `pyproject.toml` version and `ca9.__version__` match.
- Confirm PyPI project URLs point to docs, source, issues, and changelog.
- Confirm README examples match the current CLI.
- Confirm SARIF and OpenVEX output use the current tool version.
SEO
- Confirm `site_url` and canonical repository links are correct in `mkdocs.yml`.
- Confirm the homepage title and description include "Python CVE reachability analysis" naturally.
- Confirm integration pages exist for Snyk, Dependabot, Trivy, pip-audit, OSV, SARIF, OpenVEX, SBOM, MCP, and CI/CD.
- Build docs and submit the generated sitemap in Google Search Console after deployment.
GitHub
Add or verify repository topics:
- cve
- sca
- reachability-analysis
- openvex
- sarif
- python-security
- osv
Artifacts
For a release candidate, generate representative artifacts: