Release And Growth Checklist¶
Use this checklist before publishing a ca9 release or promoting a new docs update.
Pre-release¶
pytest -q
python -m ruff check src tests scripts
python -m ruff format --check src tests scripts
python -m mkdocs build --strict -d /tmp/ca9-mkdocs-site
Check package metadata:
Automated release¶
ca9 uses Release Please for automatic versioning. Contributors merge PRs with semantic titles, and Release Please opens or updates the release PR from commits on main.
One-time setup:
- Configure PyPI Trusted Publisher for
duriantaco/ca9. - Use workflow file
release.yml. - Use environment
pypi. - Prefer a
RELEASE_PLEASE_TOKENsecret so release PRs can satisfy required checks; the workflow falls back toGITHUB_TOKEN.
PR title format:
Examples:
feat(inventory): add npm package-lock reader
fix(scanner): preserve npm package names
docs(release): document automated publishing
Release flow:
- Pushes to
mainrun.github/workflows/release.yml. - Release Please updates
CHANGELOG.md,pyproject.toml,src/ca9/__init__.py, docs structured metadata, and the release manifest. - A maintainer reviews and merges the Release Please PR.
- Release Please creates the
vX.Y.Ztag and GitHub release. - The publish job checks tag provenance and version consistency, runs tests/lint/docs build, builds the package, and publishes to PyPI.
- If publish needs a safe retry after a GitHub release exists, manually dispatch
release.ymlwithref=vX.Y.Z.
Baseline:
- The release manifest starts from the existing
v0.3.1GitHub release to avoid duplicate tag creation. - Future versions are derived from semantic commit history after the bootstrap SHA.
Metadata¶
- Confirm
pyproject.tomlversion andca9.__version__match. - Confirm PyPI project URLs point to docs, source, issues, and changelog.
- Confirm README examples match the current CLI.
- Confirm SARIF and OpenVEX output use the current tool version.
SEO¶
- Confirm
site_urland canonical repository links are correct inmkdocs.yml. - Confirm the homepage title and description include "Python CVE reachability analysis" naturally.
- Confirm integration pages exist for Snyk, Dependabot, Trivy, pip-audit, OSV, SARIF, OpenVEX, SBOM, MCP, and CI/CD.
- Build docs and submit the generated sitemap in Google Search Console after deployment.
GitHub¶
Add or verify repository topics:
cvescareachability-analysisopenvexsarifpython-securityosv
Artifacts¶
For a release candidate, generate representative artifacts: