Release candidate qualification
This path proves repository and package readiness before a release tag exists and without publishing anything.
The workflow is .github/workflows/release-candidate.yml.
What it proves
The workflow:
- resolves the package version and checked-out source SHA;
- validates the synthetic candidate tag v<project.version> against release metadata and the changelog;
- runs the coverage and strict documentation gates;
- builds the wheel and source distribution exactly once;
- validates package metadata and wheel contents;
- installs and exercises that exact wheel on Python 3.10, 3.11, and 3.12;
- emits candidate, distribution-manifest, per-Python qualification, and final-verdict artifacts.
What it cannot do
The workflow has read-only repository permissions. It does not request an OIDC token and does not:
- create or move a tag;
- publish to PyPI or TestPyPI;
- create a GitHub Release;
- attest a public release;
- mark external publishing settings as verified;
- authorize publication.
Every candidate status and verdict artifact contains:
external_settings_verified=false
publish_authorized=false
publication_attempted=false
tag_created=false
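The two checks above (the synthetic tag against release metadata and the changelog, and the four publication flags that every candidate and verdict artifact carries) can be replayed offline against a downloaded artifact. The following is an added example, not code from the project or its workflow; it assumes the verdict artifact is a plain key=value file that also carries a candidate_tag key, and that the changelog uses "## v1.1.0" or "## 1.1.0" headings. Both of those layouts are assumptions, and the sample artifact and changelog are constructed inline.

```python
"""Offline consistency check of a release-candidate verdict artifact (added example).

Assumptions, not documented project format:
  - the artifact is key=value per line; blank lines and '#' comments are ignored;
  - the artifact carries a candidate_tag key holding the synthetic v<version> tag;
  - the changelog has a heading of the form '## v1.1.0' or '## 1.1.0'.
"""
import re

# The four flags the page says every candidate status and verdict artifact contains.
MUST_BE_FALSE = (
    "external_settings_verified",
    "publish_authorized",
    "publication_attempted",
    "tag_created",
)


def parse_verdict(text: str) -> dict[str, str]:
    """Parse key=value lines into a dict; reject lines without '='."""
    result: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed verdict line: {raw!r}")
        key, value = line.split("=", 1)
        result[key.strip()] = value.strip()
    return result


def candidate_tag(version: str) -> str:
    """Synthetic tag form the workflow validates: v<project.version>."""
    return f"v{version}"


def changelog_mentions(changelog: str, version: str) -> bool:
    """True if the changelog has a heading for exactly this version (assumed heading form)."""
    pattern = re.compile(rf"^##\s+v?{re.escape(version)}\b", re.MULTILINE)
    return pattern.search(changelog) is not None


def qualify(verdict: dict[str, str], version: str, changelog: str) -> list[str]:
    """Return the list of problems found; an empty list means the evidence is consistent."""
    problems: list[str] = []
    # Publication boundary: a qualification run must never claim any of these happened.
    for key in MUST_BE_FALSE:
        value = verdict.get(key)
        if value is None:
            problems.append(f"missing {key}")
        elif value != "false":
            problems.append(f"{key}={value}, expected false")
    # Tag consistency: the recorded synthetic tag must match the resolved package version.
    expected = candidate_tag(version)
    if verdict.get("candidate_tag") != expected:
        problems.append(f"candidate_tag={verdict.get('candidate_tag')!r}, expected {expected!r}")
    # Changelog consistency: the version being qualified needs an entry.
    if not changelog_mentions(changelog, version):
        problems.append(f"changelog has no entry for {version}")
    return problems


# Constructed sample inputs, not real workflow artifacts.
CONSTRUCTED_VERDICT = """\
# constructed sample verdict artifact
candidate_tag=v1.1.0
python_versions=3.10,3.11,3.12
external_settings_verified=false
publish_authorized=false
publication_attempted=false
tag_created=false
"""

CONSTRUCTED_CHANGELOG = """\
# Changelog

## v1.1.0
- constructed entry

## v1.0.0
- constructed entry
"""


def demo() -> list[str]:
    """Run the check on the constructed sample; returns [] when consistent."""
    return qualify(parse_verdict(CONSTRUCTED_VERDICT), "1.1.0", CONSTRUCTED_CHANGELOG)


if __name__ == "__main__":
    print(demo() or "candidate evidence consistent")
```

The check deliberately treats a missing flag the same as a wrong one: an artifact that omits publish_authorized is not evidence that publication was withheld, so it fails rather than passing by default.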
Run it
It runs automatically when relevant release surfaces change in a pull request and again when those changes reach main. A maintainer may also run Release Candidate Qualification manually from GitHub Actions.
Expected artifact names:
release-candidate-distributions
release-candidate-qualification-py3.10
release-candidate-qualification-py3.11
release-candidate-qualification-py3.12
release-candidate-verdict
Promotion boundary
A green qualification run is repository evidence, not publication proof. Before creating v1.1.0, a maintainer must independently verify:
- the protected GitHub environment is named pypi and has the intended reviewers and deployment rules;
- the PyPI Trusted Publisher is bound to owner sherif69-sa, repository DevS69-sdetkit, workflow release.yml, and environment pypi.
Only the tagged .github/workflows/release.yml path may request publishing authority. Public release completion still requires Trusted Publishing, attestations, public-index digest/install verification, and creation of the GitHub Release after PyPI verification.