
[codex] Add manifest crate release OIDC path#173

Merged
project-navi-bot merged 3 commits into main from codex/manifest-release-oidc on Jun 9, 2026

Conversation

@Fieldnote-Echo

Owner

Summary

This extends the unified release workflow so ordvec-manifest is a first-class lockstep crates.io package alongside the core ordvec crate.

  • adds a separate build-manifest-crate artifact/SBOM job
  • includes the manifest .crate in GitHub attestation, SLSA hash subjects, and draft Release assets
  • adds a separate publish-manifest-crate job that runs after publish-crate, mints its own crates.io OIDC token, and proves pre/post publish byte identity
  • updates release invariants so CI fails if the manifest crate is omitted from release assets, attestation/SLSA paths, or crates.io byte-identity coverage
  • updates release docs, README, and threat-model wording for the lockstep manifest crate release model

Notes

This is stacked on #168 (codex/manifest-publishability-dryrun). The manifest build artifact uses cargo package -p ordvec-manifest --locked --no-verify before publish because a bumped lockstep manifest crate depends on a core ordvec version that is not on crates.io until publish-crate succeeds. The gated publish-manifest-crate job then runs the normal verified package step after ordvec has published and byte-compares it to the attested artifact before minting its own OIDC token.

Validation

  • bash tests/release_publish_invariants.sh
  • bash tests/release_signed_release_invariants.sh
  • /tmp/ordvec-actionlint/actionlint .github/workflows/release.yml .github/workflows/ci.yml
  • cargo publish -p ordvec --dry-run --locked
  • cargo package -p ordvec-manifest --locked --no-verify
  • cargo publish -p ordvec-manifest --dry-run --locked
  • cargo test -p ordvec-manifest --no-default-features
  • cargo test -p ordvec-manifest
  • cargo test -p ordvec-manifest --features sqlite
  • cargo test -p ordvec-manifest --all-features
  • cargo check -p ordvec-manifest --no-default-features
  • cargo fmt --all --check
  • git diff --check

Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
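The pre/post-publish byte-identity gate the description above relies on, written out as an added example. This is not the project's release.yml or test code; it is an independent illustration of the check, and the sha256sum-style subjects format (`<hex>  <name>`), the directory names, the crate version and the payload bytes are all assumptions constructed for the demo. The gate re-hashes the downloaded artifact against its attested subject digest, compares the freshly re-packaged crate with it byte for byte, and only then reports that the job may go on to mint its publish token.

```python
"""Byte-identity gate before a crates.io publish (added example, not project code).

Models the check the PR describes: the publish job re-packages the crate once its
dependency is on crates.io, then compares the result byte-for-byte with the artifact
that was attested and listed as a SLSA subject. Only a match lets the job proceed to
mint its publish token. The subjects format (sha256sum-style "<hex>  <name>" lines),
the paths and the payload bytes below are assumptions for this demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str) -> str:
    """Streamed SHA-256 of a file, hex-encoded."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_subjects(text: str) -> Dict[str, str]:
    """Parse '<64-hex>  <name>' lines; reject malformed or duplicate entries."""
    subjects: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not name or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed subject line: {line!r}")
        if name in subjects:
            raise ValueError(f"duplicate subject: {name}")
        subjects[name] = digest
    return subjects


def byte_identical(a: str, b: str) -> bool:
    """Cheap size check first, then full digest comparison."""
    if os.path.getsize(a) != os.path.getsize(b):
        return False
    return sha256_file(a) == sha256_file(b)


def publish_gate(attested: str, republished: str, subjects_text: str, name: str) -> Tuple[bool, str]:
    """Decide whether the publish step may proceed. Returns (ok, reason)."""
    subjects = parse_subjects(subjects_text)
    if name not in subjects:
        return False, f"{name} is not among the attested subjects"
    if sha256_file(attested) != subjects[name]:
        return False, "downloaded artifact does not match its attested digest"
    if not byte_identical(attested, republished):
        return False, "re-packaged crate differs from the attested artifact; refusing to publish"
    return True, "byte identity proven; publish token may be minted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: identical, tampered and missing-subject cases."""
    results: Dict[str, Tuple[bool, str]] = {}
    with tempfile.TemporaryDirectory() as d:
        name = "ordvec-manifest-0.1.0.crate"  # hypothetical version number
        attested = os.path.join(d, "dist-manifest-crate", name)
        republished = os.path.join(d, "target", "package", name)
        tampered = os.path.join(d, "tampered", name)
        payload = b"constructed stand-in for .crate bytes, not a real tarball\n"
        for path, data in ((attested, payload), (republished, payload), (tampered, payload + b"\x00")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        subjects = f"{sha256_file(attested)}  {name}\n"
        results["identical"] = publish_gate(attested, republished, subjects, name)
        results["tampered"] = publish_gate(attested, tampered, subjects, name)
        results["missing"] = publish_gate(attested, republished, "", name)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'PASS' if ok else 'BLOCK'} - {reason}")
```

The ordering matters: the artifact is checked against its attested digest before the comparison, so a swapped-in download cannot be "proven identical" to an equally swapped re-package, and the token is never requested when any step fails.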
@Fieldnote-Echo force-pushed the codex/manifest-release-oidc branch from 9c2033c to 066a81f on June 4, 2026 03:43

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the release pipeline documentation and invariant tests to support the lockstep publishing of the new ordvec-manifest crate alongside the core ordvec crate. Feedback on the changes suggests improving the robustness of the invariant tests: specifically, updating the awk step-parsing logic in release_signed_release_invariants.sh to reset context on any list item start, and using regular expressions with flexible whitespace matching instead of exact substring matches in release_publish_invariants.py.

@codecov

codecov Bot commented Jun 4, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


Signed-off-by: Nelson Spence <nelson@projectnavi.ai>

Owner Author

Addressed the two invariant robustness findings in 6919037.

Changes:

  • tests/release_signed_release_invariants.sh: job_downloads_artifact_to_path now resets on any step list item and requires actions/download-artifact, matching artifact name, and matching path in the same step.
  • tests/release_publish_invariants.py: cargo package/publish detection now parses executable shell command lines, handles line continuations and -p/--package, and avoids matching comments or echo text.

Validation:

  • bash tests/release_signed_release_invariants.sh
  • bash tests/release_publish_invariants.sh
  • python3 -m py_compile tests/release_publish_invariants.py
  • /tmp/ordvec-actionlint/actionlint .github/workflows/release.yml .github/workflows/ci.yml
  • git diff --check

Owner Author

/agentic_review

@qodo-code-review

qodo-code-review Bot commented Jun 4, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


Previous review results

Review updated until commit 6919037


@Fieldnote-Echo Fieldnote-Echo marked this pull request as ready for review June 4, 2026 14:40
@qodo-code-review


Review Summary by Qodo

Add manifest crate release OIDC path with byte-identity verification

✨ Enhancement


Walkthroughs

Description
• Add manifest crate release OIDC path with separate build-manifest-crate and publish-manifest-crate jobs
• Harden release invariant parsing with shell_logical_lines() and has_cargo_command() helpers
• Include manifest .crate in GitHub attestation, SLSA subjects, and draft Release assets
• Ensure manifest crate publishes after core ordvec with byte-identity verification
• Update release docs and threat model for lockstep manifest crate release model
Diagram

```mermaid
flowchart LR
  build["build-crate + build-manifest-crate"]
  attest["attest + combine-hashes"]
  draft["release-assets-draft"]
  pub_core["publish-crate"]
  pub_manifest["publish-manifest-crate"]
  pub_pypi["publish-pypi"]
  undraft["publish-github-release"]

  build --> attest
  build --> draft
  attest --> draft
  draft --> pub_core
  draft --> pub_manifest
  draft --> pub_pypi
  pub_core --> pub_manifest
  pub_core --> undraft
  pub_manifest --> undraft
  pub_pypi --> undraft
```


File Changes

1. tests/release_publish_invariants.py ✨ Enhancement +103/-29

Refactor publish invariant checks for dual crate jobs

• Extract shell logical line parsing into shell_logical_lines() to handle multi-line continuations
• Add has_cargo_package_arg() to detect -p/--package arguments in cargo commands
• Add has_cargo_command() to verify specific cargo subcommands with package and --locked flags
• Refactor check_publish_crate() into parameterized check_publish_crate_job() to validate both publish-crate and publish-manifest-crate jobs
• Add check_publish_crates() wrapper to validate both crate publish jobs and their dependency ordering


2. tests/release_publish_invariants.sh ✨ Enhancement +2/-2

Add manifest crate SBOM to gitignore checks

• Add ordvec-manifest/ordvec-manifest.cdx.json to gitignore verification for generated SBOMs
• Update comment to reflect multiple generated SBOMs instead of just two



3. tests/release_signed_release_invariants.sh ✨ Enhancement +82/-35

Add manifest crate to signed-release invariants

• Add build-manifest-crate to release pipeline diagram and job dependency checks
• Add job_downloads_artifact_to_path() helper function to verify artifact downloads to specific paths
• Verify attest and combine-hashes jobs download dist-manifest-crate artifact
• Verify build-manifest-crate uses cargo package --no-verify before core crate publishes
• Add check_crate_publish_job() helper to validate both publish-crate and publish-manifest-crate byte-identity checks
• Verify publish-manifest-crate needs publish-crate for lockstep ordering
• Update comments to reflect three registry publish jobs instead of two


4. .github/workflows/ci.yml ✨ Enhancement +12/-8

Update CI for manifest crate pre-publish packaging

• Update comment to clarify manifest crate uses cargo package --no-verify instead of --dry-run
• Change manifest crate CI step from cargo publish --dry-run to `cargo package --no-verify --locked`
• Update release-guard job comments to reflect dual Rust crate byte-identity verification


5. .github/workflows/release.yml ✨ Enhancement +181/-37

Add manifest crate build and publish jobs

• Add new build-manifest-crate job that packages manifest crate with --no-verify and generates SBOM
• Update attest and combine-hashes jobs to depend on and download build-manifest-crate artifact
• Add new publish-manifest-crate job that runs after publish-crate with byte-identity verification
• Update publish-github-release to depend on publish-manifest-crate in addition to publish-crate
• Update workflow comments and descriptions to reflect dual Rust crate release model


6. README.md 📝 Documentation +2/-2

Update manifest crate release documentation

• Update manifest verifier description to clarify lockstep versioning and separate package gate



7. RELEASING.md 📝 Documentation +64/-46

Document manifest crate release process

• Update release process to include ordvec-manifest as a lockstep published crate
• Add ordvec-manifest Trusted Publisher configuration instructions for crates.io
• Clarify that three registry publish jobs require approval (two crates.io, one PyPI)
• Explain manifest crate --no-verify packaging and post-publish byte-identity verification
• Update verification steps to check both ordvec and ordvec-manifest on crates.io



8. THREAT_MODEL.md 📝 Documentation +14/-11

Update threat model for dual crate publishing

• Update threat model to reflect two crates.io publish jobs with ordered execution
• Clarify that each Rust publish job proves pre- and post-publish byte identity
• Update residual risk discussion to reference "all publishes" instead of "both publishes"
• Revise future work section to focus on deployment-specific manifest trust policies




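The owner's follow-up comment and the Qodo file summary above both describe hardening tests/release_publish_invariants.py so that cargo package/publish detection parses executable shell command lines, follows line continuations, accepts -p/--package, and ignores comments and echoed text. The block below is an added, independent illustration of that parsing approach; it is not the project's test code, and the function bodies, the `--locked` default, the environment-assignment handling and the constructed RUN_SCRIPT sample are assumptions. It joins backslash continuations into logical lines, tokenizes with shlex so quoted text stays one argument, splits on shell operators, and reports whether a `cargo <subcommand>` for the given package carries every required flag.

```python
"""Detect cargo package/publish invocations in a workflow run: script.

Added example, not the project's tests/release_publish_invariants.py; the helpers
are an independent reimplementation of the approach the PR describes, and
RUN_SCRIPT is a constructed sample rather than the real workflow step.
"""
import shlex
from typing import List, Optional

# Shell control operators that separate simple commands on one logical line.
_SEPARATORS = {"&&", "||", ";", "|"}


def shell_logical_lines(script: str) -> List[str]:
    """Join backslash-newline continuations and drop blank or comment-only lines."""
    lines: List[str] = []
    buf = ""
    for raw in script.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "  # continuation: keep accumulating
            continue
        buf += stripped
        if buf.strip() and not buf.lstrip().startswith("#"):
            lines.append(buf.strip())
        buf = ""
    if buf.strip() and not buf.lstrip().startswith("#"):
        lines.append(buf.strip())
    return lines


def simple_commands(logical_line: str) -> List[List[str]]:
    """Tokenize one logical line and split it on &&, ||, ; and |.

    shlex respects quoting, so `echo "cargo publish ..."` yields a single quoted
    argument rather than a cargo command; comments=True discards trailing `# ...`.
    """
    try:
        tokens = shlex.split(logical_line, comments=True)
    except ValueError:  # unbalanced quotes: nothing executable to report
        return []
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in tokens:
        if tok in _SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def cargo_package_arg(args: List[str]) -> Optional[str]:
    """Return the package named by -p NAME, -pNAME, --package NAME or --package=NAME."""
    for i, arg in enumerate(args):
        if arg in ("-p", "--package"):
            return args[i + 1] if i + 1 < len(args) else None
        if arg.startswith("--package="):
            return arg.split("=", 1)[1]
        if arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            return arg[2:]
    return None


def has_cargo_command(script: str, subcommand: str, package: str,
                      required_flags=("--locked",)) -> bool:
    """True if some executable command is `cargo <subcommand>` for <package>
    and carries every flag in required_flags (default: --locked)."""
    for line in shell_logical_lines(script):
        for cmd in simple_commands(line):
            # Skip leading VAR=value environment assignments before the program name.
            while cmd and "=" in cmd[0] and not cmd[0].startswith("-"):
                cmd = cmd[1:]
            if len(cmd) < 2 or cmd[0] != "cargo" or cmd[1] != subcommand:
                continue
            args = cmd[2:]
            if cargo_package_arg(args) != package:
                continue
            if all(flag in args for flag in required_flags):
                return True
    return False


# Constructed sample in the shape of a workflow `run:` block (not the real one).
RUN_SCRIPT = """\
set -euo pipefail
# cargo publish -p ordvec --locked        <- comment, must not count
echo "cargo publish -p ordvec-manifest --locked"   # echoed text, must not count
cargo package -p ordvec-manifest \\
  --locked --no-verify
CARGO_TERM_COLOR=always cargo publish --package=ordvec \\
  --locked && echo "core crate published"
"""

if __name__ == "__main__":
    print(has_cargo_command(RUN_SCRIPT, "package", "ordvec-manifest", ("--locked", "--no-verify")))
    print(has_cargo_command(RUN_SCRIPT, "publish", "ordvec"))
    print(has_cargo_command(RUN_SCRIPT, "publish", "ordvec-manifest"))
```

A plain substring match would have accepted both the comment and the echo line in the sample; requiring the first token of an executable simple command to be `cargo` is what makes the invariant meaningful.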

@qodo-code-review

qodo-code-review Bot commented Jun 4, 2026


Code review by qodo was updated up to the latest commit 6919037

Base automatically changed from codex/manifest-publishability-dryrun to main June 9, 2026 15:32
…e-oidc

# Conflicts:
#	tests/release_publish_invariants.py
@project-navi-bot project-navi-bot merged commit 34a7983 into main Jun 9, 2026
30 checks passed
@project-navi-bot project-navi-bot deleted the codex/manifest-release-oidc branch June 9, 2026 15:41