Skip to content

RB-038 - Build and verify HybridOps.Core release bundles

  • Purpose: Build the public HybridOps.Core release bundle and verify it against an isolated runtime before cutting a release. Owner: Platform engineering

  • Trigger: Release candidate build, pre-tag validation, or source-to-runtime drift check.

  • Impact: If skipped, a tag may publish an artifact that does not install cleanly or that behaves differently from the source tree.

  • Severity: P2 Pre-reqs: python3, pip, tar, and a current hybridops-core checkout.

  • Rollback strategy: Remove the generated bundle under dist/releases/.

Context

HybridOps.Core is released as a bundle, not just as a Python wheel.

The release artifact must carry the runtime payload as shipped:

  • hyops/
  • modules/
  • packs/
  • blueprints/
  • tools/
  • install.sh

The supported release chain is:

  1. build the bundle from hybridops-core
  2. verify the bundle through pkg/verify_release.sh
  3. publish the exact verified artifact

GitHub Actions now runs the reusable HybridOps.Core Quality workflow before bundle build and publication. The blocking checks are Python compile/import integrity, Ansible syntax, and Terraform fmt/validate/tflint. Repo-wide ansible-lint is present as an advisory job until the remaining legacy role debt is removed.

Steps

1) Build the release bundle from source

From the hybridops-core repository root:

./pkg/build_release.sh

To build with an explicit label:

HYOPS_RELEASE_LABEL=0.1.0 ./pkg/build_release.sh

Expected result: dist/releases/ contains:

  • hybridops-core-<label>.tar.gz
  • hybridops-core-<label>.tar.gz.sha256

If the build host has a tight temporary filesystem, the builder emits a warning before it starts staging the release payload. Use TMPDIR to redirect staging to a larger filesystem when needed.

2) Verify the bundle through an isolated install

From the same hybridops-core checkout:

./pkg/verify_release.sh \
  dist/releases/hybridops-core-<label>.tar.gz

This verification checks:

  • the bundle extracts cleanly
  • the shipped checksum manifest matches the extracted payload
  • install.sh installs into an isolated runtime root
  • installed hyops runs without relying on the source checkout
  • the installed payload matches the shipped checksum manifest

Expected result: verifier exits successfully and prints the isolated runtime root.

Verification

The release bundle is ready for tag or publication when all of the following are true:

  • pkg/build_release.sh produced the expected tarball and checksum.
  • pkg/verify_release.sh succeeded.
  • the exact verified tarball is the one being published.

References