Release Checklist¶

Use this checklist before and after cutting a release from main.

Before Tagging¶

Confirm main branch protection matches the Rust-native required checks.
```
make verify-branch-protection
```
Run the local merge-equivalent gates.
```
make verify-assurance
make ci
```
Exercise the checked-in release packaging path.
```
make smoke-release
make release-emulate
```
Confirm the docs/download surface still builds and link-checks cleanly.
```
make docs-check
```

Confirm the security assurance report can be generated for the candidate.

python3 scripts/security_assurance_gate.py \
  --json-out dist/security-assurance-report.json \
  --markdown-out dist/security-assurance-report.md

If you are validating an already-published tag, verify the public release surface directly.
```
make verify-published-release TAG=paranoid-passwd-v3.5.2
```

Verify that the release workflow produced every expected CLI and GUI artifact plus checksums.txt, including Linux .deb packages and the macOS GUI .dmg images.
Verify that payload-layout validation passed for every archive, .dmg, and Debian package, not just the host-runnable smoke artifacts.
Verify there are no stale browser-era or otherwise unexpected assets attached to the release.
Verify GitHub attestation for at least one downloaded artifact from each packaging family you ship.
Re-run installer validation against the published release surface if needed.
Confirm Homebrew, Scoop, and Chocolatey manifests were generated and published through their PR flow.

The first release after a pipeline change should be treated as a canary:

If any of those fail, treat the release pipeline as untrusted until the failure is fixed and the validation path passes again.