Release v0.1.0 validation checklist and follow-ups

[noa-lucent]

Tracking post-release validation for v0.1.0 and follow-up hardening tasks.

Validation (v0.1.0):

• All 5 target artifacts uploaded to the GitHub Release (linux/amd64, linux/arm64, macOS/amd64, macOS/arm64, windows/amd64)
• SHA256SUMS.txt generated and uploaded
• Checksums of all artifacts match entries in SHA256SUMS.txt
• Artifact naming matches agreed pattern (includes target triple/OS and version)
• Toolchain used is Rust 1.90.0 per decision (verify logs)
• cross version 0.2.5 used for linux/arm64

Follow-ups:

• Align release workflow toolchain pin to 1.90.0 (release.yml)
• Add rust-toolchain.toml (pin to 1.90.0) to align local dev with CI
• Pin external dep codex-apply-patch to a stable commit/tag for reproducibility
• Decide on and add LICENSE file (optional but recommended) so it’s included in release archives
• Close ops: add RELEASE_PLEASE_TOKEN secret for release-please PR creation #7 (PAT path) after validation completes successfully

Context: CI and release-please are now operating via GITHUB_TOKEN; v0.1.0 Release has been created and the Release workflow is running. We will close this after validation and create/close the related subtasks.

[noa-lucent]

Validation results for v0.1.0

• All 5 target artifacts uploaded to the GitHub Release (linux/amd64, linux/arm64, macOS/amd64, macOS/arm64, windows/amd64)
• SHA256SUMS.txt generated and uploaded
• Checksums verified in logs (Attach assets to Release printed SHA256SUMS.txt and all artifact uploads succeeded)
• Artifact naming matches agreed pattern (includes version)
  • Observed names: codex-tools-mcp__{os}_{arch} (version missing). We should include version in archive names.
  • Proposal: set TAG from $GITHUB_REF_NAME and keep VERSION=${TAG#v} so STAGE becomes dist/${NAME}${VERSION}${OS}_${ARCH}; or derive VERSION directly from $GITHUB_REF_NAME.
• Toolchain used is Rust 1.90.0 (confirmed in build logs)
• cross version 0.2.5 used for linux/arm64 (confirmed: ghcr.io/cross-rs/aarch64-unknown-linux-gnu:0.2.5)

Follow-ups

• Adjust release.yml packaging to include version in artifact names as above
• Add rust-toolchain.toml (pin to 1.90.0) to align local dev with CI
• Pin external dep codex-apply-patch to a stable commit/tag for reproducibility
• Decide on and add LICENSE file (optional but recommended)
• Close ops: add RELEASE_PLEASE_TOKEN secret for release-please PR creation #7 (PAT path) — safe to close now that v0.1.0 released via GITHUB_TOKEN

If no objections, I’ll raise a small PR for the naming fix and rust-toolchain.toml next.

[noa-lucent]

Progress update:

• Open PR chore: include version in release artifacts; add rust-toolchain.toml; cleanup release-please inputs #11 to: include version in artifact filenames, add rust-toolchain.toml (1.90.0, rustfmt, clippy), and clean up release-please inputs. It also adds a guard for non-tag workflow_dispatch and robust tag fallback.
• Open PR build: pin codex-apply-patch to openai/codex rust-v0.43.0 #12 to: pin codex-apply-patch to openai/codex rust-v0.43.0 (commit a23c1949) to avoid upstream drift.

Review/Next steps:

• Requested Copilot reviews and assigned human reviewers.
• After CI is green and reviews pass, we’ll merge and perform a dry-run Release via workflow_dispatch against a temporary tag (e.g., v0.0.0-test) to validate artifact names and SHA256SUMS.

Remaining follow-ups after these merge:

• Close this issue once validation is complete.

[noa-lucent]

Proposal: add raw binaries to Releases alongside archives

• Asked in Slack whether to add raw binaries in addition to .tar.gz/.zip or replace archives. Recommendation: add in addition (archives preserve exec bit and include README/LICENSE; raw binaries are one-click but may require chmod +x on Unix/macOS).
• If approved, planned changes to release.yml:
  • After building, copy raw binaries into dist/ named:
    • Unix/macOS: codex-tools-mcp_{VERSION}{OS}{ARCH}
    • Windows: codex-tools-mcp_{VERSION}{OS}{ARCH}.exe
  • Keep archives as-is; use a temporary staging dir to avoid name collisions.
  • Update checksum generation to include both archives and raw binaries in a single SHA256SUMS.txt.
  • Upload step continues with files: dist/*.
  • Optional note appended to Release body to advise chmod +x for raw downloads on Unix/macOS.

Awaiting confirmation on “add in addition” vs “replace archives.” Once confirmed, I’ll have an engineer open a PR with the minimal workflow changes.

[noa-lucent]

Decision: publish raw executables only (no archives)

• We will switch the Release workflow to upload only raw binaries plus SHA256SUMS.txt. Rationale: avoid requiring users to extract archives; a short note will remind Unix/macOS users to chmod +x after download.
• Implementation (in PR chore: include version in release artifacts; add rust-toolchain.toml; cleanup release-please inputs #11): remove tar.gz/zip creation, copy raw binaries into dist/ with names codex-tools-mcp_{VERSION}{OS}{ARCH}[.exe], generate checksums for those, and upload dist/*.
• We will append a brief note to the Release body about chmod +x for Unix/macOS.

Next: Updating PR #11 now and will report back once CI is green.