View attestation details
April 27, 2026 Β· View on GitHub
π Riksdagsmonitor β Release Process Guide
π¦ Auditable Releases with Full Supply-Chain Provenance
π SLSA Attestations Β· SBOM (SPDX) Β· SHA-256 Β· Dual S3 + GitHub Pages Deployment
π Document Owner: CEO | π Version: 1.0 | π
Last Updated: 2026-02-18 (UTC)
π Review Cycle: Per release | π’ Owner: Hack23 AB (Org.nr 559534-7807) | π·οΈ Classification: π’ Public
This guide describes how to create releases for Riksdagsmonitor with full attestations and documentation-as-code.
Table of Contents
- Overview
- Release Workflow
- Triggering a Release
- Release Artifacts
- Documentation as Code
- Security & Attestations
- Deployment
- Verification
- Troubleshooting
Overview
Riksdagsmonitor follows a comprehensive release process that includes:
- β Automated testing (unit + E2E)
- β Documentation generation (API, coverage, E2E reports)
- β SLSA Build Provenance attestations
- β SBOM (Software Bill of Materials) generation
- β Dual deployment (S3/CloudFront + GitHub Pages)
- β npm package publishing with provenance
- β Automated release notes
Release Workflow
The release workflow consists of 3 jobs:
1. Prepare Job
Purpose: Build, test, and generate all documentation
Steps:
- Set up test environment (Xvfb, Chrome, dependencies)
- Install npm dependencies
- Build application with Vite
- Run unit tests with coverage
- Run E2E tests with Cypress
- Clean old documentation
- Generate API documentation (JSDoc)
- Generate dependency tree
- Copy test reports to docs/
- Create documentation index (docs/index.html)
- Update sitemap.xml and regenerate localized sitemap HTML pages (
sitemap.html+ 13sitemap_<lang>.htmlvariants, all news articles date-sorted) - Deploy documentation to GitHub Pages
Duration: ~10-15 minutes
2. Build Job
Purpose: Create release artifacts with attestations
Steps:
- Build production application
- Create release zip file
- Generate SHA-256 checksum
- Generate SBOM (SPDX format)
- Create build provenance attestation
- Create SBOM attestation
- Upload artifacts
Duration: ~5 minutes
3. Release Job
Purpose: Create GitHub release, publish npm package, and deploy to production
Steps:
- Download build and security artifacts
- Generate release notes with Release Drafter
- Create GitHub Release with all artifacts
- Build and publish npm package with provenance
- Extract build to repository root
- Deploy to S3/CloudFront with cache headers
- Invalidate CloudFront cache
- Display deployment summary
Duration: ~5-10 minutes
Total Workflow Duration: ~20-30 minutes
Triggering a Release
Option 1: Manual Release (Recommended)
- Go to Actions β Release with Attestations β Run workflow
- Enter version (e.g.,
v1.0.0) - Select prerelease flag (if applicable)
- Click "Run workflow"
This will:
- Update package.json version
- Create and push a git tag
- Trigger the full release workflow
Option 2: Tag-based Release
- Create and push a version tag:
git tag v1.0.0 git push origin v1.0.0
This will automatically trigger the release workflow.
Version Numbering
Follow Semantic Versioning:
- Major (v2.0.0): Breaking changes
- Minor (v1.1.0): New features (backward compatible)
- Patch (v1.0.1): Bug fixes (backward compatible)
Release Artifacts
Each release includes the following artifacts:
Application Artifacts
-
riksdagsmonitor-vX.Y.Z.zip- Production build- Minified and optimized for production
- All HTML, CSS, JS, and assets
- Ready for deployment
-
riksdagsmonitor-vX.Y.Z.zip.sha256- Checksum- SHA-256 hash for integrity verification
npm Package
-
riksdagsmonitor@X.Y.Z- Shared types and utilities- Published to npm with provenance attestation
- TypeScript type definitions for theme, chart, and dashboard types
- Theme system (dark/light cyberpunk theme, party colors, chart palettes)
- Chart.js factory and responsive utilities
- Data loading with fallback, caching, and retry
- DOM utilities, error boundaries, and fallback UI
npm install riksdagsmonitorimport { DARK_THEME_COLORS, LIGHT_THEME_COLORS, getActiveThemeColors, getPartyColor, CHART_PALETTE, BREAKPOINTS, } from 'riksdagsmonitor';
Security Artifacts
-
riksdagsmonitor-vX.Y.Z.spdx.json- SBOM- Software Bill of Materials in SPDX format
- Complete dependency inventory
- License information
-
riksdagsmonitor-vX.Y.Z.zip.intoto.jsonl- Build Provenance- SLSA Build Provenance attestation
- Verifiable build metadata
- Supply chain security
-
riksdagsmonitor-vX.Y.Z.spdx.json.intoto.jsonl- SBOM Attestation- Attestation for the SBOM
- Cryptographically signed
Documentation as Code
All documentation is generated during the release and committed to the docs/ directory:
Generated Documentation
docs/
βββ index.html # Documentation hub (landing page)
βββ .nojekyll # Bypass Jekyll processing
βββ api/ # JSDoc API documentation
β βββ index.html
β βββ global.html
β βββ ...
βββ coverage/ # Vitest coverage reports
β βββ index.html # Interactive coverage viewer
β βββ lcov.info
β βββ coverage-final.json
βββ test-results/ # Vitest test results
βββ cypress/ # Cypress E2E test reports
βββ dependencies/ # npm dependency tree
β βββ dependency-tree.json
β βββ dependency-tree.txt
βββ diagrams/ # Architecture diagrams
Accessing Documentation
- Documentation Hub: https://riksdagsmonitor.com/docs/
- API Documentation: https://riksdagsmonitor.com/docs/api/
- Test Coverage: https://riksdagsmonitor.com/docs/coverage/
- E2E Reports: https://riksdagsmonitor.com/docs/cypress/
- Dependencies: https://riksdagsmonitor.com/docs/dependencies/
Security & Attestations
SLSA Build Provenance
Every release includes SLSA Build Provenance attestations that:
- Prove the artifact was built by GitHub Actions
- Include build metadata (commit SHA, workflow, runner)
- Are cryptographically signed and verifiable
SBOM (Software Bill of Materials)
Every release includes an SBOM in SPDX format that:
- Lists all dependencies (direct + transitive)
- Includes version information
- Provides license details
- Enables vulnerability tracking
Verification
Verify attestations using the GitHub CLI:
# Install GitHub CLI
brew install gh
# Verify build provenance
gh attestation verify riksdagsmonitor-v1.0.0.zip -R Hack23/riksdagsmonitor
# View attestation details
gh attestation view riksdagsmonitor-v1.0.0.zip -R Hack23/riksdagsmonitor
Checksum Verification
Verify artifact integrity:
# Download artifacts
wget https://github.com/Hack23/riksdagsmonitor/releases/download/v1.0.0/riksdagsmonitor-v1.0.0.zip
wget https://github.com/Hack23/riksdagsmonitor/releases/download/v1.0.0/riksdagsmonitor-v1.0.0.zip.sha256
# Verify checksum
sha256sum -c riksdagsmonitor-v1.0.0.zip.sha256
Deployment
Dual Deployment Strategy
Every release is deployed to two locations:
1. Primary: AWS S3/CloudFront
- URL: https://riksdagsmonitor.com
- Infrastructure: S3 bucket + CloudFront CDN
- Benefits:
- Global CDN (low latency worldwide)
- Custom cache headers (1 hour HTML, 1 year assets)
- CloudFront edge locations
- 99.9% SLA
2. Backup: GitHub Pages
- URL: https://hack23.github.io/riksdagsmonitor (via main branch)
- Infrastructure: GitHub Pages
- Benefits:
- Free hosting
- Automatic SSL
- Version control integration
- Disaster recovery
Cache Strategy
Optimized cache headers for performance:
- HTML files:
max-age=3600, must-revalidate(1 hour) - CSS/JS/Images:
max-age=31536000, immutable(1 year) - Metadata (XML/JSON):
max-age=86400(1 day) - Documentation:
max-age=86400(1 day)
CloudFront Invalidation
After deployment, CloudFront cache is invalidated (/*) to ensure fresh content.
Verification
After a release, verify:
1. GitHub Release
- Release created at https://github.com/Hack23/riksdagsmonitor/releases
- All artifacts uploaded
- Release notes generated
- Attestations available
2. Primary Deployment (S3/CloudFront)
- Visit https://riksdagsmonitor.com
- Verify application loads
- Check version in footer or version.txt
- Test key functionality
3. Backup Deployment (GitHub Pages)
- Visit GitHub Pages URL
- Verify application loads
- Compare with primary deployment
4. Documentation
- Visit https://riksdagsmonitor.com/docs/
- Check API documentation
- Review coverage report
- Verify E2E test reports
5. Attestations
# Verify build provenance
gh attestation verify riksdagsmonitor-v1.0.0.zip -R Hack23/riksdagsmonitor
# Should output: β Verification succeeded!
Troubleshooting
Build Failure
Symptom: Prepare job fails during build or tests
Common Causes:
- Test failures (unit or E2E)
- Build errors (Vite)
- Missing dependencies
Solution:
- Review workflow logs
- Fix failing tests or build errors
- Test locally:
npm run build && npm test && npm run e2e - Re-trigger release
Attestation Generation Failure
Symptom: Build job fails during attestation generation
Common Causes:
- Missing OIDC permissions
- Artifact not found
- SBOM generation failure
Solution:
- Verify
id-token: writeandattestations: writepermissions - Check artifact was uploaded correctly
- Review SBOM action logs
S3 Deployment Failure
Symptom: Release job fails during S3 sync
Common Causes:
- AWS credentials expired
- S3 bucket not accessible
- CloudFront distribution not found
Solution:
- Verify AWS OIDC role configuration
- Check S3 bucket exists and is accessible
- Verify CloudFront distribution ID
Documentation Not Generated
Symptom: docs/ directory empty or incomplete
Common Causes:
- JSDoc generation failed
- Coverage report not created
- Test reports missing
Solution:
- Review prepare job logs
- Check for errors in documentation generation steps
- Verify all scripts in package.json are correct
Release Notes Not Generated
Symptom: Release notes are empty or incorrect
Common Causes:
- .github/release-drafter.yml misconfigured
- Labels missing on PRs
- Release Drafter action failed
Solution:
- Verify .github/release-drafter.yml exists
- Check PR labels match release-drafter.yml categories
- Review Release Drafter action logs
Best Practices
Before Release
- β Ensure all tests pass locally
- β Review CHANGELOG or recent PRs
- β Update version in package.json (if manual release)
- β Tag commit with descriptive message
- β Notify team of upcoming release
After Release
- β Verify deployment on both primary and backup
- β Test key functionality
- β Review documentation
- β Announce release to stakeholders
- β Monitor for issues
Security Checklist
- All GitHub Actions pinned to SHA
- Harden-runner enabled
- OIDC authentication for AWS (no long-lived credentials)
- Least privilege permissions
- Attestations generated and verifiable
- SBOM included
- CodeQL scanning passed
- Dependency scanning passed
- Secret scanning passed
References
Maintained by: Hack23 AB
License: Apache License 2.0
Support: https://github.com/Hack23/riksdagsmonitor/issues
π Hack23 Ecosystem
| π Platforms | π¦ Open-Source Projects | π‘οΈ Governance & Standards |
|---|---|---|
|
π³οΈ Riksdagsmonitor β Swedish Parliament intelligence πͺπΊ EU Parliament Monitor β European coverage π΅οΈ Citizen Intelligence Agency β political-data engine π Hack23 AB β corporate site π° Hack23 Blog β engineering & policy πΌ Hack23 on LinkedIn |
π³οΈ Hack23/riksdagsmonitor π΅οΈ Hack23/cia πͺπΊ Hack23/euparliamentmonitor π Hack23/european-parliament-mcp β Hack23/cia-compliance-manager π₯ Hack23/black-trigram π Hack23/homepage |
π‘οΈ Hack23 ISMS-PUBLIC β public ISMS π Information Security Policy π€ AI Policy π§ͺ Secure Development Policy π― Threat Modeling Policy β οΈ Vulnerability Management π·οΈ Classification Framework |
π³οΈ Empower citizens Β· π Strengthen democratic accountability Β· π΅οΈ Illuminate the political process
Β© 2008β2026 Hack23 AB (Org.nr 559534-7807) Β· Maintainer: James Pether SΓΆrling, CISSP CISM