Verifies that git status is clean for all pathspecs that ship in the Hex
tarball plus test/**.
Runs as the first step of every publish path (canonical release-please flow, manual-recovery workflow, and per-push CI) so a release cannot ship files that were not reviewed and merged.
This gate exists because v1.2 shipped a partial tarball when uncommitted
files did not travel to the release tag. See
.planning/milestones/v1.2-MILESTONE-AUDIT.md for the incident narrative.
Usage
mix verify.workspace_cleanThe task takes no arguments. Per decision D-04, there is no escape-hatch flag or environment variable — the friction is the feature. Real emergencies require commenting out the workflow step in a PR.
Summary
Functions
Returns the pathspec list used by run/1 — derived from
mix.exs package.files (D-01) plus "test" (D-05).
Pure classifier for git status --porcelain output.
Functions
@spec build_pathspecs() :: [String.t()]
Returns the pathspec list used by run/1 — derived from
mix.exs package.files (D-01) plus "test" (D-05).
Exposed publicly for testability.
@spec classify(String.t(), integer(), non_neg_integer()) :: {:ok, String.t()} | {:dirty, String.t()} | {:git_error, String.t()}
Pure classifier for git status --porcelain output.
Split out of run/1 so tests can exercise each branch without a real git
subprocess (mirrors the Mix.Tasks.Verify.ReleaseParity.compute/2 seam).
Returns one of:
{:ok, message}— clean tree (empty output, exit 0){:dirty, paths}— uncommitted or untracked files present (non-empty output, exit 0){:git_error, err}—git statusitself failed (non-zero exit)