tkhq · r-n-o · Feb 23, 2026 · Feb 19, 2026
@@ -4,4 +4,10 @@
 
 ## Pre merge check list
 
-- [ ] Update CHANGELOG.MD
+- [ ] Call out updates and breaking changes via [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/)
+- [ ] Communicate verification flow breaking changes especially thoroughly. If any of the following answers are no, then this is a verification flow breaking change:
+    - Can enclaves in a previous QOS version still key forward to this new version?
+    - Can previous versions of QOS verify attestations from this new version?
+    - Can manifests generated by a previous version still be parsed by this one?
+    - Can previous approvals still be verified against a manifest (i.e. is this a non-breaking change to the manifest signing payload)?
+    - Can a previous version of QOS still perform a boot standard on an enclave of this version?
@@ -0,0 +1,79 @@
+name: Release-plz
+
+permissions:
+  pull-requests: write
+  issues: write # needed for labels
+  contents: write
+
+on:
+  pull_request:
+    types: [ closed ]
+    branches: [ main ]
+
+jobs:
+  # Release unpublished packages.
+  release-plz-release:
+    name: Release-plz release
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    # This environment gives access to CARGO_REGISTRY_TOKEN, and requires approval
+    environment: release 
+    # only trigger this job if the push to main is from a merged PR with a "release" label
+    if: >
+      github.repository_owner == 'tkhq' &&
+      github.event.pull_request.merged == true &&
+      contains(github.event.pull_request.labels.*.name, 'release')
+    permissions:
+      contents: write
+    steps:
+      - name: git checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # `fetch-depth: 0` is needed to clone all the git history, which is necessary to
+          # release from the latest commit of the release PR.
+          fetch-depth: 0
+      - name: install Rust
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #v1
+        with:
+          toolchain: stable
+          components: clippy,rustfmt
+      - name: Run release-plz
+        uses: release-plz/action@f708778669256143d984cce4b23592637532e040 # v0.5.127
+        with:
+          command: release
+          manifest_path: src/Cargo.toml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+
+  # Create a PR with the new versions and changelog, preparing the next release.
+  release-plz-pr:
+    name: Release-plz PR
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    if: ${{ github.repository_owner == 'tkhq' }}
+    permissions:
+      contents: write
+      pull-requests: write
+    concurrency:
+      group: release-plz-${{ github.ref }}
+      cancel-in-progress: false
+    steps:
+      - name: git checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          # `fetch-depth: 0` is needed to clone all the git history, which is necessary to
+          # determine the next version and build the changelog.
+          fetch-depth: 0
+      - name: install Rust
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 #v1
+        with:
+          toolchain: stable
+          components: clippy,rustfmt
+      - name: Run release-plz
+        uses: release-plz/action@f708778669256143d984cce4b23592637532e040 # v0.5.127
+        with:
+          command: release-pr
+          manifest_path: src/Cargo.toml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -44,8 +44,9 @@ resolver = "2"
 
 [workspace.package]
 rust-version = "1.88"
-version = "0.1.0"
+version = "0.5.0"
 edition = "2021"
+license = "AGPL-3.0-only"
 
 [workspace.lints.rust]
 missing_docs = "warn"
@@ -100,14 +101,14 @@ zeroize = { version = "1.8", default-features = false }
 
 # Internal workspace dependencies
 integration = { path = "integration" }
-qos_client = { path = "qos_client", default-features = false }
-qos_core = { path = "qos_core", default-features = false }
-qos_crypto = { path = "qos_crypto", default-features = false }
-qos_hex = { path = "qos_hex", default-features = false }
-qos_host = { path = "qos_host", default-features = false }
-qos_net = { path = "qos_net", default-features = false }
-qos_nsm = { path = "qos_nsm", default-features = false }
-qos_p256 = { path = "qos_p256" }
+qos_client = { path = "qos_client", version = "0.5.0", default-features = false }
+qos_core = { path = "qos_core", version = "0.5.0", default-features = false }
+qos_crypto = { path = "qos_crypto", version = "0.5.0", default-features = false }
+qos_hex = { path = "qos_hex", version = "0.5.0", default-features = false }
+qos_host = { path = "qos_host", version = "0.5.0", default-features = false }
+qos_net = { path = "qos_net", version = "0.5.0", default-features = false }
+qos_nsm = { path = "qos_nsm", version = "0.5.0", default-features = false }
+qos_p256 = { path = "qos_p256", version = "0.5.0" }
 qos_test_primitives = { path = "qos_test_primitives" }
 
 # Option for the future: build all QOS applications with additional runtime checks

@@ -3,7 +3,11 @@ name = "qos_client"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "Multipurpose CLI client for interacting with QuorumOS enclaves and related operations"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "enclave", "nitro", "attestation", "client"]
+categories = ["command-line-utilities"]
 
 [lints]
 workspace = true

@@ -3,7 +3,11 @@ name = "qos_core"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "Core components and logic for QuorumOS applications"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "enclave", "nitro", "tee", "quorum"]
+categories = ["os"]
 
 [lints]
 workspace = true

@@ -3,7 +3,11 @@ name = "qos_crypto"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "Cryptographic primitives for use with QuorumOS"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "shamir", "secret-sharing", "threshold", "cryptography"]
+categories = ["cryptography"]
 
 [lints]
 workspace = true

@@ -3,7 +3,11 @@ name = "qos_hex"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "Utilities for encoding and decoding hex strings"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "hex", "encoding"]
+categories = ["encoding"]
 
 [lints]
 workspace = true

@@ -3,7 +3,11 @@ name = "qos_net"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "Socket to TCP proxy for QuorumOS enclave network access"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "enclave", "nitro", "proxy", "vsock"]
+categories = ["network-programming"]
 
 [lints]
 workspace = true

@@ -3,7 +3,11 @@ name = "qos_nsm"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "AWS Nitro Secure Module attestation endpoints and types"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "nitro", "enclave", "attestation", "aws"]
+categories = ["cryptography"]
 
 [lints]
 workspace = true

@@ -3,7 +3,11 @@ name = "qos_p256"
 version.workspace = true
 edition.workspace = true
 rust-version.workspace = true
-publish = false
+license.workspace = true
+description = "Signing and encryption utilities for P-256 keys"
+repository = "https://github.com/tkhq/qos"
+keywords = ["quorumos", "p256", "ecdsa", "ecdh", "encryption"]
+categories = ["cryptography"]
 
 [lints]
 workspace = true

@@ -0,0 +1,81 @@
+[workspace]
+pr_labels = ["release"]
+# See https://release-plz.dev/docs/config#the-release_always-field
+release_always = false
+changelog_path = "../CHANGELOG.md"
+
+# See https://release-plz.dev/docs/extra/single-changelog#all-packages
+[changelog]
+body = """
+
+## `{{ package }}` - [{{ version }}]{%- if release_link -%}({{ release_link }}){% endif %} - {{ timestamp | date(format="%Y-%m-%d") }}
+{% for group, commits in commits | group_by(attribute="group") %}
+### {{ group | upper_first }}
+{% for commit in commits %}
+{%- if commit.scope -%}
+- *({{commit.scope}})* {% if commit.breaking %}[**breaking**] {% endif %}{{ commit.message }}{%- if commit.links %} ({% for link in commit.links %}[{{link.text}}]({{link.href}}) {% endfor -%}){% endif %}
+{% else -%}
+- {% if commit.breaking %}[**breaking**] {% endif %}{{ commit.message }}
+{% endif -%}
+{% endfor -%}
+{% endfor -%}
+"""
+
+[[package]]
+name = "qos_client"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+[[package]]
+name = "qos_core"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+[[package]]
+name = "qos_crypto"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+[[package]]
+name = "qos_hex"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+[[package]]
+name = "qos_net"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+[[package]]
+name = "qos_p256"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+[[package]]
+name = "qos_nsm"
+changelog_update = true
+publish = true
+version_group = "qos"
+
+# Unpublished packages
+
+[[package]]
+name = "integration"
+publish = false
+changelog_update = false
+
+[[package]]
+name = "qos_test_primitives"
+publish = false
+changelog_update = false
+
+[[package]]
+name = "qos_host"
+changelog_update = false
+publish = false