From 9bfa3862c641990f6e12eceeb2001297480487ba Mon Sep 17 00:00:00 2001
From: Simon Michael <simon@joyful.com>
Date: Fri, 31 Oct 2025 09:22:44 -1000
Subject: [PATCH] ;doc:ghrelnotes, RELEASING: plan for immutable github
 releases

---
 doc/RELEASING.md |  1 +
 doc/ghrelnotes   | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/doc/RELEASING.md b/doc/RELEASING.md
index 4fb64c3c7..288352bd0 100644
--- a/doc/RELEASING.md
+++ b/doc/RELEASING.md
@@ -156,6 +156,7 @@ It should be improved each time it is used.
       `just ghbin-download` <!-- (or if throttled: `just ghbin-open`, download to tmp/, unzip the unix ones) -->  
       `just ghrel-bin-upload VER`  
   - github release published  
+      decide if release should be immutable (artifacts attached, all correct ?) then adjust repo settings  
       review,
       publish
   - github nightly release updated  
diff --git a/doc/ghrelnotes b/doc/ghrelnotes
index e715fbd11..4e5aae7a6 100755
--- a/doc/ghrelnotes
+++ b/doc/ghrelnotes
@@ -53,6 +53,16 @@ If you have [eget](https://github.com/zyedidia/eget), that's a convenient way to
 eget simonmichael/hledger --all
 ```
 
+From hledger 1.51 on, the github releases are immutable, and can be verified as follows:
+
+```
+gh --version  # ensure you have github CLI 2.81.0+
+gh release verify $REL  # check the $REL github release is immutable
+curl -fLO https://github.com/simonmichael/hledger/releases/download/$REL/hledger-linux-x64.tar.gz  # eg
+gh release verify-asset $REL ./hledger-linux-x64.tar.gz  # check the tarball is correct
+tar xzv -f hledger-linux-x64.tar.gz -C/usr/local/bin hledger hledger-ui hledger-web
+```
+
 Otherwise:
 
 </xdetails>