Devani distribution is deliberately boring: a zip file, a checksum, and an XML feed.
The feed
https://devani.io/latest.xml is the single source of release truth:
<version>2.3.0</version>
<download_url>https://devani.io/releases/devani-cms-2.3.0.zip</download_url>
<checksum_sha256>…</checksum_sha256>
The feed is notify-only. Sites poll it to display an update notice; nothing installs automatically, ever. Publishing a new release is therefore always a non-breaking act — installs change only when their admin applies the update from the System Update page, which verifies the download against the published checksum first.
What's in a release zip
The complete application, as readable source — the devani/ app directory plus the scaffolding a fresh site needs. What you download is what runs; there is no compiled or minified-only component. Updates replace application files and never touch a site's content tree or storage.
Consumers of the feed
- Every install's update notice.
- The one-command installer (fetches URL + checksum, verifies before extracting).
- The devani.io download button (rewrites itself to the current version client-side).
Versioning practice
Semantic-ish: patch releases for fixes, minor for features (2.2.0 commerce, 2.3.0 Stripe-only + performance), and security releases labeled explicitly in their notes — those are the ones to apply promptly.