Also, if remote_url is omitted, should sha also be omitted?

Hm, I had assumed users interested in provenance are already using some type of version control, but maybe we can't force that either.

About the dash in CFEP 03, see

please keep sha as mandatory ... some packages may not have the remote_url to not expose private repositories to the public, but the sha is this helpful for internal audits / attestations to check that e.g. the sha actually exists / was reviewed as part of an PR / triggered a CI run etc.

I am writing this to describe the current conventions, not to impose on how packages should be built. I think that should be decided by packaging organizations separately. I plan to submit a CFEP for conda-forge where we do "require these fields in CI pipelines, as recommended by CEP XYZ".

Someone using conda-build to share an artifact with their research lab internally may not need to care about whether the recipe is version controlled or what a git hash is.

The name flow_run_id originates from Anaconda's current build system. I wish that we could use something more generic and meaningful. But I guess the boat has sailed already? Or do you foresee a future where CF would be willing to change this to something else (on our side at Anaconda, this is very easy to do).

We can change it easily too, but then we will have to maintain two ways of accessing this metadata because the already stamped artifacts won't be rebuilt. I think flow_run_id is sufficiently generic. I always read it as "(work)flow run ID".

flow_run_id is constantly used for defaults and conda-forge and the naming was accepted on both sites in the past ... have a look into this PR ... you can see it that PR that every CI system (Azure, Travis, Github,...) name their variable containing the ID differently ... flow_run_id was/is meant to be agnostic and the value prefix tells what automation/ci/flow/workflow system was used.