diff --git a/.github/workflows/release-scheduled.yaml b/.github/workflows/release-scheduled.yaml
deleted file mode 100644
index a3541d964..000000000
--- a/.github/workflows/release-scheduled.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-name: release - -on: - schedule: - - cron: '0 0 * * *' # daily at 00:00 - workflow_dispatch: - -permissions: - contents: read - -jobs: - release: - name: release - runs-on: ubuntu-latest - - permissions: - contents: write - - steps: - - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Check if any changes since last tag - id: check - run: | - git fetch --tags - if [ -z "$(git tag --points-at HEAD)" ]; then - echo "Nothing points at HEAD, bump a new tag" - echo "bump=yes" >> $GITHUB_OUTPUT - else - echo "A tag already points to head, don't bump" - echo "bump=no" >> $GITHUB_OUTPUT - fi - name: Bump patch version and push tag - uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 - if: steps.check.outputs.bump == 'yes' - with: - github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 31831410d..f63c4e754 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,13 +1,13 @@
-name: Create Release +name: Release on: - push: - tags: - - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 + schedule: + - cron: '0 0 * * 1' # every Monday at 00:00 UTC + workflow_dispatch: jobs: - cli: - name: Release the CLI + release: + name: Release runs-on: ubuntu-latest # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
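Review bot: The new trigger `- cron: '0 0 * * 1' # every Monday at 00:00 UTC` fires once a week, but release.md as rewritten in this same commit says the workflow "runs automatically every night", and the deleted release-scheduled.yaml ran daily (`'0 0 * * *'`); either the cron or the document should change so the documented cadence matches the trigger. The deleted scheduled workflow also declared a workflow-level `permissions: contents: read` default and a job-level `contents: write`; the corresponding permissions block of the surviving release job sits between this hunk and the next (the job definition continues past the hunk), so it is worth confirming the job holds only the `contents: write` it needs now that it creates and pushes tags with `GITHUB_TOKEN`. A workflow-level `permissions:` block mirroring the deleted file's `contents: read` would keep any future job least-privileged by default.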
@@ -22,69 +22,57 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Check if any changes since last tag + id: check + run: | + git fetch --tags + if [ -z "$(git tag --points-at HEAD)" ]; then + echo "Nothing points at HEAD, so we need a new tag+release." + echo "need_release=yes" >> $GITHUB_OUTPUT + else + echo "A tag already points to head, no need for a new tag+release." + echo "need_release=no" >> $GITHUB_OUTPUT + fi + + - name: Bump version and push tag + id: create_tag + uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 + if: steps.check.outputs.need_release == 'yes' + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + if: steps.check.outputs.need_release == 'yes' + with: + ref: ${{ steps.create_tag.outputs.new_tag }} + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + if: steps.check.outputs.need_release == 'yes' with: go-version-file: './go.mod' check-latest: true + # Cosign is used by goreleaser to sign release artifacts. - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + if: steps.check.outputs.need_release == 'yes' - uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0 + if: steps.check.outputs.need_release == 'yes' with: version: latest install-only: true # Federate to create a token to authenticate with the homebrew-tap repository. 
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0 + if: steps.check.outputs.need_release == 'yes' id: octo-sts with: scope: chainguard-dev/homebrew-tap identity: melange - name: Release + if: steps.check.outputs.need_release == 'yes' run: make release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} - - ko-build: - name: Release melange image - runs-on: ubuntu-latest - needs: - - cli - - # https://docs.github.com/en/actions/reference/authentication-in-a-workflow - permissions: - id-token: write - packages: write - contents: read - - env: - KO_DOCKER_REPO: ghcr.io/${{ github.repository }} - COSIGN_YES: "true" - - steps: - - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 - with: - go-version-file: './go.mod' - check-latest: true - - - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7 - - - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - - - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ github.token }} - - - name: Publish/Sign melange image - run: | - make sign-image
diff --git a/release.md b/release.md
index f57f37d9c..9a9884e82 100644
--- a/release.md
+++ b/release.md
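Review bot: The guard `if: steps.check.outputs.need_release == 'yes'` is repeated on every step after the `check` step (tag bump, second checkout, setup-go, cosign-installer, goreleaser, octo-sts, and the `make release` step), so any step added later without it will run on every scheduled execution, including the octo-sts token federation, even when there is nothing to release. A more robust shape is a separate `check` job that exposes `need_release` as a job output and a `release` job with `needs: check` and a single `if: needs.check.outputs.need_release == 'yes'`, so the gate cannot be forgotten per step. The removed `ko-build` job was the only place this workflow published and cosign-signed the melange image (`make sign-image` with `id-token: write` / `packages: write`); no replacement is visible in this diff, so if image publishing has moved elsewhere a comment naming the new location would help, and if not, releases no longer ship a signed image. Minor: the output redirections should quote the variable, `echo "need_release=yes" >> "$GITHUB_OUTPUT"`, to match shell best practice. The job header and its `permissions` block lie between this hunk and the previous one, outside the visible lines.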
@@ -1,45 +1,19 @@ # Melange Release Process -## Patch releases - -The most common type of release of Melange is a patch release. Generally we should aim to do these as often as necessary to release _backward compatible_ changes, especially to release updated dependencies to fix vulnerabilities. - To cut a release: -- go to https://github.com/chainguard-dev/melange/releases/new -- click "Choose a tag" then "Find or create a new tag" -- type a new patch version tag for the latest minor version - - for example, if the latest version is `v0.5.5`, create a patch release `v0.5.6` -- click "Create new tag: v0.X.Y on publish" - - you can leave the release title empty -- click "Generate release notes" - - make any editorial changes to the release notes you think are relevant -- make sure "Set as the latest release" is checked -- click **"Publish release"** - -### Monitor the release automation - -Once the tag is pushed, the [`Create Release` action](https://github.com/chainguard-dev/melange/actions/workflows/release.yaml) -will attach the appropriate release artifacts and update release notes. - -At the time of this writing, the release job takes 20 to 30 minutes to execute. - -Make any editorial changes to the release notes you think are necessary. -You may want to highlight certain changes or remove items that aren't interesting. - -Once the `Release` action has been completed successfully, find your release on -the [releases page](https://github.com/chainguard-dev/melange/releases) -## Minor releases +1. Go to https://github.com/chainguard-dev/melange/actions/workflows/release.yaml. +2. Click on the `Run workflow` button. +3. In the dropdown, ensure that the `main` branch is selected. +4. In the dropdown, click on the `Run workflow` button. +5. Wait for the workflow to complete successfully. -Occasionally there are large or breaking changes to Melange that we want to highlight with a new minor release. 
-A minor release should be cut shortly after a breaking change is made, so that regular patch releases don't release breaking changes. +### Useful things to know -The process for cutting a release is exactly the same as above, except that you should pick a new minor version. +#### Detecting whether a new release is needed -For example, if the latest version is `v0.5.5`, create a minor release `v0.6.0`. +The release workflow checks to see if there are any changes since the last release. If there are no changes, the workflow will end execution early and not create a new release. -## Homebrew +#### Automatic triggering -Our release pipeline automate the process to update our [homebrew tap](https://github.com/chainguard-dev/homebrew-tap/blob/main/Formula/melange.rb), -but it does not update the [Homebrew-core upstream repository](https://github.com/Homebrew/homebrew-core/blob/master/Formula/m/melange.rb) for that one -we need to open a manual Pull Request. +In addition to being triggerable manually (as described at the top of this document), the workflow also runs automatically every night. Just like with manual triggering, if there are no new changes since the last release, the workflow will end early without creating a new release.