PR Maven CLI releases are driven by Git tags.
Use this process together with the MVP acceptance checklist for v0.x releases. For the Stage 3 target release, also use the v0.3.0 release acceptance checklist.
For the first MVP release record, see the v0.1.0 release snapshot.
Before creating a release tag:

- `main` is synchronized with `origin/main`.
- No release-blocking pull request is open.
- `go test ./...` passes locally.
- `scripts/test.sh` or `scripts/test.ps1` passes when practical for the release environment.
- CI has passed on the release commit, including `All CI checks`.
- JSON output from `demo/multi-module-failure` is parseable.
- `schema/prmaven-report.schema.json` matches the generated report contract.
- README examples, usage docs, installation docs, and release docs point at the current repository.
- Demo and fixture docs describe committed Maven report artifacts.
- Release workflow exists for Linux, macOS, and Windows packages.
- SHA-256 checksum generation is enabled.
- SPDX JSON SBOM generation is enabled for every release package.
- GitHub artifact attestation generation is enabled for release packages and checksums.
- GitHub SBOM attestation generation is enabled for release packages.
- The tag version will be embedded in `prmaven version`.
After the release workflow completes:

- The GitHub release exists for the pushed tag.
- Linux amd64 and arm64 tarballs are attached.
- macOS amd64 and arm64 tarballs are attached.
- Windows amd64 zip is attached.
- A `.sha256` file exists for every package.
- A `.sbom.spdx.json` file exists for every package.
- A `.sbom.spdx.json.sha256` file exists for every package SBOM.
- GitHub artifact attestations exist for every package and checksum file.
- GitHub SBOM attestations bind package archives to their SBOM files.
- Release notes were generated.
To cut a release:

- Ensure `main` is green.
- Choose a semantic version such as `v0.1.0`.
- Create and push a signed annotated tag:

```sh
git tag -s v0.1.0 -m "PR Maven CLI v0.1.0"
git tag -v v0.1.0
git push origin v0.1.0
```

Signed tags require a local GPG, SSH, or S/MIME signing key configured in Git and added to GitHub. Do not store release signing private keys in repository secrets.
Release tags should be signed annotated tags created from a local maintainer machine.

Preferred command:

```sh
git tag -s v0.1.0 -m "PR Maven CLI v0.1.0"
git tag -v v0.1.0
```

Operational rules:

- The signing private key must stay outside the repository and outside GitHub Actions secrets.
- The release owner should verify the tag locally before pushing it.
- GitHub should show the pushed tag as verified when the signing public key is configured on the maintainer account.
- If an emergency `v0.x` release must be cut without a signing key, document the exception in the release notes and return to signed tags for normal releases.
The release workflow will:
- build Linux, macOS, and Windows binaries;
- package archives;
- generate SHA-256 checksums;
- generate SPDX JSON SBOM files and SBOM checksums;
- generate GitHub artifact attestations for package archives and checksum files;
- generate GitHub SBOM attestations that bind package archives to their SBOM files;
- create a GitHub release;
- generate release notes from GitHub metadata.
Release artifacts are attested with GitHub artifact attestations.
After downloading a package or checksum file, verify its provenance with:

```sh
gh attestation verify prmaven-v0.1.0-linux-amd64.tar.gz -R pr-cli/pr-maven-cli
gh attestation verify prmaven-v0.1.0-linux-amd64.tar.gz.sha256 -R pr-cli/pr-maven-cli
gh attestation verify prmaven-v0.1.0-linux-amd64.sbom.spdx.json -R pr-cli/pr-maven-cli
```

Use the matching file name for the target platform and release version.
Validate the SBOM checksum with:

```sh
sha256sum -c prmaven-v0.1.0-linux-amd64.sbom.spdx.json.sha256
```

Build a development binary locally with:

```sh
sh scripts/build.sh dist dev
./dist/prmaven version
```

On Windows PowerShell:

```powershell
.\scripts\build.ps1 -Version dev
.\dist\prmaven.exe version
```

Release builds embed the tag in the CLI:

```sh
prmaven version
```

Development builds report `dev` unless a script or workflow passes a specific version.
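As an added example (not one of the project's own scripts), the post-release artifact checklist and the checksum validation above can be run offline over a directory of downloaded release files. It assumes archive names follow the `prmaven-<version>-<os>-<arch>.<ext>` pattern shown for linux-amd64; the `darwin` OS name for macOS and the `.zip` suffix for Windows are assumptions, and the `release_packages`, `sbom_for` and `verify_release_dir` helpers are hypothetical names introduced here.

```shell
# Added example, not one of the project's scripts: an offline check that a downloaded
# release directory holds the complete artifact set listed above and that every .sha256
# file verifies against the package or SBOM it covers. Attestation verification is left
# to `gh attestation verify`, which needs access to GitHub.
# Assumption: names follow prmaven-<version>-<os>-<arch>.<ext> as shown for linux-amd64;
# "darwin" for macOS and the .zip suffix for Windows are assumed.

# Print the expected archive names for one release version, one per line.
release_packages() {
  v="$1"
  printf '%s\n' \
    "prmaven-$v-linux-amd64.tar.gz" \
    "prmaven-$v-linux-arm64.tar.gz" \
    "prmaven-$v-darwin-amd64.tar.gz" \
    "prmaven-$v-darwin-arm64.tar.gz" \
    "prmaven-$v-windows-amd64.zip"
}

# Derive the SBOM file name that accompanies an archive.
sbom_for() {
  base="${1%.tar.gz}"
  printf '%s.sbom.spdx.json\n' "${base%.zip}"
}

# verify_release_dir <dir> <version>
# Returns 0 only when every package, checksum, SBOM and SBOM checksum is present
# and every checksum file verifies; each problem is reported on stderr.
verify_release_dir() {
  dir="$1"; v="$2"; status=0
  for pkg in $(release_packages "$v"); do
    sbom=$(sbom_for "$pkg")
    for f in "$pkg" "$pkg.sha256" "$sbom" "$sbom.sha256"; do
      [ -f "$dir/$f" ] || { echo "missing: $f" >&2; status=1; }
    done
    # sha256sum -c resolves the name inside the checksum file relative to the
    # current directory, so run it from within the release directory.
    for sum in "$pkg.sha256" "$sbom.sha256"; do
      if [ -f "$dir/$sum" ] && ! (cd "$dir" && sha256sum -c --status "$sum"); then
        echo "checksum mismatch: $sum" >&2; status=1
      fi
    done
  done
  return "$status"
}
```

Run it as `verify_release_dir ./downloads v0.1.0` after fetching the release files; a non-zero exit means at least one artifact is missing or a checksum did not verify.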