RELEASE_CHECKLIST.md

Release Checklist

Overview

This document describes the checklist to publish a release for Ratify CLI via GitHub workflow.

Release Process

• Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
• Determine a SemVer2-valid version prefixed with the letter v for release. For example, version="v2.0.0-alpha.1".
• If there is a new release in ratify-go that is required for Ratify CLI, submit a PR to update the dependency versions in the go.mod and go.sum files.
• Create another PR to update the Ratify CLI version with a single commit. The commit message MUST follow conventional commit rules and could be bump: tag and release $version. Record the digest of that commit as <commit_digest>. This PR is also used to vote on the new release. Add links to the change logs and repo-level maintainer list in the PR's description. The PR title could be bump: tag and release $version. Make sure to get a majority of approvals from the repo-level maintainers before releasing it. This PR should be merged using Create a merge commit method in GitHub.
• After the voting PR is merged, execute git clone git@github.com:ratify-project/ratify-cli.git to clone the repository to your local file system.
• Enter the cloned repository and execute git checkout <commit_digest> to switch to the specified branch based on the voting result.
• Create a tag by running git tag -s -am $version $version.
• Run git tag and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running git push origin $version.
• Wait for the completion of the GitHub action release-github.
• Check the new draft release, revise the release description, and publish the release.
• Announce the new release in the Ratify Project community.