From efc53fc78ec4b2486b1a83b87dd244634c71a6a5 Mon Sep 17 00:00:00 2001 From: asraa Date: Fri, 21 Oct 2022 15:37:12 -0500 Subject: [PATCH] docs: update release.md docs to describe a pre-release (#314) * update docs Signed-off-by: Asra Ali --- RELEASE.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/RELEASE.md b/RELEASE.md index f799ac05d..3ac063fbc 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -18,7 +18,25 @@ Major and minor releases are released directly from the `main` branch. Patch ver ### New major or minor release -Create a new tag for the official generator via [slsa-framework/slsa-verifier/releases/new](https://github.com/slsa-framework/slsa-verifier/releases/new). +### Dry-Run + +Create a release candidate for the official slsa-verifier via [slsa-framework/slsa-verifier/releases/new](https://github.com/slsa-framework/slsa-verifier/releases/new). + +Use a pre-release name denoted with a hypen `vX.Y.Z-rc` (do not use a pre-release check, the e2e tests will ignore these). By creating a pre-release version, the release flow and e2e tests can be validated committing to the final version. Because Go module downloads are deterministic through the public GOPROXY, this helps ensure that the final released Go module is immutable: a final release version should not be deleted. + +Set the title to `vX.Y.Z-rc`. + +Click `Publish release`. + +This will trigger a release workflow: wait until it completes and generates the binary and the provenance. + +Do **NOT** submit any more code between now and the final release. + +Ensure that the release is successful and provenance can be verified properly. Then, either manually trigger or wait for a nightly scheduled run of all [example-package e2e tests](https://github.com/slsa-framework/example-package/tree/main/.github/workflows) and ensure that all tests are passing. + +If both of these steps succeed, then move on to the [Final Release](#final-release). + +### Final Release Use a "canonical" semantic version without metadata `vX.Y.Z`.