1# Release
2
3This directory contain the files and scripts to run a Rekor release.
4
5# Cutting a Rekor Release
6
71. Release notes: Create a PR to update and review release notes in CHANGELOG.md.
8
9Check merged pull requests since the last release and make sure enhancements, bug fixes, and authors are reflected in the notes.
10
11You can get a list of pull requests since the last release by substituting in the date of the last release and running:
12
13```
14git log --pretty="* %s" --after="YYYY-MM-DD"
15```
16
17and a list of authors by running:
18
19```
20git log --pretty="* %an" --after="YYYY-MM-DD" | sort -u
21```
22
232. Open a Pull Request to update CHANGELOG.md
24
253. Tag the repository
26
27**WARNING**: Tags should not be updated to a new ref or deleted/recreated after creation. Go provides a [checksum database](https://sum.golang.org/)
28that persists an immutable mapping between version and ref, and updating the tag will break clients that have already downloaded the release.
29
30```shell
31$ export RELEASE_TAG=<release version, eg "v2.0.2">
32$ git tag -s ${RELEASE_TAG} -m "${RELEASE_TAG}"
33$ git push upstream ${RELEASE_TAG}
34```
35
36Note that `upstream` should be the upstream `sigstore/rekor` repository. You may have to change this if you've configured remotes.
37
384. Then go to the `Actions` tab and click on the [Cut Release workflow](https://github.com/sigstore/rekor/actions/workflows/cut-release.yml). Note you need
39to be in [this list](https://github.com/sigstore/sigstore/blob/main/.github/workflows/reusable-release.yml#L45) to trigger this workflow.
40
41Click to run a workflow and insert the following parameters ("Cosign" is correct, this refers to the artifact signing key):
42
43 - `Release tag`: the tag that use pushed for the release
44 - `Key ring for cosign key`: the value is `release-cosign`
45 - `Key name for cosign key`: the value is `cosign`
46
47That will trigger a CloudBuild job and will run the release using `goreleaser`, which will publish images to
48`gcr.io` and `ghcr.io`, and the binaries will be available in the GitHub release.
49
50If you have permissions to access the project, you can follow the CloudBuild job in the `projectsigstore`(https://console.cloud.google.com/cloud-build/builds?project=projectsigstore) GCP Project.
51
52As the last step of the CloudBuild job, `goreleaser` will create a `draft release` in GitHub.
53
545. Navigate to the `Draft Release` in the Github repository. Click the `Publish Release` button to make the Release available.
55
56You might want/need to add any extra notes/breaking changes notices, upgrade paths.
57
586. Post on the `#general` and `#rekor` Slack channels.
59
607. If it's a significant release, send an announcement email to sigstore-dev@googlegroups.com mailing list.
View as plain text