Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Stephen Augustus <foo@auggie.dev>
1 parent 559d544, commit 5f384be
Showing 1 changed file with 22 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# Releasing the scorecard GitHub Action | ||
|
||
This is a draft document to describe the release process for the scorecard | ||
GitHub Action. | ||
|
||
(If there are improvements you'd like to see, please comment on the | ||
[tracking issue](https://github.com/ossf/scorecard-action/issues/33) or issue a | ||
pull request to discuss.) | ||
|
||
- [steps:](#steps) | ||
|
||
## steps: | ||
|
||
1. cut a scorecard release and wait for a container image to be created and tagged with new release. Note the hash of the container as `CH1`. Note: we do not need a scorecard release, we can use any stable version we want. | ||
2. update the hash pin in our [dockerfile](https://github.com/ossf/scorecard-action/blob/main/.github/Dockerfile#L26) to use the container hash `CH1` from step 1. Once the PR is merged, note the GitHub's commit hash as `GH2`. | ||
~~3. [manually trigger](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow) the workflow to generate our container image. Note the hash of the container image generated as `CH3`. It can be found [here](https://github.com/ossf/scorecard-action/pkgs/container/scorecard-action) using the manifest's "digest"`.~~ | ||
~~4. update the container image hash we use in [action.yaml:L45](https://github.com/ossf/scorecard-action/blob/main/action.yaml#L45), using the hash `CH3` from step 3. Once the PR is merged, note the GitHub's commit hash as `GH4`.~~ | ||
5. test the new hash in a test repo we own. If successful, continue. | ||
6. cut release for the action - the hash of the tagged release should be `GH2`. | ||
7. send a PR to [starter-workflows/code-scanning/scorecards.yml](https://github.com/actions/starter-workflows/tree/main/code-scanning/scorecards.yml) to update the hash to `GH2` from step 4. | ||
8. merge a PR to update our documentation's example workflow to use `GH2`. | ||
9. verify on the market place that the workflow example contains `GH2`. (the marketplace uses main branch) |
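
Review bot: Step 7 says to update the hash to `GH2` "from step 4", but `GH2` is defined in step 2, and step 4 is struck through and defines `GH4` instead; the reference should read "from step 2". Since this is a new file, consider deleting steps 3 and 4 outright rather than committing them wrapped in `~~`: a line that begins with `~~3.` is not parsed as its own list item, so the rendered numbering will not match the step numbers the text refers to, and the remaining steps are numbered 5 to 9 in the source. Step 3 also carries a stray backtick after "digest". Step 1 says to cut a scorecard release and then notes that a release is not needed; stating the actual requirement (a stable image whose digest becomes `CH1`) would remove the ambiguity about which image gets pinned. The Dockerfile link targets `main` with a `#L26` anchor, which will drift as the file changes; a permalink or a description of the pinned line would be more durable for a release procedure that depends on editing the right hash.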