-
Notifications
You must be signed in to change notification settings - Fork 70
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Stephen Augustus <foo@auggie.dev>
- Loading branch information
1 parent
559d544
commit a3a78e0
Showing
1 changed file
with
115 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
# Releasing the scorecard GitHub Action | ||
|
||
This is a draft document to describe the release process for the scorecard | ||
GitHub Action. | ||
|
||
(If there are improvements you'd like to see, please comment on the | ||
[tracking issue](https://github.com/ossf/scorecard-action/issues/33) or issue a | ||
pull request to discuss.) | ||
|
||
- [Tracking](#tracking) | ||
- [Preparing the release](#preparing-the-release) | ||
- [Update the scorecard version](#update-the-scorecard-version) | ||
- [Drafting release notes](#drafting-release-notes) | ||
- [Release](#release) | ||
- [Create a tag](#create-a-tag) | ||
- [Create a GitHub release](#create-a-github-release) | ||
- [Update the starter workflow](#update-the-starter-workflow) | ||
- [Announce](#announce) | ||
|
||
## Tracking | ||
|
||
As the first task, a Release Manager should open a tracking issue for the | ||
release. | ||
|
||
We don't currently have a template for releasing, but the following | ||
[issue](https://github.com/ossf/scorecard-action/issues/97) is a good example | ||
to draw inspiration from. | ||
|
||
We're not striving for perfection with the template, but the tracking issue | ||
will serve as a reference point to aggregate feedback, so try your best to be | ||
as descriptive as possible. | ||
|
||
## Preparing the release | ||
|
||
This section covers changes that need to be issued as a pull request and should | ||
be merged before releasing the scorecard GitHub Action. | ||
|
||
### Update the scorecard version | ||
|
||
_NOTE: As the scorecard GitHub Action is based on scorecard, you may want to publish a new release of scorecard to ensure the next release of the GitHub Action has the most up-to-date functionality. This is not strictly required. The only requirement is that we use a stable scorecard version which is at or above the current version used for this action._ | ||
|
||
For the rest of document, let `CH1` be the hash of the scorecard image you | ||
intend to use for this release. | ||
|
||
See [here](https://github.com/orgs/ossf/packages?repo_name=scorecard) for | ||
scorecard images. | ||
|
||
(We'll use `0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552` | ||
as `CH1` in any examples below.) | ||
|
||
Now that you have `CH1`, update the digest in the [Dockerfile](Dockerfile) to use `CH1`. | ||
|
||
Example: | ||
|
||
```Dockerfile | ||
FROM gcr.io/openssf/scorecard:v100.0.0@sha256:0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552 as base | ||
``` | ||
|
||
Create a pull request with this change. | ||
|
||
Once the PR is merged, note the GitHub commit hash. | ||
We'll refer to this as `GH2` below. | ||
|
||
## Drafting release notes | ||
|
||
<!-- TODO(release): Provide details --> | ||
|
||
## Release | ||
|
||
### Create a tag | ||
|
||
Locally, create a signed tag based on `GH2`: | ||
|
||
```console | ||
git remote update | ||
git checkout `GH2` | ||
git tag -s -m "v100.0.0" v100.0.0 | ||
git push <upstream> --tags | ||
``` | ||
|
||
### Create a GitHub release | ||
|
||
Create a | ||
[GitHub release](https://github.com/ossf/scorecard-action/releases/new) using | ||
the tag you've just created. | ||
|
||
Release title: `<tag>` | ||
|
||
The release notes will be the notes you drafted in the previous step. | ||
|
||
Ensure the following fields are up to date: | ||
|
||
- Security contact email | ||
- Primary Category | ||
- Another Category — optional | ||
|
||
Click `Publish release`. | ||
|
||
## Update the starter workflow | ||
|
||
1. Open a pull request in the | ||
[starter workflows repo](https://github.com/actions/starter-workflows/tree/main/code-scanning/scorecards.yml) | ||
to update the action's digest to `GH2`. | ||
|
||
1. Update our documentation's example workflow to use `GH2`. | ||
|
||
1. Verify on | ||
[GitHub Marketplace](https://github.com/marketplace/actions/ossf-scorecard-action) | ||
that the workflow example contains `GH2`. | ||
|
||
_NOTE: GitHub Marketplace uses the default branch as reference documentation_ | ||
|
||
## Announce | ||
|
||
<!-- TODO(release): Provide details --> |