-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c23c2d5
commit 11011a8
Showing
1 changed file
with
55 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| +++ | ||
| title = "Releasing" | ||
| +++ | ||
|
|
||
| This project uses [release-please] to automate changelog updates per release. Due to security restrictions[^1] in the | ||
| `nutanix-cloud-native` GitHub organisation, the release process is a little more complex than just using the | ||
| [release-please-action]. | ||
|
|
||
| When a release has been cut, a new release PR can be created manually using the `release-please` CLI locally. This needs | ||
| to be run by someone with write permissions to the repository. Installation of the `release-please` CLI is done via: | ||
|
|
||
| ```bash | ||
| npm install release-please -g | ||
| ``` | ||
|
|
||
| Then create the `release-please` branch and PR: | ||
|
|
||
| ```bash | ||
| release-please release-pr --repo-url nutanix-cloud-native/cluster-api-runtime-extension --token "$(gh auth token)" | ||
| ``` | ||
|
|
||
| This will create the branch and release PR. From this point on until a release is ready, the `release-please-action` | ||
| will keep the PR up to date (GHA workflows are only not allowed to create the original PR, they can keep the PR up to | ||
| date). | ||
|
|
||
| When a release is ready, the commits in the release PR will need to be signed (again, this is a security requirement). | ||
| To do this, check out the PR branch locally: | ||
|
|
||
| ```bash | ||
| gh pr checkout <RELEASE_PR_NUMBER> | ||
| ``` | ||
|
|
||
| Sign the previous commit: | ||
|
|
||
| ```bash | ||
| git commit --gpg-sign --amend | ||
| ``` | ||
|
|
||
| And force push: | ||
|
|
||
| ```bash | ||
| git push --force-with-lease | ||
| ``` | ||
|
|
||
| The PR will then need the standard 2 reviewers and will then be auto-merged, triggering the release jobs to run and push | ||
| relevant artifacts and images. | ||
|
|
||
| [^1]: Specifically, GitHub Actions workflows are not allowed to create or approve PRs due to a potential security flaw. | ||
| See [this blog post][cider-sec] for more details, as well as the [Security Hardening for GitHub Actions | ||
| docs][gha-security-hardening]. | ||
|
|
||
| [release-please]: https://github.com/googleapis/release-please/ | ||
| [release-please-action]: https://github.com/google-github-actions/release-please-action | ||
| [cider-sec]: https://medium.com/cider-sec/bypassing-required-reviews-using-github-actions-6e1b29135cc7 | ||
| [gha-security-hardening]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions |