This is a draft document to describe the release process for the scorecard GitHub Action.
(If there are improvements you'd like to see, please comment on the tracking issue or issue a pull request to discuss.)
As the first task, a Release Manager should open a tracking issue for the release.
We don't currently have a template for releasing, but the following issue is a good example to draw inspiration from.
We're not striving for perfection with the template, but the tracking issue will serve as a reference point to aggregate feedback, so try your best to be as descriptive as possible.
This section covers changes that need to be issued as a pull request and should be merged before releasing the scorecard GitHub Action.
NOTE: As the scorecard GitHub Action is based on scorecard, you may want to publish a new release of scorecard to ensure the next release of the GitHub Action has the most up-to-date functionality. This is not strictly required. The only requirement is that we use a stable scorecard version which is at or above the current version used for this action.
For the rest of document, let CH1
be the hash of the scorecard image you
intend to use for this release.
See here for scorecard images.
(We'll use 0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552
as CH1
in any examples below.)
Now that you have CH1
, update the digest in the Dockerfile to use CH1
.
Example:
FROM gcr.io/openssf/scorecard:v100.0.0@sha256:0bc9576b3efbda7b38febbf0a1e1b9546894f9650aaead9ccb5edc7dade86552 as base
Create a pull request with this change.
Once the PR is merged, note the GitHub commit hash.
We'll refer to this as GH2
below.
Locally, create a signed tag based on GH2
:
git remote update
git checkout `GH2`
git tag -s -m "v100.0.0" v100.0.0
git push <upstream> --tags
Create a GitHub release using the tag you've just created.
Release title: <tag>
The release notes will be the notes you drafted in the previous step.
Ensure the following fields are up to date:
- Security contact email
- Primary Category
- Another Category — optional
Click Publish release
.
-
Open a pull request in the starter workflows repo to update the action's digest to
GH2
. -
Update our documentation's example workflow to use
GH2
. -
Verify on GitHub Marketplace that the workflow example contains
GH2
.NOTE: GitHub Marketplace uses the default branch as reference documentation