This document describes the versioning scheme and release processes for Ratify.
The specification release process was created using content and verbiage from the following specifications:
- ORAS Artifact Specification Releases
- ORAS Developer Guide
- Mystikos Release Management
- Gatekeeper Release Management
The Ratify project follows semantic versioning beginning with version v0.1.0. Pre-release versions may be specified with a dash after the patch version and the following specifiers (in the order of release readiness):
alpha1,alpha2, etc.beta1,beta2, etc.rc1,rc2,rc3, etc.
Example pre-release versions include v0.1.0-alpha1, v0.1.0-beta2, v0.1.0-rc3. Pre-release versions are not required and stages can be bypassed (i.e. an alpha release does not require a beta release). Pre-releases must be in order and gaps are not allowed (i.e. the only releases that can follow rc1 are the full release or rc2).
-
Most e2e-scenarios for cli, K8s, and Azure are covered by the Ratify e2e tests. Please refer to this document for the current supported and unsupported tests. Please perform manual prerelease validations for the unsupported tests list here
-
If the format of the data returned for external data calls has changed, validate change is also reflected in
httpserver/types.go. -
Delete all dev images generated since the previous release under the
ratify-devandratify-crds-devpackages. Each dev image tag is prefixed withdevfollowed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA4cf98388ef33c587ef86b82e05cb0f7de2da2ea8would be taggeddev.20230308.4cf9838). The most recent images are also tagged with a rolling taglatest. -
Delete all dev helm charts since the previous release under the
ratify-chart-dev/ratifypackages. Each helm chart is published with a semantic version compatible tag0-devfollowed by the date of creation and then the abbreviated 7 character commit SHA (e.g a chart generated on March 8, 2023 from main branch with commit SHA4cf98388ef33c587ef86b82e05cb0f7de2da2ea8would be tagged0-dev.20230308.4cf9838). The most recent dev chart is also tagged with the rolling tag0-dev. -
Copy contents from
dev.helmfile.yamltohelmfile.yaml&dev.high-availability.helmfile.yamltohigh-availability.helmfile.yaml. You MUST update/remove values marked by comments in the files. Thedevprefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primaryhelmfile.yamlandhigh-availability.helmfile.yamlMUST stay pinned to the current release since they are used by the quickstarts. Updatedev.helmfile.yaml&dev.high-availability.helmfile.yamlratify chart version to new release version.
This section deals with the practical considerations of versioning in Git, this repo's version control system. See the semantic versioning specification for the scope of changes allowed for each release type.
All releases will be of the form vX.Y.Z where X is the major version, Y is the minor version and Z is the patch version.
Applicable fixes, including security fixes, may be backported to supported releases, depending on severity and feasibility. Patch release are cut from branch release-X.Y. Commits can be cherry-picked from main, changes should be merged into latest supported minor release-X.Y branches once required PR requirements are met.
When a minor release is required, the release commits should be merged with the main branch when ready.
- Alpha and Beta releases will be cut from the main branch.
- For RC and stable releases, a new branch
release-X.Ywill be created frommain. - Required changes for the minor release should be PRed to the
devbranch, the change will then be cherry picked torelease-X.Yfrommain.
When a major release is required, the release commits should be merged with the main branch when ready. Major versions will usually require multiple pre-release versions. Similar to minor releases, the new branch should be created for the RC and stable release.
X.Y.Z refers to the version (git tag) of Ratify that is released.
- Prepare the release with a PR to update the chart value.
- When the
release-X.Ybranch is ready, a tag X.Y.Z should be pushed. e.g.git tag v1.1.1andgit push --tags. This will trigger a Goreleaser action that will build the binaries and creates a GitHub release:
- The release will be marked as a draft to allow an final editing before publishing.
- The release notes and other fields can edited after the action completes. The description can be in Markdown.
- The pre-release flag will be set for any release with a pre-release specifier.
- The pre-built binaries are built from commit at the head of the release branch.
- The files are named
ratify_<major>-<minor>-<patch>_<OS>_<ARCH>with.zipfiles for Windows and.tar.gzfor all others.
- The files are named
Applicable fixes, including security fixes, may be cherry-picked into the release branch, depending on severity and feasibility. Patch releases are cut from that branch as needed.
We expect to "support" n (current). "Support" means we expect users to be running that version in production. For example, when v1.2 comes out, v1.1 will no longer be supported for patches, and we encourage users to upgrade to a supported version as soon as possible.
Ratify is assumed to be compatible with GateKeeper Supported Versions and the current Kubernetes Supported Versions per Kubernetes Supported Versions policy.
For example, if Gatekeeper supported versions are v3.13 and v3.14, and Kubernetes supported versions are v1.28, v1.29, then current version of Ratify (v1.2) are assumed to be compatible with all supported Kubernetes versions (v1.28, v1.29) and Gatekeeper version(v3.13, v3.14).
After a successful release, please prepare a PR to update the chart value in dev branch. After PR gets merged, manually trigger quick start action to validate the quick start test is passing. Validate in the run logs that the version of ratify matches the latest released version.
- Ratify is configured to generate and publish dev build images based on the schedule here.
- Contributors MUST select the
Helm Chart Changeoption under theType of Changesection if there is ANY update to the helm chart that is required for proposed changes in PR. - Maintainers MUST manually trigger the "Publish Package" workflow after merging any PR that indicates
Helm Chart Change- Go to the
Actionstab for the Ratify repository - Select
publish-ghcroption from list of workflows on left pane - Select the
Run workflowdrop down on the right side above the list of action runs - Choose
Branch: main - Select
Run workflow
- Go to the
- Process to Request an off-schedule dev build be published
- Submit a new feature request issue prefixed with
[Dev Build Request] - In the the
What this PR does / why we need itsection, briefly explain why an off schedule build is needed - Once issue is created, post in the
#ratifyslack channel and tag the maintainers - Maintainers should acknowledge request by approving/denying request as a follow up comment
- Submit a new feature request issue prefixed with
- The
ratifyimage andratify-crdsimage for dev builds exist as separate packages on Github here and here. - the
repositorycrdRepositoryandtagfields must be updated in the helm chart to point to dev build instead of last released build. Please set the tag to be latest tag found at the corresponding-devsuffixed package. An example install command scaffold:
helm install ratify \
./charts/ratify --atomic \
--namespace gatekeeper-system \
--set image.repository=ghcr.io/ratify-project/ratify-dev
--set image.crdRepository=ghcr.io/ratify-project/ratify-crds-dev
--set image.tag=dev.<YYYYMMDD>.<ABBREVIATED_GIT_HASH_COMMIT>
--set-file notationCerts[0]=./test/testdata/notation.crtNOTE: the tag field is the only value that will change when updating to newer dev build images