This directory contains the files and scripts to run a cosign release.
- Release notes: Create a PR to update and review release notes in CHANGELOG.md.
  - Check merged pull requests since the last release and make sure enhancements, bug fixes, and authors are reflected in the notes.

  You can get a list of pull requests since the last release by substituting in the date of the last release and running:

  ```shell
  git log --pretty="* %s" --after="YYYY-MM-DD"
  ```

  and a list of authors by running:

  ```shell
  git log --pretty="* %an" --after="YYYY-MM-DD" | sort -u
  ```
- Submit the cloudbuild job using the following command:

  ```shell
  $ gcloud builds submit --config <PATH_TO_CLOUDBUILD> \
      --substitutions _GIT_TAG=<_GIT_TAG>,_TOOL_ORG=sigstore,_TOOL_REPO=rekor,_TOOL_REF=main,_STORAGE_LOCATION=rekor-releases,_KEY_RING=<KEY_RING>,_KEY_NAME=<KEY_NAME> \
      --project <GCP_PROJECT>
  ```

  Where:

  - `PATH_TO_CLOUDBUILD` is the path where the cloudbuild.yaml can be found.
  - `GCP_PROJECT` is the GCP project where we will run the job.
  - `_GIT_TAG` is the release version we are publishing; this will also create the GitHub tag.
  - `_TOOL_ORG` is the GitHub org we will use. Default `sigstore`.
  - `_TOOL_REPO` is the repository we will clone. Default `cosign`.
  - `_TOOL_REF` is the branch we will use to cut a release. Default `main`.
  - `_STORAGE_LOCATION` is where to push the built artifacts. Default `cosign-releases`.
  - `_KEY_RING` is the key ring name of your cosign key.
  - `_KEY_NAME` is the key name of your cosign key.
  - `_KEY_VERSION` is the version of the key stored in KMS. Default `1`.
  - `_KEY_LOCATION` is the location in GCP where the key is stored. Default `global`.
- When the job finishes without issues, you should be able to see a draft release in GitHub. You can now review the release, make any changes if needed, and then publish it to make it an official release.
- Send an announcement email to the sigstore-dev@googlegroups.com mailing list.
- Tweet about the new release with a fun new trigonometry pun!
- Honk!
- Add a pending new section in CHANGELOG.md to set up for the next release
- Create a new GitHub Milestone
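
For the cloudbuild submission step above, a small helper can assemble the `--substitutions` value from the documented defaults and refuse to continue when a required value is missing or still a `<PLACEHOLDER>`. This is an added example, not part of the cosign repository; the function name and the environment variable names used for overrides are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the cosign repository.
# Optional overrides come from the environment (hypothetical variable names):
# TOOL_ORG, TOOL_REPO, TOOL_REF, STORAGE_LOCATION, KEY_VERSION, KEY_LOCATION.

# usage: build_substitutions <git-tag> <key-ring> <key-name>
build_substitutions() {
  local git_tag="${1:-}" key_ring="${2:-}" key_name="${3:-}"
  local pair out=""

  # These three have no documented default, so they must be supplied.
  if [ -z "$git_tag" ] || [ -z "$key_ring" ] || [ -z "$key_name" ]; then
    echo "error: _GIT_TAG, _KEY_RING and _KEY_NAME are required" >&2
    return 1
  fi

  for pair in \
    "_GIT_TAG=$git_tag" \
    "_TOOL_ORG=${TOOL_ORG:-sigstore}" \
    "_TOOL_REPO=${TOOL_REPO:-cosign}" \
    "_TOOL_REF=${TOOL_REF:-main}" \
    "_STORAGE_LOCATION=${STORAGE_LOCATION:-cosign-releases}" \
    "_KEY_RING=$key_ring" \
    "_KEY_NAME=$key_name" \
    "_KEY_VERSION=${KEY_VERSION:-1}" \
    "_KEY_LOCATION=${KEY_LOCATION:-global}"
  do
    # Reject values that would corrupt the comma-separated list, and
    # placeholders such as <KEY_RING> that were never filled in.
    case "${pair#*=}" in
      *","*|*"<"*|*">"*|*[[:space:]]*)
        echo "error: invalid value in '$pair'" >&2
        return 1 ;;
    esac
    out="${out:+$out,}$pair"
  done
  printf '%s\n' "$out"
}

# Constructed sample values, for illustration only.
build_substitutions "v0.0.0-example" "example-ring" "example-key"
```

The printed string can be passed as the argument to `--substitutions` in the `gcloud builds submit` command.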