Automate releases in the top level CFI repo #271

Open
eddie-knight opened this issue Oct 10, 2022 · 0 comments
Labels: reproducible infra wg (Allocated to reproducible infrastructure working group)

Comments

@eddie-knight (Contributor)

Feature Request

Description of Problem:

The OpenSSF Scorecard has several requirements that are best achieved by automated releases.

The badge checks relating to releases are listed below:

  • To enable collaborative review, the project's source repository MUST include interim versions for review between releases; it MUST NOT include only final releases.
  • The project results MUST have a unique version identifier for each release intended to be used by users.
  • It is SUGGESTED that the Semantic Versioning (SemVer) or Calendar Versioning (CalVer) version numbering format be used for releases. It is SUGGESTED that those who use CalVer include a micro level value.
  • It is SUGGESTED that projects identify each release within their version control system. For example, it is SUGGESTED that those using git identify each release using git tags.
  • The project MUST provide, in each release, release notes that are a human-readable summary of major changes in that release to help users determine if they should upgrade and what the upgrade impact will be. The release notes MUST NOT be the raw output of a version control log (e.g., the "git log" command results are not release notes). Projects whose results are not intended for reuse in multiple locations (such as the software for a single website or service) AND employ continuous delivery MAY select "N/A". (URL required)
  • The release notes MUST identify every publicly known run-time vulnerability fixed in this release that already had a CVE assignment or similar when the release was created. This criterion may be marked as not applicable (N/A) if users typically cannot practically update the software themselves (e.g., as is often true for kernel updates). This criterion applies only to the project results, not to its dependencies. If there are no release notes or there have been no publicly known vulnerabilities, choose N/A.

Potential Solutions:

This process can largely be automated following examples set by other open source repositories. Alternatively, the GitHub Releases UI can be supplemented with an option for configurable auto-generated release notes.

Option 1 references:

Option 2 docs:
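A minimal way to automate the tag-to-release step described above, as an added example that is not part of this issue or the CFI repository; it assumes the workflow lives at `.github/workflows/release.yml` and that releases are tagged as `vMAJOR.MINOR.PATCH`:

```yaml
# .github/workflows/release.yml (assumed path; added example, not CFI project code)
name: Publish release on version tag

on:
  push:
    tags:
      - "v*.*.*"   # only SemVer-style tags such as v1.4.2 trigger a release

permissions:
  contents: write   # least privilege: creating a release needs nothing more

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the tagged commit
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so notes cover changes since the previous tag

      - name: Create the GitHub release with auto-generated notes
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # --verify-tag aborts if the tag is not already on the remote, so the
          # release always points at the exact commit that was tagged.
          gh release create "$GITHUB_REF_NAME" \
            --title "$GITHUB_REF_NAME" \
            --verify-tag \
            --generate-notes
```

The categories and excluded labels used by the generated notes are configured separately in `.github/release.yml`. Generated notes are a list of merged pull requests, so the summary of fixed CVEs that the last badge criterion asks for still has to be written by a maintainer when editing the release.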

@mcleo-d mcleo-d added the new issue New issue into the CFI backlog label Oct 21, 2022
@eddie-knight eddie-knight added reproducible infra wg Allocated to reproducible infrastructure working group policy wg and removed new issue New issue into the CFI backlog labels Dec 21, 2022
@eddie-knight eddie-knight changed the title Automate releases in this repo Automate releases in the top level CFI repo Dec 21, 2022

No branches or pull requests

3 participants