cncf
[Initiative]: CNCF Project Release Guidelines
Name
CNCF Project Release Guidelines
Short description
Create guidelines, patterns, and reference implementations to help CNCF projects establish robust, secure, and repeatable release workflows.
Responsible group
TAG Operational Resilience
Does the initiative belong to a subproject?
No
Subproject name
No response
Primary contact
Jeremy Rickard
Additional contacts
Matt Young
Initiative description
This initiative is out for community feedback until Friday Sept 12th doc for review
This initiative will create a comprehensive set of guidelines, patterns, and reference implementations to help CNCF projects establish robust, secure, and repeatable release workflows. This provides a practical framework for projects to align with the CNCF's obligations under regulations like the EU's Cyber Resiliency Act (CRA).
The need for this guidance was first proposed by Karena Angell during the public TOC meeting on August 19th, 2025, in response to recurring needs identified during project due diligence. The outcome will be a valuable toolkit that empowers project maintainers to enhance security, improve transparency, and deliver software to their communities with greater confidence and predictability.
Related Initiatives
- [Initiative]: CNCF Software Supply Chain Insights · Issue #1709
- [Initiative]: CNCF Project Capabilities Badging Framework · Issue #1711
- forthcoming TAG Security Initiative that will provide relevant guidance on SBOM generation, signing, and other security artifacts {{TODO link once created}}
Scope and Goals
The scope of this initiative is to research and document guidelines covering the following topics:
- Versioning and Branching: Establish clear recommendations for versioning schemes (e.g., Semantic Versioning) and sustainable git branching strategies for release management (e.g., release branches, hotfixes).
- Release Planning and Cadence: Provide patterns for transparent release planning, public roadmapping, and establishing a predictable release cadence that is appropriate for the project and that builds Adopter trust.
- Changelogs and Release Notes: Document good practices for maintaining clear, human-readable changelogs and generating informative release notes, including the use of automation via standards like Conventional Commits.
- Automation and Tooling: Identify and provide reference examples for tooling and CI/CD pipelines (e.g., GitHub Actions, GoReleaser) to create automated, repeatable, and reliable release workflows.
- Security Artifact Integration: This initiative will coordinate with TAG Security to consume the deliverables from a to-be-created, dedicated initiative within TAG Security. That initiative will provide the formal guidance on the generation, signing, and distribution of essential security artifacts (e.g., SBOMs, VEX documents, SLSA attestations, and digital signatures), which will be integrated as a standard part of these release guidelines.
Non-Goals
- This initiative will not mandate a specific release cadence or frequency for projects.
- It will not enforce the use of any single, specific tool, instead offering a range of well-documented options.
- It will not create a strict, pass/fail compliance regime; the goal is to provide a clear framework and path to improvement, not to create a barrier.
Deliverable(s) or exit criteria
The initiative will produce a multi-faceted set of deliverables designed for practical adoption:
- A published guide on the CNCF website covering the patterns and practices for all topics defined in the Goals section.
- A collection of templates and reference implementations that projects can directly adopt or adapt to streamline their release workflows. Examples include reusable GitHub Actions and Checklists.
- A proposal for a Rubric that can be used by the [Initiative]: CNCF Project Capabilities Badging Framework · Issue #1711 for potential future "Release Practices" badge(s).
The initiative will be considered complete when these three deliverables are published and handed off to the relevant groups for maintenance.
Tracking document for meeting and progress
https://notes.cncf.io/lRijaAgCTH6d4aH26RcANA
+1.
With recent focus on the supply chain security, it is often the release process and repeatable release artifacts proving to be hurdle for many projects, in addition to release processes being tied to certain access level, limiting it to only few people, and making them a bottleneck, and causing massive delays propagating the fixes downstream. While it is a non-goal to meddle with release cadence, removing obstacles for releasing fast when needed is crucial, especially with release branches and hotfixes.
For the security artifacts, there is also similar boom in tooling, ways of working and varied expectations what should be available, guidance documentation would be very welcomed to act as an goal to strive for. For example, Metal3.io wants to improve (cough, have some) its security artifact, but each time we go to conference, there is X new tools to do SLSA attestations, SBOM generation etc. CNCF doesn't make kings, but some recommendations would go long way :)
From the TAG OR call today -
- make sure this initiative and draft is circulated for feedback with CNCF projects at all three maturity levels.
- make sure the guidelines cover the Due Diligence criteria for high quality releases, i.e. conformance with specification, expectations for contributed sub-projects to a minimum bar for release, regression testing, avoiding bugs.
I added this comment to the doc:
general wondering...:
I am wondering if there are cases where we see a obvious lack in projects that is caused by release management. or in other words.. is this really an issue?
do maintainers need this guidance? do people ask for this? or is this more compliance EU CRA etc.
or do we "just" get to this now
it might be good to do a number of "interviews" with some projects of each level to see how releases are done? Get more context of current state and all..
Vote created
@riaankleinhans has called for a vote on [Initiative]: CNCF Project Release Guidelines (#1849).
The members of the following teams have binding votes:
| Team |
|---|
| @cncf/cncf-toc-voters |
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to this comment. The following reactions are supported:
| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |
Please note that voting for multiple options is not allowed and those votes won't be counted.
The vote will be open for 5months 29days 19h 12m. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
![git-vote[bot] avatar](https://avatars.githubusercontent.com/in/206179?v=4 "Published by a pub.dev verified publisher"){kind=small}
Vote status
So far 9.09% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 1 | 0 | 0 | 10 |
Binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kfaseela | Pending | |
| @jeremyrickard | Pending | |
| @kgamanji | Pending |
Non-binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
Vote status
So far 9.09% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 1 | 0 | 0 | 10 |
Binding votes (1)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kfaseela | Pending | |
| @jeremyrickard | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 18.18% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 2 | 0 | 0 | 9 |
Binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @dims | Pending | |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @jeremyrickard | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 27.27% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 3 | 0 | 0 | 8 |
Binding votes (3)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @jeremyrickard | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 45.45% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 5 | 0 | 0 | 6 |
Binding votes (5)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 45.45% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 5 | 0 | 0 | 6 |
Binding votes (5)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 45.45% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 5 | 0 | 0 | 6 |
Binding votes (5)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @chadbeaudin | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 54.55% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 6 | 0 | 0 | 5 |
Binding votes (6)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| chadbeaudin | In favor | 2025-09-11 18:48:12.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 54.55% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 6 | 0 | 0 | 5 |
Binding votes (6)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| chadbeaudin | In favor | 2025-09-11 18:48:12.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 54.55% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 6 | 0 | 0 | 5 |
Binding votes (6)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| chadbeaudin | In favor | 2025-09-11 18:48:12.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @kevin-wangzefeng | Pending | |
| @chira001 | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 63.64% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 7 | 0 | 0 | 4 |
Binding votes (7)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| chadbeaudin | In favor | 2025-09-11 18:48:12.0 +00:00:00 |
| chira001 | In favor | 2025-09-15 15:24:58.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending | |
| @kevin-wangzefeng | Pending | |
| @kgamanji | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote status
So far 81.82% of the users with binding vote are in favor and 0.00% are against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 9 | 0 | 0 | 2 |
Binding votes (9)
| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| chadbeaudin | In favor | 2025-09-11 18:48:12.0 +00:00:00 |
| chira001 | In favor | 2025-09-15 15:24:58.0 +00:00:00 |
| dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| kevin-wangzefeng | In favor | 2025-09-16 16:00:47.0 +00:00:00 |
| kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| kgamanji | In favor | 2025-09-16 15:09:31.0 +00:00:00 |
| @rochaporto | Pending | |
| @linsun | Pending |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
Vote closed
The vote passed! 🎉
90.91% of the users with binding vote were in favor and 0.00% were against (passing threshold: 66%).
Summary
| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 10 | 0 | 0 | 1 |
Binding votes (10)
| User | Vote | Timestamp |
|---|---|---|
| @TheFoxAtWork | In favor | 2025-09-04 20:29:09.0 +00:00:00 |
| @angellk | In favor | 2025-09-08 17:37:28.0 +00:00:00 |
| @chadbeaudin | In favor | 2025-09-11 18:48:12.0 +00:00:00 |
| @chira001 | In favor | 2025-09-15 15:24:58.0 +00:00:00 |
| @dims | In favor | 2025-09-07 16:08:25.0 +00:00:00 |
| @jeremyrickard | In favor | 2025-09-09 15:50:12.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2025-09-16 16:00:47.0 +00:00:00 |
| @kfaseela | In favor | 2025-09-06 15:30:52.0 +00:00:00 |
| @kgamanji | In favor | 2025-09-16 15:09:31.0 +00:00:00 |
| @rochaporto | In favor | 2025-09-16 17:56:20.0 +00:00:00 |
Non-binding votes (2)
| User | Vote | Timestamp |
|---|---|---|
| @tuminoid | In favor | 2025-09-04 17:26:23.0 +00:00:00 |
| @manzil-infinity180 | In favor | 2025-09-05 18:32:07.0 +00:00:00 |
