slsa-verifier
Maintaining release versions and backporting fixes
cf. https://github.com/slsa-framework/slsa-verifier/pull/132
Version 1.0.0 required a fix after a Rekor change, and this backported fix needs to be added to older releases.
In order to support backports, we need to:
- Create release branches for each release we cut
- Determine how verification with tag/branch options will work.
If 2 branches (main and release-v1.0.0) are at the same commit, creating a release from release-v1.0.0 will trigger the workflow on the main branch. During verification, there is no need for --branch release-v1.0.0, and verification will pass.
We can commit a changelog. wdyt?
For the e2e tests:
- Possibly we need to enforce a policy that only the highest PATCH version be used in verification. If we do this, then we don't need to do any tag manipulation.
cc @laurentsimon
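As an added illustration of the "only the highest PATCH version" policy proposed above for the e2e tests (example code written here, not part of slsa-verifier or this issue), the snippet below groups vMAJOR.MINOR.PATCH tags by their major.minor line and reports whether a given tag is the newest patch release in its line; the tag list is a constructed sample, and pre-release tags such as v2.0.0-rc.1 are deliberately treated as non-release tags.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// tagRe matches plain release tags of the form vMAJOR.MINOR.PATCH (no pre-release suffix).
var tagRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)$`)

type version struct{ major, minor, patch int }

// parseTag returns the parsed version and true for a release tag, false for anything else.
func parseTag(tag string) (version, bool) {
	m := tagRe.FindStringSubmatch(tag)
	if m == nil {
		return version{}, false
	}
	major, _ := strconv.Atoi(m[1]) // digits guaranteed by the regexp
	minor, _ := strconv.Atoi(m[2])
	patch, _ := strconv.Atoi(m[3])
	return version{major, minor, patch}, true
}

// highestPatch maps each "vMAJOR.MINOR" line to the highest patch tag found in tags.
func highestPatch(tags []string) map[string]string {
	best := map[string]version{}
	for _, t := range tags {
		v, ok := parseTag(t)
		if !ok {
			continue
		}
		key := fmt.Sprintf("v%d.%d", v.major, v.minor)
		if cur, seen := best[key]; !seen || v.patch > cur.patch {
			best[key] = v
		}
	}
	out := map[string]string{}
	for k, v := range best {
		out[k] = fmt.Sprintf("v%d.%d.%d", v.major, v.minor, v.patch)
	}
	return out
}

// isHighestPatch reports whether tag is the newest patch release of its major.minor line,
// i.e. the only tag that the proposed e2e policy would allow verification to use.
func isHighestPatch(tag string, tags []string) bool {
	v, ok := parseTag(tag)
	if !ok {
		return false
	}
	return highestPatch(tags)[fmt.Sprintf("v%d.%d", v.major, v.minor)] == tag
}

func main() {
	// Constructed sample tag list; not the project's real tag history.
	tags := []string{"v1.0.0", "v1.0.1", "v1.1.0", "v2.0.0-rc.1", "main"}
	for _, t := range tags {
		fmt.Printf("%-12s highest patch of its line: %v\n", t, isHighestPatch(t, tags))
	}
}
```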