This issue runs around 6 months post-GA, when v4 EOL is announced. The apiserver and frontend EOL flips are interlocked.
Step order is critical. The workflow edits on 4.14.x must happen before the branch goes read-only. Otherwise the
deprecation can never be merged.
For each of dependency-track:4.14.x and frontend:4.14.x, in this order, run the five steps below.
1. Edit _meta-build.yaml on 4.14.x
Stop publishing bare :snapshot from this branch. Optionally retag the last v4 nightly as :4-snapshot-eol for forensic
pulls. The :4-snapshot tag (from the caller-side major-version derivation, when it was carried over to the v4 branch)
continues to exist as the frozen v4 nightly. Bare :snapshot is removed from the tag set entirely.
2. Cut the final 4.14.z patch (if any)
This locks in the EOL state for v4 consumers who pin a specific version.
3. Mark 4.14.x read-only
Branch protection: no pushes, no merges, no force-pushes. Document publicly that v4 maintenance has ended.
4. Revert the major == 5 :latest guard on dependency-track:main
_meta-build.yaml returns to its pre-cutover :latest behavior. v5 takes over :latest on the next v5 GA-train release
after this revert. Apply the same revert on frontend:main.
5. Public EOL announcement
Cover both flips:
:latest is now v5.- Bare
:snapshot is deprecated. Consumers must migrate to :4-snapshot (frozen) or :5-snapshot (advancing) explicitly.
The "deprecate, not flip" choice on :snapshot is deliberate. Silently moving long-time v4 nightly consumers across a
major version on the next pull is the kind of churn this whole cutover is designed to avoid. Forcing an explicit decision
per consumer is the price of avoiding it.
This issue runs around 6 months post-GA, when v4 EOL is announced. The apiserver and frontend EOL flips are interlocked.
Step order is critical. The workflow edits on
4.14.xmust happen before the branch goes read-only. Otherwise thedeprecation can never be merged.
For each of
dependency-track:4.14.xandfrontend:4.14.x, in this order, run the five steps below.1. Edit
_meta-build.yamlon4.14.xStop publishing bare
:snapshotfrom this branch. Optionally retag the last v4 nightly as:4-snapshot-eolfor forensicpulls. The
:4-snapshottag (from the caller-side major-version derivation, when it was carried over to the v4 branch)continues to exist as the frozen v4 nightly. Bare
:snapshotis removed from the tag set entirely.2. Cut the final 4.14.z patch (if any)
This locks in the EOL state for v4 consumers who pin a specific version.
3. Mark
4.14.xread-onlyBranch protection: no pushes, no merges, no force-pushes. Document publicly that v4 maintenance has ended.
4. Revert the
major == 5:latestguard ondependency-track:main_meta-build.yamlreturns to its pre-cutover:latestbehavior. v5 takes over:lateston the next v5 GA-train releaseafter this revert. Apply the same revert on
frontend:main.5. Public EOL announcement
Cover both flips:
:latestis now v5.:snapshotis deprecated. Consumers must migrate to:4-snapshot(frozen) or:5-snapshot(advancing) explicitly.The "deprecate, not flip" choice on
:snapshotis deliberate. Silently moving long-time v4 nightly consumers across amajor version on the next pull is the kind of churn this whole cutover is designed to avoid. Forcing an explicit decision
per consumer is the price of avoiding it.