-
Notifications
You must be signed in to change notification settings - Fork 3
docs: OpenSSF Best Practices passing-level artifacts #147
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,6 +7,43 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 | |
|
|
||
| --- | ||
|
|
||
| ## Release Process | ||
|
|
||
| > Paste this prompt into a new Claude Code session, fill in the three placeholders, and send it to perform a release. | ||
|
|
||
| ``` | ||
| Release `{PROJECT}` to Maven Central. | ||
|
|
||
| **Step 1 — Prepare the release (do immediately):** | ||
| 1. Read the current version from `pom.xml` on `main` — it will be `{VERSION}-SNAPSHOT` | ||
| 2. Strip `-SNAPSHOT` from `pom.xml` (→ `{VERSION}`) | ||
| 3. In `README.md`, update **both**: | ||
| - The release dependency example to `{VERSION}` | ||
| - The snapshot dependency example to `{VERSION}-SNAPSHOT` (it should already match, but verify) | ||
| 4. Commit both files directly to `main` (no pull request) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Governance Note: Direct commits to |
||
|
|
||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Missing Pre-Release Validation: The process should include an explicit step to verify all CI checks pass before tagging. Add after step 4: Step 1.5 — Verify CI: This prevents releasing with known CI failures. |
||
| **Step 2 — Wait for manual confirmation:** | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Governance Risk: This statement is ambiguous — it suggests an AI agent ("I") is performing tag/release creation, which is a significant security and governance concern. Clarify as: "After CI confirms all checks pass, manually create the The release process template must make explicit that human maintainers, not AI systems, are responsible for creating tags and publishing to Maven Central. |
||
| I will create the `v{VERSION}` tag and GitHub release manually — wait for me to confirm | ||
| the release is published on Maven Central before proceeding. | ||
|
|
||
| **Step 3 — Post-release snapshot bump (after my confirmation):** | ||
| Bump **both** files on `main`: | ||
| - `pom.xml` → `{NEXT_VERSION}-SNAPSHOT` | ||
| - `README.md` snapshot dependency example → `{NEXT_VERSION}-SNAPSHOT` | ||
|
|
||
| Commit both changes together directly to `main`. | ||
|
|
||
| **Placeholders:** | ||
|
|
||
| | Placeholder | Value | | ||
| |------------------|----------------------------------------------| | ||
| | `{PROJECT}` | *(project name)* | | ||
| | `{VERSION}` | *(release version, e.g. `1.3.0`)* | | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Version Bump Guidance: The example shows a patch-level bump ( Refer to semver.org for guidance on the next version choice. |
||
| | `{NEXT_VERSION}` | *(next snapshot base, e.g. `1.3.1`)* | | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| ## [Unreleased] | ||
|
|
||
| ### Added | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Format Issue: Per Keep a Changelog 1.1.0, the
[Unreleased]section should be first after the header description. Consider moving this entire "Release Process" section to the bottom of the file (after the version history) to comply with the standard format. This also improves discoverability since users expect to see changes at the top.