# Release engineering

Release engineering turns main into signed, reproducible, airgap friendly artifacts. Builds must be deterministic and verifiable offline.

## Release philosophy

- Every commit on main is releasable.
- Builds are reproducible and offline friendly.
- All artifacts ship with SBOMs and signatures.

## Versioning and branches

- main: nightly images
- release/X.Y: stabilization branch
- tags X.Y.Z: signed releases

## Pipeline stages (high level)

- Lint, unit tests, build, container tests
- SBOM generation and provenance
- Signing and publishing
- End to end tests and notifications

## Artifact signing

- Cosign for containers and bundles
- DSSE envelopes for attestations
- Optional Rekor anchoring when available

## Offline update kit (OUK)

- Monthly bundle of feeds and tooling
- Signed tarball with hashes and offline token

## Release checks

- Verify SBOM attachment and signatures
- Run release verifier scripts
- Smoke test offline kit

## Hotfixes

- Branch from latest tag, minimal patch, retag and publish

## Related references

- docs/13_RELEASE_ENGINEERING_PLAYBOOK.md
- docs/ci/*
- docs/devops/*
- docs/release/* and docs/releases/*
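
The DSSE envelopes listed under Artifact signing sign a pre-authentication encoding (PAE) of the payload type and payload together, so an offline release check has to rebuild those bytes before trusting an attestation. The following is an added example of that check, not this project's verifier scripts; HMAC-SHA256, `DEMO_KEY` and the key id `demo` are constructed stand-ins for the real signing keys and signature scheme.

```python
import base64
import hashlib
import hmac
import json

IN_TOTO_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signer signs."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def verify_envelope(envelope: dict, verifiers: dict, expected_type: str) -> bytes:
    """Return the decoded payload only if a trusted key signed PAE(type, payload)."""
    if envelope.get("payloadType") != expected_type:
        raise ValueError("unexpected payloadType")
    try:
        payload = base64.b64decode(envelope["payload"], validate=True)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed payload") from exc
    message = pae(expected_type, payload)
    for entry in envelope.get("signatures", []):
        check = verifiers.get(entry.get("keyid"))  # unknown key ids are skipped
        try:
            sig = base64.b64decode(entry.get("sig", ""), validate=True)
        except (TypeError, ValueError):
            continue
        if check is not None and check(message, sig):
            return payload  # parse the payload only after this point
    raise ValueError("no valid signature from a trusted key")

# --- Constructed demo: HMAC-SHA256 stands in for the real signature scheme ---
DEMO_KEY = b"constructed-demo-key"

def demo_check(message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(DEMO_KEY, message, hashlib.sha256).digest(), sig)

def demo_sign(payload_type: str, payload: bytes) -> dict:
    sig = hmac.new(DEMO_KEY, pae(payload_type, payload), hashlib.sha256).digest()
    return {"payloadType": payload_type,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}

if __name__ == "__main__":
    statement = json.dumps({"_type": "https://in-toto.io/Statement/v1",
                            "subject": [{"name": "constructed-artifact"}]}).encode()
    envelope = demo_sign(IN_TOTO_TYPE, statement)
    print(json.loads(verify_envelope(envelope, {"demo": demo_check}, IN_TOTO_TYPE)))
```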