bc4318ef97
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
1.2 KiB
1.2 KiB
Release engineering
Release engineering turns main into signed, reproducible, airgap friendly artifacts. Builds must be deterministic and verifiable offline.
Release philosophy
- Every commit on main is releasable.
- Builds are reproducible and offline friendly.
- All artifacts ship with SBOMs and signatures.
Versioning and branches
- main: nightly images
- release/X.Y: stabilization branch
- tags X.Y.Z: signed releases
Pipeline stages (high level)
- Lint, unit tests, build, container tests
- SBOM generation and provenance
- Signing and publishing
- End to end tests and notifications
Artifact signing
- Cosign for containers and bundles
- DSSE envelopes for attestations
- Optional Rekor anchoring when available
- Promotion attestations capture release evidence for offline audit
Offline update kit (OUK)
- Monthly bundle of feeds and tooling
- Signed tarball with hashes and offline token
Release checks
- Verify SBOM attachment and signatures
- Run release verifier scripts
- Smoke test offline kit
Hotfixes
- Branch from latest tag, minimal patch, retag and publish
Related references
- docs/13_RELEASE_ENGINEERING_PLAYBOOK.md
- docs/ci/*
- docs/devops/*
- docs/release/* and docs/releases/*
- release/promotion-attestations.md
- release/release-notes.md