You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: RELEASE.md
+30-3
Original file line number
Diff line number
Diff line change
@@ -6,10 +6,37 @@ Official Falcosecurity rules releases are automated using GitHub Actions. Each r
6
6
7
7
In this repo, each ruleset is a standalone YAML file in the `/rules` directory (e.g. `falco_rules.yaml`, `application_rules.yaml`, ...). Each ruleset is released and versioned individually. When we release a ruleset, we do the following process:
8
8
9
-
1. Make sure that the `./github/FALCO_VERSIONS` file contains the most recent versions of Falco compatible with the given ruleset. When releasing a ruleset, the versions must be explicit stable Falco releases (e.g. not using `latest` or `master`), so that the new tag will provide an history of the Falco versions on which the ruleset was tested.
10
-
2. Determine a new version for the given ruleset (see the [section below](#versioning-a-ruleset))
9
+
1. Make sure that the `./github/FALCO_VERSIONS` file contains the most recent versions of Falco with which the given ruleset validates successfully.
10
+
- When releasing a ruleset, the versions must be explicit stable Falco releases (e.g. not using `latest` or `master`), so that the new tag will provide an history of the Falco versions on which the ruleset was tested
11
+
- If the ruleset does not validate with a stable Falco release (it can happen close to the time of a Falco release), it's ok to use a `master` version, which however needs to be patched with an additional commit [on the ruleset's release branch](#patching-a-ruleset) once the next stable Falco release gets published.
12
+
2. Determine a new version for the given ruleset (see the [section below](#versioning-a-ruleset)).
11
13
3. Create a new Git tag with the name convention `*name*-rules-*version*` (e.g. `falco-rules-0.1.0`, `application-rules-0.1.0`, ...). The naming convention is required due to this repository being a [monorepo](https://en.wikipedia.org/wiki/Monorepo) and in order to be machine-readable.
12
-
4. A GitHub action will validate the repository [registry](./registry.yaml) and release the new OCI artifact in the packages of this repository
14
+
4. A GitHub action will validate the repository [registry](./registry.yaml) and release the new OCI artifact in the packages of this repository.
15
+
16
+
## Patching a ruleset
17
+
18
+
Patches on an already-released ruleset can anytime on a per-need basis. Assuming a release Git tag in the form of `*name*-rules-*version*`, with version being in the form of `X.Y.Z` (e.g. `falco-rules-0.1.0`), the process is as follows:
19
+
20
+
1. If not already created, create a release branch starting from the first tag of the released ruleset.
21
+
a. Checkout the first ruleset release tag: e.g. `git checkout falco-rules-0.1.0`
22
+
b. Create a new branch with the naming convention `release/*name*-rules-X.Y.x`, starting from the tag: e.g. `git checkout -b release/falco-rules-0.1.x`
23
+
c. As for step #1 of the [*Releasing a ruleset section*](#releasing-a-ruleset), make sure that `./github/FALCO_VERSIONS` contains all the **stable** Falco versions with which the ruleset validates successfully, by adding an extra commit to the release branch in case changes are required.
24
+
d. Open a [PR in falcosecurity/test-infra](https://github.com/falcosecurity/test-infra/edit/master/config/config.yaml) to add `release/*name*-rules-X.Y.x` as protected branch to the `prow/config.yaml`, for example:
25
+
```yaml
26
+
rules:
27
+
branches:
28
+
main:
29
+
protect: true
30
+
...
31
+
"release/falco-rules-0.1.x":
32
+
protect: true
33
+
```
34
+
2. Open one or more PRs agains the release branch of the released ruleset.
35
+
a. Wait for all the CI checks to pass.
36
+
b. Check the automatic versioning suggestions provided by the CI (see [an example](https://github.com/falcosecurity/rules/pull/74#issuecomment-1571867580)), and make sure that **only patch changes** are present.
37
+
c. Considering the automatic versioning suggestions, and at discretion of the domain knowledge of the repository maintainers, decide whether the PR should be merged or not.
38
+
3. Bump the ruleset version **patch** number by 1 and create a new Git tag from the release branch (e.g. `falco-rules-0.1.1`).
39
+
4. A GitHub action will validate the repository [registry](./registry.yaml) and release the new OCI artifact in the packages of this repository.
0 commit comments