python-tuf/docs/RELEASE.md
Lukas Puehringer 674eb9d096 doc: describe repo setup in RELEASE.md + typos fix
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-04-20 16:02:18 +02:00

Release process

Prerequisites (one-time setup)

  1. Go to the PyPI management page and create an API token with its scope limited to the tuf project.
  2. Go to GitHub settings, create an environment called release and configure review protection.
  3. In the environment, create a secret called PYPI_API_TOKEN and paste the token created above.

Release

  1. Ensure docs/CHANGELOG.md contains a one-line summary of each notable change since the prior release
  2. Update tuf/__init__.py to the new version number A.B.C
  3. Create a PR with updated CHANGELOG.md and version bumps

➔ Review PR on GitHub

  1. Once the PR is merged, pull the updated develop branch locally
  2. Create a signed tag for the version number on the merge commit: git tag --sign vA.B.C -m "vA.B.C"
  3. Push the tag to GitHub: git push origin vA.B.C

A push triggers the CI workflow, which, on success, triggers the CD workflow, which builds source dist and wheel, creates a preliminary GitHub release under vA.B.C-rc, and pauses for review.

  1. Run verify_release --skip-pypi locally to make sure a build on your machine matches the preliminary release artifacts published on GitHub.

Review deployment on GitHub

An approval resumes the CD workflow to publish the release on PyPI, and to finalize the GitHub release (removes -rc suffix and updates release notes).

  1. verify_release may be used again to make sure the PyPI release artifacts match the local build as well.
  2. Announce the release on #tuf on CNCF Slack
  3. Ensure POUF 1, for the reference implementation, is up-to-date
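
The two verify_release steps above compare a local build against the published artifacts. The following is an added example of that kind of check, not the project's verify_release script: it assumes the build is reproducible (byte-identical output) and that the local and downloaded artifacts sit in two directories whose names are passed on the command line.

```python
"""Added example (not verify_release): compare built vs. published artifacts."""
import hashlib
import sys
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large sdists/wheels are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def artifacts(directory: Path) -> dict:
    """Return {file name: path} for sdists (*.tar.gz) and wheels (*.whl) only."""
    return {p.name: p for p in directory.iterdir()
            if p.is_file() and (p.name.endswith(".tar.gz") or p.suffix == ".whl")}


def compare_artifacts(local_dir: Path, published_dir: Path) -> dict:
    """Map each artifact name to match, mismatch, missing-local or
    missing-published. An artifact present on only one side is reported,
    because an unexpected extra published file is as suspicious as a mismatch."""
    local, published = artifacts(local_dir), artifacts(published_dir)
    result = {}
    for name in sorted(local.keys() | published.keys()):
        if name not in local:
            result[name] = "missing-local"
        elif name not in published:
            result[name] = "missing-published"
        elif sha256_file(local[name]) == sha256_file(published[name]):
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def release_verified(result: dict) -> bool:
    """Verified only if there is at least one artifact and every one matches."""
    return bool(result) and all(s == "match" for s in result.values())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: compare.py LOCAL_DIST_DIR PUBLISHED_DIR")
    report = compare_artifacts(Path(sys.argv[1]), Path(sys.argv[2]))
    for name, status in report.items():
        print(f"{status:18} {name}")
    sys.exit(0 if release_verified(report) else 1)
```

An empty comparison is treated as a failure so that a wrong directory or a failed download cannot pass as a verified release.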