For dependency upgrades, Dependabot is relied upon, and news files are auto-generated to document such changes.
The CI supports three release flows:
- `development` for snapshot releases
- `release` for stable releases
- `beta` for pre-releases

| Type | Purpose | Version Number Format | GitHub Release | News Files Deleted |
|---|---|---|---|---|
| Release | General Availability | `<minor>.<major>.<patch>` | Yes | Yes |
| Beta | Integration Testing | `<minor>.<major>.<patch>-beta.<commit number>` | Yes | No |
| Development | Development Testing | `<minor>.<major>.<patch>-dev+<git hash>` | No | No |

⚠️ Releases can be made from any branch, but it is recommended that they are only made from the `main` branch.
- Navigate to the GitHub Actions page.
- Select the Run Workflow button and type which kind of release you would like to make (i.e. release, beta or development).
The version number will be automatically calculated, based on the news files.
So that no secrets are committed back to the repository, a combination of two tools is run in CI:
- GitLeaks: Scans the git history for usual secrets (e.g. AWS keys).
- detect-secrets: Scans only the current state of the repository for anything that looks like a secret (strings with high entropy).

For the latter, false-positive keys are stored in the baseline, which detect-secrets checks against when it runs.

To flag an individual false positive, add the comment `# pragma: allowlist secret` to the line containing the secret.

To add all suspected secrets in the repository (excluding ones with an allowlist secret comment) to the baseline, run:

```
detect-secrets scan --all-files --exclude-files '.*go\.sum$' --exclude-files '.*\.html$' --exclude-files '.*\.properties$' --exclude-files 'ci.yml' --exclude-files '\.git' > .secrets.baseline
```

On Windows, change the encoding of the `.secrets.baseline` file to UTF-8, then convert all `\` to `/` in the `.secrets.baseline` file.
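
The Windows step above can be scripted; the following is an added example, not part of this project's tooling. It assumes the baseline was written as UTF-16 by a PowerShell `>` redirect and that the baseline JSON keeps file paths in the `results` keys and in each finding's `filename`; only those fields are rewritten, so the exclude patterns recorded in the file keep their regex backslashes. The function names and the sample baseline are constructed for illustration.

```python
import codecs
import json
import sys

# BOM -> codec. A PowerShell ">" redirect is assumed to have written UTF-16.
_BOMS = ((codecs.BOM_UTF8, "utf-8-sig"),
         (codecs.BOM_UTF16_LE, "utf-16"), (codecs.BOM_UTF16_BE, "utf-16"))

# Constructed sample baseline (version, path and hash are placeholders).
SAMPLE = {
    "version": "0.0.0",
    "filters_used": [{"path": "detect_secrets.filters.regex.should_exclude_file",
                      "pattern": [".*go\\.sum$"]}],
    "results": {"utils\\auth\\client_test.go": [{
        "type": "Secret Keyword",
        "filename": "utils\\auth\\client_test.go",
        "hashed_secret": "0" * 40,
        "line_number": 12,
    }]},
}

def decode_baseline(raw: bytes) -> str:
    """Decode baseline bytes, honouring a UTF-8 or UTF-16 byte-order mark."""
    for bom, encoding in _BOMS:
        if raw.startswith(bom):
            return raw.decode(encoding)
    return raw.decode("utf-8")

def normalize_baseline(raw: bytes) -> bytes:
    """Return the baseline as BOM-less UTF-8 with '/' in file paths only."""
    data = json.loads(decode_baseline(raw))
    results = {}
    for path, findings in data.get("results", {}).items():
        for finding in findings:
            if "filename" in finding:
                finding["filename"] = finding["filename"].replace("\\", "/")
        results.setdefault(path.replace("\\", "/"), []).extend(findings)
    data["results"] = results
    return (json.dumps(data, indent=2) + "\n").encode("utf-8")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ".secrets.baseline"
    with open(target, "rb") as fh:
        fixed = normalize_baseline(fh.read())
    with open(target, "wb") as fh:
        fh.write(fixed)
```

Run it with the baseline path as the only argument; with no argument it rewrites `.secrets.baseline` in the current directory.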