Release process
===============

A release will be generated automatically for any version number tag
(of the form `v*`). Release notes will be extracted from the contents
of the relevant section in [`CHANGELOG.md`][changelog].

The reduced-feature Secure Boot binaries will be signed using the
[iPXE Secure Boot CA][ipxesbca] and may be booted on a system with
UEFI Secure Boot enabled using the [iPXE shim][ipxeshim].

Steps
-----

1. Edit the top-level [`Makefile`][makefile] to select values for
    `VERSION_MAJOR`, `VERSION_MINOR`, and `VERSION_PATCH`, and to set
    `EXTRAVERSION` to an empty string.

2. Edit [`CHANGELOG.md`][changelog] to create a section and link for
    the new release.

3. Commit these changes with a message such as:
    ```
    [release] Release version 1.2.3
    ```

4. Tag the commit with the correct version number, e.g.:
    ```
    git tag v1.2.3
    ```

5. Push the tag (and only the tag), e.g.:
    ```
    git push origin v1.2.3
    ```
    This will automatically create a [draft release][releases]
    including signed versions of the Secure Boot binaries.

6. If all checks on the tag succeeded, then push the master branch as
    normal:
    ```
    git push
    ```

7. Publish the [draft release][releases].

8. Edit the top-level [`Makefile`][makefile] to set `EXTRAVERSION`
    back to the value `+`.

9. Commit this change with a message such as:
    ```
    [release] Update version number after release
    ```

10. Push the master branch as normal:
    ```
    git push
    ```
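
Because pushing the tag starts the Secure Boot signing stage, it is worth confirming steps 1 and 2 before step 4. The following pre-tag check is an added example, not part of the iPXE repository; the function names (`mk_var`, `check_release`, `make_sample`), the `NAME = value` Makefile assignment style and the `#`-style changelog headings are assumptions.

```shell
#!/bin/sh
# Pre-tag check for the release steps (added example, not iPXE project code).
# Assumed formats: "NAME = value" Makefile assignments and "#"-style
# CHANGELOG.md headings that mention the version being released.

# Print the value of Makefile variable $2 in file $1, or "<unset>".
mk_var() {
    line=$(sed -n "/^[[:space:]]*$2[[:space:]]*:\{0,1\}=/p" "$1" | tail -n 1)
    [ -n "$line" ] || { echo "<unset>"; return 0; }
    printf '%s\n' "$line" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_release TAG MAKEFILE CHANGELOG: return 0 only if the tree matches TAG.
check_release() {
    tag=$1 mk=$2 log=$3 rc=0
    case $tag in
        v[0-9]*.[0-9]*.[0-9]*) ;;   # coarse shape check; exact match is below
        *) echo "tag '$tag' is not of the form vMAJOR.MINOR.PATCH" >&2; return 1 ;;
    esac
    want=${tag#v}
    pat=$(printf '%s\n' "$want" | sed 's/\./\\./g')   # escape dots for grep -E
    have="$(mk_var "$mk" VERSION_MAJOR).$(mk_var "$mk" VERSION_MINOR).$(mk_var "$mk" VERSION_PATCH)"
    extra=$(mk_var "$mk" EXTRAVERSION)
    if [ "$have" != "$want" ]; then
        echo "Makefile version $have does not match tag $tag" >&2; rc=1
    fi
    if [ -n "$extra" ]; then
        echo "EXTRAVERSION is '$extra', expected an empty string" >&2; rc=1
    fi
    if ! grep -Eq "^#.*[^0-9.]v?$pat([^0-9.]|\$)" "$log"; then
        echo "no CHANGELOG section heading mentions $want" >&2; rc=1
    fi
    return $rc
}

# Write constructed sample inputs (not the real iPXE files) into directory $1,
# with EXTRAVERSION set to $2.
make_sample() {
    printf 'VERSION_MAJOR = 1\nVERSION_MINOR = 2\nVERSION_PATCH = 3\nEXTRAVERSION = %s\n' "$2" > "$1/Makefile"
    printf '# Changelog\n\n## [v1.2.3] 2025-01-01\n\n- Constructed entry\n' > "$1/CHANGELOG.md"
}

# Usage from the repository root: sh <this script> v1.2.3 src/Makefile CHANGELOG.md
if [ "$#" -eq 3 ]; then check_release "$@"; fi
```
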

Caveats
-------

Note that pushing the tag will trigger parts of the [build
workflow][workflow] that are not usually run. In particular, the UEFI
Secure Boot signing stage will take place on a dedicated GitHub
Actions [runner][runners] that has access to a [hardware signing
token][ipxesbca]. There is a reasonable chance that parts of the
workflow may fail (e.g. due to an expired code signing certificate).
To recover from a failure, delete the tag (and the draft release, if
it has been created).

The signing step can be tested in isolation by pushing to the `sbsign`
branch, without the need to run through the whole release process.

[changelog]: CHANGELOG.md
[ipxesbca]: https://github.com/ipxe/secure-boot-ca
[ipxeshim]: https://github.com/ipxe/shim/releases/latest
[makefile]: src/Makefile
[releases]: https://github.com/ipxe/ipxe/releases
[runners]: https://github.com/ipxe/ipxe/settings/actions/runners
[workflow]: .github/workflows/build.yml