ci: introduce release branches (cloudnative-pg#346)

Introduce support for multiple minor releases, each with their own
release branch.

A release branch must always originate from the trunk (`main` branch),
and corresponds to a new minor release.

Development happens on the trunk, and bug fixes are cherry-picked
in the actively supported release branches by the maintainers (this
process needs to be documented in the future, and ideally part of the
review from a maintainer).

Sometimes, bug fixes might originate in the release branch as well.
Release notes for patch/security versions are maintained in the release
branch directly.

The release scripts has been modified to work only from a release branch
(it is no longer possible to release from the trunk).

Integrate the contributors doc with instructions on the release process.

Closes cloudnative-pg#321

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: John Long <john.long@enterprisedb.com>

Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: John Long <john.long@enterprisedb.com>

Author: 4 people

.github/workflows/release-pr.yml

@@ -17,13 +17,16 @@ jobs:
       -
         name: Get tag
         run: |
-          echo "TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
+          TAG=${GITHUB_REF##*/}
+          DEST=$(echo ${TAG#v} | awk -F '[.]' '{print "release-"$1"."$2}')
+          echo "TAG=${TAG}" >> $GITHUB_ENV
+          echo "DEST=${DEST}" >> $GITHUB_ENV
       -
         name: Pull Request
         id: open-pr
         uses: repo-sync/pull-request@v2.6.2
         with:
-          destination_branch: "main"
+          destination_branch: ${{ env.DEST }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
           pr_body: "Automated PR. Will trigger the ${{ env.TAG }} release when approved."
           pr_label: release

.github/workflows/release-tag.yml

@@ -6,7 +6,7 @@ on:
     types:
       - closed
     branches:
-      - main
+      - release-*
 
 jobs:
   tag:
@@ -15,29 +15,12 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3
-      -
-        name: Temporarily disable "include administrators" branch protection
-        if: ${{ always() && github.ref == 'refs/heads/main' }}
-        id: disable_include_admins
-        uses: benjefferies/branch-protection-bot@1.0.7
-        with:
-          access_token: ${{ secrets.REPO_GHA_PAT }}
-          branch: main
-          enforce_admins: false
       -
         name: Create tag
-        if: github.event.pull_request.merged == true && startsWith(${{ github.head_ref }}, "release/v")
+        if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'release/v')
         uses: christophebedard/tag-version-commit@v1.6.2
         with:
           token: ${{ secrets.REPO_GHA_PAT }}
           version_regex: '^Version tag to ([0-9]+\.[0-9]+\.[0-9]+)'
           version_tag_prefix: v
           dry_run: false
-      -
-        name: Enable "include administrators" branch protection
-        uses: benjefferies/branch-protection-bot@1.0.7
-        if: ${{ always() && github.ref == 'refs/heads/main' }}
-        with:
-          access_token: ${{ secrets.REPO_GHA_PAT }}
-          branch: main
-          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}

contribute/release_procedure.md

@@ -0,0 +1,101 @@
+# Release procedure
+
+This section describes how to release a new set of supported versions of
+CloudNativePG, and should be done by one of the maintainers of the project.  It
+is a semi-automated process which requires human supervision.
+
+You can only release from a release branch, that is a branch in the
+Git repository called `release-X.Y`, i.e. `release-1.16`, which corresponds
+to a minor release.
+
+The release procedure must be repeated for all the supported minor releases,
+usually 3:
+
+- the current one (`release-X.Y`)
+- the previous one (`release-X.Y` -1)
+- the *"End of Life"* one (`release-X.Y` -2) - normally for an additional month
+  after the first release of the current minor.
+
+```diagram
+------+---------------------------------------------> main (trunk development)
+       \             \
+        \             \
+         \             \             LATEST RELEASE
+          \             \                                           ^
+           \             \----------+---------------> release-X.Y   |
+            \                                                       | SUPPORTED
+             \                                                      | RELEASES
+              \                                                     | = the two
+               \                                                    |   last
+                +-------------------+---------------> release-X.Y-1 |   releases
+                                                                    v
+```
+
+## Release branches
+
+A release branch must always originate from the *trunk* (`main` branch),
+and corresponds to a new minor release.
+
+Development happens on the trunk (`main` branch), and bug fixes are
+cherry-picked in the actively supported release branches by the maintainers.
+Sometimes, bug fixes might originate in the release branch as well.
+Release notes for patch/security versions are maintained in the release branch
+directly.
+
+## Planning the release
+
+One or two weeks before the release, you should start planning the following
+activities:
+
+- **Supported releases:** Make sure that you update the supported releases' page
+  in `docs/src/supported_releases.md` and have been approved by the maintainers
+
+- **Release notes:** Make sure release notes for the release have been updated
+  in `docs/src/release_notes.md` and have been approved by the maintainers
+
+- **Capabilities page:** in case of a new minor release, make sure that the
+  operator capability levels page has been updated in
+  `docs/src/operator_capability_levels.md` and approved by the maintainers
+
+- **Documentation:** Make sure that you update the documentation in the
+  [website project](https://github.com/cloudnative-pg/cloudnative-pg.github.io)
+  for each of the supported releases via a PR.
+
+<!-- TODO: we should create an issue template with a checklist for the release process -->
+
+## Release steps
+
+Once the code in the release branch is stable and ready to be released, you can
+proceed with the supervised process.
+
+As a maintainer, you need to repeat this process for each of the supported
+releases of CloudNativePG:
+
+1. Run `hack/release.sh X.Y.Z` (e.g. `hack/release.sh 1.16.0`)
+2. Quickly review the PR that is automatically generated by the script and
+   approve it
+3. Merge the PR, making sure that the commit message title is:
+   `Version tag to X.Y.Z`, without prefixes (e.g.: `Version tag to 1.16.0`)
+4. Wait until all [GitHub Actions](https://github.com/cloudnative-pg/cloudnative-pg/actions)
+   complete successfully.
+5. Perform manual smoke tests to verify that installation instructions work on
+   your workstation using `kind`
+
+## Helm chart release:
+
+After having created a new release of CloudNativePG you need to create a release of
+the `cloudnative-pg` and `cnpg-sandbox` charts, whose definitions can be found
+in the [cloudnative-pg/charts](https://github.com/cloudnative-pg/charts) repository.
+
+The following is a summary of the steps to be taken in that direction. The
+[RELEASE.md](https://github.com/cloudnative-pg/charts/blob/a47596cb/RELEASE.md)
+document inside the relative repo contains an in-depth discussion of the
+process.
+
+1. Copy the output of `kustomize build config/helm` to `charts/cloudnative-pg/templates/crds/crds.yaml`
+   in the [cloudnative-pg/charts](https://github.com/cloudnative-pg/charts) repository.
+2. Diff the new release version with the previous one
+   (e.g.: `vimdiff releases/cnpg-1.15.0.yaml releases/cnpg-1.15.1.yaml` using your IDE of choice)
+3. Port any diff to the templates in the helm chart accordingly
+4. Proceed with the release process described in the `RELEASE.md`
+   file in the [cloudnative-pg/charts](https://github.com/cloudnative-pg/charts) repository.

contribute/to_be_classified.md

@@ -11,27 +11,3 @@ make licenses
 ```
 
 ---
-
-## Release procedure
-
-### Initial verification
-
-- Make sure release notes for the release have been updated
-  in `docs/src/release_notes.md` and have been approved by
-  the maintainers
-- Make sure that the operator capability levels page has been
-  updated in `docs/src/operator_capability_levels.md` and approved
-  by the maintainers
-
-### Release steps
-
-The following steps assume version 1.15.0 as the one to be released. Alter the
-instructions accordingly for your version.
-
-1. Run `hack/release.sh 1.15.0`.
-2. Approve the PR that is automatically generated.
-3. Merge the PR.
-4. Wait until all [Github Actions](https://github.com/cloudnative-pg/cloudnative-pg/actions) finish.
-
----
-

docs/src/supported_releases.md

@@ -66,7 +66,7 @@ Git tags for versions are prepended with `v`.
 | Version         | Currently Supported  | Release Date      | End of Life              | Supported Kubernetes Versions | Tested, but not supported |
 |-----------------|----------------------|-------------------|--------------------------|-------------------------------|---------------------------|
 | main            | No, development only |                   |                          |                               |                           |
-| 1.15.x          | Yes                  | April 21, 2022    | October 15, 2022         | 1.21, 1.22, 1.23, 1.24        | 1.19, 1.20                |
+| 1.15.x          | Yes                  | April 21, 2022    | October 15, 2022         | 1.21, 1.22, 1.23              | 1.19, 1.20, 1.24          |
 | 1.16.x          | Yes                  | July 7, 2022      | ~ December 10, 2022      | 1.22, 1.23, 1.24              | 1.19, 1.20, 1.21          |
 
 The list of supported Kubernetes versions in the above table depends on what

hack/release.sh

@@ -1,5 +1,13 @@
 #!/usr/bin/env bash
 ##
+## CloudNativePG release script
+##
+## This shell script automates the release process for a selected
+## version of CloudNativePG. It must be invoked from a release
+## branch. For details on the release procedure, please
+## refer to the contribute/release_procedure.md file from the
+## main folder.
+##
 ## Copyright The CloudNativePG Contributors
 ##
 ## Licensed under the Apache License, Version 2.0 (the "License");
@@ -27,6 +35,7 @@ fi
 
 release_version=${1#v}
 
+# Verify we are working on a clean directory
 require_clean_work_tree () {
     git rev-parse --verify HEAD >/dev/null || exit 1
     git update-index -q --ignore-submodules --refresh
@@ -59,11 +68,12 @@ require_clean_work_tree () {
 
 require_clean_work_tree "release"
 
-if branch=$(git symbolic-ref --short -q HEAD) && [ "$branch" = 'main' ]
+# Verify that you are in a release branch
+if branch=$(git symbolic-ref --short -q HEAD) && [[ "$branch" == release-* ]]
 then
     echo "Releasing ${release_version}"
 else
-    echo >&2 "Release is not possible because you are not on 'main' branch ($branch)"
+    echo >&2 "Release is not possible because you are not on a 'release-*' branch ($branch)"
     exit 1
 fi
 
@@ -73,6 +83,7 @@ KUSTOMIZE="${REPO_ROOT}/bin/kustomize"
 mkdir -p releases/
 release_manifest="releases/cnpg-${release_version}.yaml"
 
+# Perform automated substitutions of the version string in the source code
 sed -i -e "/Version *= *.*/Is/\".*\"/\"${release_version}\"/" \
     -e "/DefaultOperatorImageName *= *.*/Is/\"\(.*\):.*\"/\"\1:${release_version}\"/" \
     pkg/versions/versions.go
@@ -90,6 +101,7 @@ cp -r config/* "${CONFIG_TMP_DIR}"
 "${KUSTOMIZE}" build "${CONFIG_TMP_DIR}/default" > "${release_manifest}"
 rm -fr "${CONFIG_TMP_DIR}"
 
+# Create a new branch for the release that originates the PR
 git checkout -b "release/v${release_version}"
 git add \
     pkg/versions/versions.go \