From ef34f9567f7afc62087f8ce5d270219eabe36aca Mon Sep 17 00:00:00 2001 From: Kevin Leyow Date: Sat, 27 Feb 2021 21:00:05 -0500 Subject: [PATCH] docs: add overview of automated releases in readme --- README.md | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 46bca63af..2b31fd46f 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ The following documentation represents the services, APIs and endpoints responsi - [Tests](#tests) - [Auditing Dependencies](#auditing-dependencies) - [Container Scans](#container-scans) +- [Automated Releases](#automated-releases) ## Running Locally @@ -62,7 +63,7 @@ Logs are sent to standard output by default. ## Tests -Tests include unit, functional, and integration. +Tests include unit, functional, and integration. Running the tests: 
@@ -111,3 +112,32 @@ For more information on anchore and anchore-cli, refer to: - [Anchore CLI](https://github.com/anchore/anchore-cli) - [Circle Orb Registry](https://circleci.com/orbs/registry/orb/anchore/anchore-engine) +## Automated Releases + +As part of our CI/CD process, we use a combination of CircleCI, standard-version +npm package and github-release CircleCI orb to automatically trigger our releases +and image builds. This process essentially mimics a manual tag and release. + +On a merge to master, CircleCI is configured to use the mojaloopci github account +to push the latest generated CHANGELOG and package version number. + +Once those changes are pushed, CircleCI will pull the updated master, tag and +push a release triggering another subsequent build that also publishes a docker image. + +### Potential problems + +* There is a case where the merge to master workflow will resolve successfully, triggering + a release. Then that tagged release workflow subsequently failing due to the image scan, + audit check, vulnerability check or other "live" checks. + + This will leave master without an associated published build. Fixes that require + a new merge will essentially cause a skip in version number or require a clean up + of the master branch to the commit before the CHANGELOG and bump. + + This may be resolved by relying solely on the previous checks of the + merge to master workflow to assume that our tagged release is of sound quality. + We are still mulling over this solution since catching bugs/vulnerabilities/etc earlier + is a boon. + +* It is unknown if a race condition might occur with multiple merges with master in + quick succession, but this is a suspected edge case.
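Review bot: In the Tests hunk (@@ -62,7 +63,7 @@), the removed and added lines both read "Tests include unit, functional, and integration.", so the only difference is whitespace that cannot be seen here. If an editor added trailing whitespace, drop the line from this commit. If it removes trailing whitespace, the change is harmless but unrelated to the subject "docs: add overview of automated releases in readme" and would be cleaner as its own commit.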
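Review bot: In the "Automated Releases" section added by the last hunk (@@ -111,3 +112,32 @@), the paragraph about the mojaloopci account pushing the CHANGELOG and package version to master leaves out two things a maintainer needs: how that bot push is kept from re-triggering the merge-to-master workflow, and where the account's push credential is configured and what it is permitted to do. A sentence on each would help, along with a recovery step for the failure case under "Potential problems" (which commit master is reset to, and by whom). Where the text proposes "relying solely on the previous checks of the merge to master workflow", it should also say outright that the tagged release would then be published without its own image scan, audit check and vulnerability check, since that is the trade-off being weighed. Smaller points: "Then that tagged release workflow subsequently failing due to the image scan" is a sentence fragment (suggest "The tagged release workflow may then fail due to ..."), "merges with master" should read "merges to master", "github" and "docker" should be written GitHub and Docker, and the new "## Automated Releases" heading follows the Circle Orb Registry list item with no blank line in between.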