WIP: maintenance workflow documentation

[Ocramius]

This is a stub of the release process that I was slowly putting into words.

As discussed with @carusogabriel and @Majkl578 while at PHP Central Europe, we need to get this automated, and removed from the documentation once that's done (as in: documentation just references the release tool)

TODO:

• check how this actually renders
• document code review as part of the maintenance workflow
• document dependency upgrades as part of the maintenance workflow
• document signed tags for releases

[Ocramius]

@jwage can you please talk about this workflow with @doctrine/team-mongodb-odm? I think ORM and ODM are quite different right now, but if we build an automation, we should unify the workflows.

@SenseException I marked it as WIP because it is incomplete, but I don't remember what's missing. Can you check it again, please?

[alcaeus]

We'll discuss this at the next ODM hangout.

[malarzm]

I think the biggest difference is that ODM's version description is usually linking to CHANGELOG.md which contains description of what changed (and we usually craft it manually). And I personally use github to tag a new release instead of console :)

[Ocramius]

I think the biggest difference is that ODM's version description is usually linking to CHANGELOG.md

Good one! What do we do about CHANGELOG.md? I think we should start maintaining it, especially requiring an entry in it for every relevant patch. If we can ensure that, then the release notes (and therefore the git tag message) can be inferred from the latest block in CHANGELOG.md. Should I add it to the document?

And I personally use github to tag a new release instead of console :)

We need signed tags for our releases, especially with the size of our audience. This isn't feasible via Github UI...

[malarzm]

So in ODM we always write an entry in CHANGELOG before tagging new release, they usually look like this - list there not always contains all PRs merged, because some are not worthy mentioning (i.e. docs). Sometimes we put more info to the changelog, that usually happens for a minor release (like this one).

Bugfix release notes follow this scheme (copy-paste-fix links):

Maintenance release.

Please see [changelog](https://github.com/doctrine/mongodb-odm/blob/1.2.x/CHANGELOG-1.2.md#125-2018-07-20) for a complete list of fixes.

All issues and pull requests in this release may be found under the [1.2.5 milestone](https://github.com/doctrine/mongodb-odm/issues?q=milestone%3A1.2.5).

We need signed tags for our releases, especially with the size of our audience. This isn't feasible via Github UI...

I can change my ways, no problem 👍

[Ocramius]

I can change my ways, no problem +1

I don't want to impede your work, hence my strong focus on automation in this documentation. At some point, I'd like to remove humans from the release process in this organisation.

[malarzm]

I can change my ways, no problem +1

I don't want to impede your work, hence my strong focus on automation in this documentation. At some point, I'd like to remove humans from the release process in this organisation.

That was about signing tags and not using github UI ;) FWIW I think maintaing changelog is better as it's easily grep-able.

[Majkl578]

We also talked about automating PR merges, after passed builds and approvals (and i.e. no blocking label).
Ideally we should also guard automatic merges by Roave/BackwardCompatibilityCheck that would block auto-merge (ideally as a separate CI integration, not part of the Travis build directly).

[Ocramius]

Yeah, Roave BC is a bit too strict, but we can add our (laxer) rules to CI. Also, I need to make it faster before it is introduced.

[Majkl578]

As part of this standardization, we SHOULD sync labels across all repositories and also their colors (at least all listed below). Currently it's random.

[Majkl578]

Considering that we currently mostly use MAJOR.MINOR, what is the motivation to use MAJOR.MINOR.x?

[alcaeus]

ORM, DBAL and common started using MAJOR.MINOR with 2.2, while the rest either doesn't have enough branches for it to be called a model or are using MAJOR.MINOR.x.

[jwage]

Fwiw either branch name format works with the website.

[Majkl578]

Suggested change

	Please note that tags *MUST* be signed. Unsigned releases will be
	Please note that tags **MUST** be GPG-signed by either the maintainer's or Doctrine's GPG key.
	Unsigned releases will be

As discussed, as part of automating releases. we may introduce a Doctrine GPG key that will be signed by all maintainers and internally used to create tags.

[alcaeus]

I don't like the anonymity of a shared GPG key - anyone could sign a malicious tag and hide between the shared identity. I'd advocate against that and suggest we keep signing with individual keys.

[Ocramius]

Wouldn't be anonymous: it would require trust from the doctrine maintainers

[alcaeus]

Looking at one tag, would I be able to tell which maintainer signed the tag?

[Ocramius]

No, it would be done by tooling, not by a person

[alcaeus]

Even if it's done by tooling, as long as it's triggered by a human (./bin/doctrine release a.b.c) it should be signed by that human. Otherwise, there's no significant advantage to signing with the GitHub key, except that we're maintaining our own key for the sake of it.

[Ocramius]

Key K is signed as trusted by maintainer A, B, C. Subkey K1 is deployed to a (safe) environment, where the automation takes over tagging and releasing when things are triggered. There won't be a ./bin/doctrine release a.b.c: the aim is to remove it, and completely automate releases as merges happen. Yes, that would be a lot of releases :)

[alcaeus]

I don't think that's feasible at all at the current time, hence my opposition to this. Let's take things one at a time. If we ever get to the point where we want to do a release on every merge, we can bring this up again. Until that point, let's leave the original suggestion in: people sign tags with their GPG key instead of relying on GitHubs default key.

[Ocramius]

instead of relying on GitHubs default key.

Yeah, this should never be done anyway 👍

[SenseException]

I think this should also work well for changes in the documentation.
@Ocramius Do we need to emphasize that changes in the documentation shouldn't be in the same commits as code changes? Also: New features should get a proper documentation before they can be merged.

[Ocramius]

shouldn't be in the same commits as code changes?

I don't mind if the commits overlap or not, but they should probably be in the same patch. I don't think it has to do with the maintenance workflow though: we can put it in issue/PR templates, maybe?

[morozov]

This requires an update due to doctrine/orm#7552.

[morozov]

This could be reworded to <username> for consistency with the change in git clone ....

[carusogabriel]

Gosh, I need to do some research about it, I forget :P

[Ocramius]

Folks, I can't get to work on this further in the next weeks: is anybody in @doctrine/team-documentation willing to finish this up?

[jwage]

@Ocramius I can take the ball.

[Ocramius]

@jwage thanks!

[alcaeus]

This section needs an update after the decision at the EUFOSSA hackathon. See https://github.com/doctrine/automatic-releases#todos for the process.