ipxe/RELEASE.md
Michael Brown f00d2079d3 [doc] Add release process documentation
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-25 22:10:59 +00:00

Release process

A release will be generated automatically for any version number tag (of the form v*). Release notes will be extracted from the contents of the relevant section in CHANGELOG.md.

The reduced-feature Secure Boot binaries will be signed using the iPXE Secure Boot CA and may be booted on a system with UEFI Secure Boot enabled using the iPXE shim.

Steps

  1. Edit the top-level Makefile to select values for VERSION_MAJOR, VERSION_MINOR, and VERSION_PATCH, and to set EXTRAVERSION to an empty string.

  2. Edit CHANGELOG.md to create a section and link for the new release.

  3. Commit these changes with a message such as:

    [release] Release version 1.2.3
    
  4. Tag the commit with the correct version number, e.g.:

    git tag v1.2.3
    
  5. Push the tag (and only the tag), e.g.:

    git push origin v1.2.3
    

    This will automatically create a draft release including signed versions of the Secure Boot binaries.

  6. If all checks on the tag succeeded, then push the master branch as normal:

    git push
    
  7. Publish the draft release.

  8. Edit the top-level Makefile to set EXTRAVERSION back to the value +.

  9. Commit this change with a message such as:

    [release] Update version number after release
    
  10. Push the master branch as normal:

    git push
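
Because pushing the tag starts the Secure Boot signing stage, it is worth confirming steps 1 and 2 before running `git tag`. The script below is an added example, not part of iPXE's release tooling: it checks that the tag matches the Makefile version, that EXTRAVERSION is empty, and that CHANGELOG.md has a section for the release. The `NAME = value` assignment syntax and the `[vX.Y.Z]` changelog heading are assumptions, and `makefile_var` and `release_preflight` are hypothetical names.

```shell
#!/bin/sh
# Added example, not iPXE project code: checks to run before "git tag".
# Assumption: the Makefile assigns variables as "NAME = value", one per line.
# Assumption: CHANGELOG.md has a heading line containing "[vX.Y.Z]".

# Print the value assigned to variable $2 in Makefile $1 (empty if blank).
makefile_var() {
    sed -n "s/^$2[[:space:]]*:\{0,1\}=[[:space:]]*\(.*\)\$/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# release_preflight TAG MAKEFILE CHANGELOG
# Returns 0 if the files agree with TAG, 1 otherwise (reasons on stderr).
release_preflight() {
    tag=$1; mk=$2; log=$3; rc=0
    major=$(makefile_var "$mk" VERSION_MAJOR)
    minor=$(makefile_var "$mk" VERSION_MINOR)
    patch=$(makefile_var "$mk" VERSION_PATCH)
    extra=$(makefile_var "$mk" EXTRAVERSION)
    if [ "$tag" != "v$major.$minor.$patch" ]; then
        echo "tag $tag does not match Makefile version v$major.$minor.$patch" >&2
        rc=1
    fi
    if [ -n "$extra" ]; then
        echo "EXTRAVERSION is '$extra', expected an empty string" >&2
        rc=1
    fi
    if ! grep '^#' "$log" | grep -F -q -e "[$tag]"; then
        echo "CHANGELOG.md has no section heading for [$tag]" >&2
        rc=1
    fi
    return "$rc"
}

# With three arguments, check real files; otherwise use a constructed sample.
if [ "$#" -eq 3 ]; then
    release_preflight "$@"
else
    d=$(mktemp -d)
    printf 'VERSION_MAJOR = 1\nVERSION_MINOR = 2\nVERSION_PATCH = 3\nEXTRAVERSION =\n' >"$d/Makefile"
    printf '# Changelog\n\n## [v1.2.3] 2026-01-01\n' >"$d/CHANGELOG.md"
    release_preflight v1.2.3 "$d/Makefile" "$d/CHANGELOG.md" && echo "v1.2.3: ok to tag"
    rm -rf "$d"
fi
```

A non-zero exit status means the tag should not be created yet; each reason is printed on stderr.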
    

Caveats

Note that pushing the tag will trigger parts of the build workflow that are not usually run. In particular, the UEFI Secure Boot signing stage will take place on a dedicated GitHub Actions runner that has access to a hardware signing token. There is a reasonable chance that parts of the workflow may fail (e.g. due to an expired code signing certificate). To recover from a failure, delete the tag (and the draft release, if it has been created).

The signing step can be tested in isolation by pushing to the sbsign branch, without the need to run through the whole release process.