Open
Description
What
A new release workflow to make k6 releases safer and more reliable.
We build this new workflow on top of the existing workflows to avoid disrupting them.
Once we merge this in, we can improve it later, automate it, add more features, etc.
Why
The current release workflow is prone to errors and potential security issues:
- Manual tag creation: Creating version tags manually may lead to:
  - Version mismatches between version.go and tags
  - Go module proxy may cache incorrect versions
  - Inconsistent release artifacts
- No validation: No automated check to ensure the version matches the release version before the tag is pushed
- Security concerns: Vulnerable to human error and other security-sensitive issues
Solution
The new approach provides a dedicated release workflow that adds:
- Centralization:
  - Only CI can create version tags
  - Enforced via repository rulesets
  - Eliminates manual tag creation errors
- Guardrail 1: Version Validation
  - Automatically checks if version.go matches the specified version
  - Fails fast before creating any tags
  - Prevents the Go module proxy from caching incorrect versions due to invalid tags
- Guardrail 2: Access Control
  - Repository ruleset restricts version tag creation (v*) to CI only
  - Restricts maintainers from accidentally creating version tags
  - Reduces human error and security risks
Workflow
flowchart TD
A[Run Release workflow] --> B{Check version}
B -->|Tag exists or Version mismatch| C[❌ Fail]
B -->|Specified version is OK| D[Create tag]
D --> E[Build workflow gets triggered for the new tag]
E --> F[🎉 Release complete]
style C fill:#ff6b6b
style F fill:#51cf66
Tasks
- Release workflow #5443
- grafana/deployment_tools#413407
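
The check described under Guardrail 1 and in the workflow diagram (fail on a version mismatch or an existing tag, before any tag is created), as an added example that is not part of the original issue or k6's own workflow code. It assumes version.go declares `const Version = "X.Y.Z"` without a leading `v`; the function names, return codes and sample file are made up for illustration.

```shell
#!/bin/sh
# Pre-tag guardrail sketch. Assumed layout: version.go holds
#   const Version = "X.Y.Z"   (no leading "v"; the tag adds it)

# Print the Version constant found in the given Go file.
extract_version() {
  sed -n 's/^[[:space:]]*const[[:space:]][[:space:]]*Version[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_release REQUESTED VERSION_FILE EXISTING_TAGS (newline separated)
# Returns 0 = safe to tag, 1 = malformed input, 2 = mismatch, 3 = tag exists.
check_release() {
  cr_requested=$1; cr_file=$2; cr_tags=$3
  # The workflow input ends up in a ref name: reject anything outside the
  # allowed character set (newlines included), then check the vX.Y.Z[-pre] shape.
  case $cr_requested in *[!0-9A-Za-z.-]*) return 1 ;; esac
  printf '%s\n' "$cr_requested" |
    grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$' || return 1
  cr_source=$(extract_version "$cr_file")
  [ -n "$cr_source" ] && [ "v$cr_source" = "$cr_requested" ] || return 2
  # Exact, fixed-string, whole-line match: v1.2.3 must not match v1.2.30.
  if printf '%s\n' "$cr_tags" | grep -Fxq -- "$cr_requested"; then return 3; fi
  return 0
}

# Constructed sample input, not the real k6 file.
write_sample() {
  printf 'package build\n\n// Version is the release version.\nconst Version = "1.2.3"\n' > "$1"
}

demo() {
  demo_tmp=$(mktemp) || return 1
  write_sample "$demo_tmp"
  demo_tags=$(printf 'v1.1.0\nv1.2.0')   # constructed list of existing tags
  for v in v1.2.3 v1.2.4 'v1.2.3;id'; do
    rc=0; check_release "$v" "$demo_tmp" "$demo_tags" || rc=$?
    echo "$v -> $rc"
  done
  rc=0; check_release v1.2.3 "$demo_tmp" "$(printf 'v1.2.0\nv1.2.3')" || rc=$?
  echo "v1.2.3 (already tagged) -> $rc"
  rm -f "$demo_tmp"
}
demo
```

In a CI job the tag list would come from the repository (for example `git tag --list 'v*'`), and any non-zero return stops the job before the tag step.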