
Improving the changelog/release process (currently out-of-date and lacking security fixes) #2500

@primeos-work

Description


Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The newest release of Step CA is version 0.29.0 and was released on 2025-12-03 (6 days ago at the time this issue was created): https://github.com/smallstep/certificates/releases/tag/v0.29.0

Unfortunately the CHANGELOG.md file on the master branch still states "[0.29.0] - unreleased".

Permalink to the most recent version on the master branch at the time of creating this issue:
https://github.com/smallstep/certificates/blob/5398fc7653d9a3b941acef17212d86bea122b98e/CHANGELOG.md#0290---unreleased
And on the Git tag for that release it's the same: https://github.com/smallstep/certificates/blob/v0.29.0/CHANGELOG.md

This already surprised me when I updated a Step CA instance last Friday, but on Monday I learned that there is even a CVE with a severity rating of 10/10: GHSA-h8cp-697h-8c8p
IMO it is especially important to document any security fixes in the changelog.

To follow best practices I would suggest the following improvements:

  1. The changelog is maintained more actively (one could also consider adding some requirements to CONTRIBUTING.md, such as mentioning/documenting major changes in PRs), and the release process ensures that the changelog is up to date before a new release is tagged.
  2. The changelog from CHANGELOG.md is also copied into the GitHub release notes under https://github.com/smallstep/certificates/releases (or, alternatively, the release notes link to the file).
  3. Bonus note regarding the Git flow: I see that both v0.29.0 and v0.28.4 were tagged from the master branch. Since "this project adheres to Semantic Versioning", there should ideally be a dedicated Git branch for stable releases, so that new features and other major changes can be integrated into the master branch while only the relevant backward-compatible bug fixes are backported to the release branches for patch releases.

Last but not least, I want to thank you for this awesome OSS software! Please consider this issue only a suggestion for improvement from a user perspective (/ user feedback); I obviously have no right to demand anything.

Why is this needed?

It would improve the update experience for users and give the project an even more "professional"/reliable look.
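The pre-tag check from suggestion 1 and the release-notes copy from suggestion 2, as an added example that is not part of this issue or of the smallstep/certificates project: a POSIX shell release gate that parses a Keep-a-Changelog style CHANGELOG.md, refuses to tag a version whose section is missing or still reads "unreleased", and extracts that version's section for the GitHub release notes. The header format `## [X.Y.Z] - YYYY-MM-DD`, the function names and the sample changelog below (its entries and dates are constructed, not the project's real file) are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of smallstep/certificates: a pre-tag release gate
# for a Keep-a-Changelog style CHANGELOG.md, plus extraction of one version's
# section for the GitHub release notes. File and header layout are assumed.

# changelog_check FILE VERSION
#   0 -> "## [VERSION] - YYYY-MM-DD" header present with a real date
#   1 -> no header for VERSION at all
#   2 -> header present but still marked "unreleased"
#   3 -> header present but the date is malformed
changelog_check() {
  file=$1
  version=$2
  # Escape the dots so "0.29.0" does not also match "0x29x0".
  pat=$(printf '%s' "$version" | sed 's/\./\\./g')
  header=$(grep -E "^## \[$pat\]" "$file" | head -n 1)
  [ -n "$header" ] || return 1
  case "$header" in
    *[Uu]nreleased*) return 2 ;;
  esac
  printf '%s\n' "$header" | grep -qE -- '- [0-9]{4}-[0-9]{2}-[0-9]{2}$' || return 3
  return 0
}

# changelog_section FILE VERSION
#   Prints VERSION's section: its header through the line before the next
#   "## [" header. Suitable as input for `gh release create --notes-file`.
changelog_section() {
  awk -v v="$2" '
    /^## \[/ { if (found) exit; found = (index($0, "## [" v "]") == 1) }
    found    { print }
  ' "$1"
}

# release_gate TAG [FILE]
#   Run before `git tag TAG`: strips a leading "v", checks the changelog and
#   prints a human-readable verdict. A non-zero exit should block the release.
release_gate() {
  tag=$1
  file=${2:-CHANGELOG.md}
  version=${tag#v}
  changelog_check "$file" "$version"
  rc=$?
  case $rc in
    0) echo "ok: $file has a dated section for $version" ;;
    1) echo "refusing to tag $tag: no '## [$version]' section in $file" ;;
    2) echo "refusing to tag $tag: section for $version is still marked unreleased" ;;
    3) echo "refusing to tag $tag: section for $version has no YYYY-MM-DD date" ;;
  esac
  return $rc
}

# Constructed sample changelog (not the project's real file; dates and
# entries are made up), reproducing the exact "unreleased" slip the issue describes.
sample_changelog() {
  cat <<'EOF'
# Changelog
All notable changes to this project will be documented in this file.

## [Unreleased]

## [0.29.0] - unreleased

### Security
- Example entry: a fix that should have shipped with a dated section

## [0.28.4] - 2025-11-20

### Fixed
- Example entry: a backported bug fix
EOF
}

# Demo on the constructed sample: 0.29.0 is blocked, 0.28.4 passes.
demo() {
  tmp=$(mktemp)
  sample_changelog > "$tmp"
  release_gate v0.29.0 "$tmp" || :   # refused, exit code 2
  release_gate v0.28.4 "$tmp" || :   # ok, exit code 0
  echo "--- release notes for v0.28.4 ---"
  changelog_section "$tmp" 0.28.4
  rm -f "$tmp"
}
demo
```

In a release job this would run as `release_gate "$TAG" CHANGELOG.md` before `git tag`, and the notes copy becomes `changelog_section CHANGELOG.md 0.29.0 > notes.md && gh release create v0.29.0 --notes-file notes.md`, so the release page and the file can never silently diverge.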

Labels

enhancement, needs triage (waiting for discussion / prioritization by team)