08 — Release Workflows
Task 8: design release workflows. How a green
mainbecomes a versioned, promoted, rollback-able production release — and a self-host artifact.
1. Versioning & changelog
- SemVer (
MAJOR.MINOR.PATCH), aligned with the public-API versioning policy (ADR-0015). - Conventional Commits drive automated version bumps + changelog generation
(release-please / semantic-release):
feat:→ minor,fix:→ patch,feat!:/BREAKING CHANGE→ major. - A Git tag
vX.Y.Zis the release identity; it never rebuilds the app image — it promotes an already-built, signed digest (07).
2. The release & promotion flow
flowchart LR
classDef m fill:#fde68a,stroke:#b45309,color:#111827;
classDef g fill:#fbcfe8,stroke:#be185d,color:#111827;
classDef e fill:#bbf7d0,stroke:#15803d,color:#111827;
classDef x fill:#fecaca,stroke:#b91c1c,color:#111827;
main["green main → digest D (signed, SBOM)"]:::m --> dev["dev (auto-sync D)"]:::e
dev -->|"release-please tag vX.Y.Z + changelog"| rc["staging: GitOps PR pins D"]:::g
rc -->|"e2e + load + soak pass"| gate{"manual approval<br/>+ sync window open?"}:::g
gate -- yes --> prod["prod: GitOps PR pins D → canary ([04])"]:::e
gate -- no --> hold["hold"]:::x
prod -->|"analysis pass"| stable["stable"]:::e
prod -->|"analysis fail"| rb["auto-abort → stable"]:::x
- Promotion = PR in the GitOps repo moving digest
Dto the next env’s values (03, ADR-0034) — reviewable + revertable. - Gates: auto dev → staging on green; manual approval (GitHub environment protection or GitOps PR review) + green staging soak/load + open sync window for staging → prod.
- Prod uses canary + automated analysis (04).
3. Rollback & hotfix
| Need | Action | Speed |
|---|---|---|
| Canary regressing | automatic abort (Argo Rollouts) | seconds |
| Bad release already at 100% | git revert the digest bump → ArgoCD re-syncs prior digest |
minutes |
| Urgent prod fix | hotfix branch off the release tag → patch release → expedited promotion (skip nonprod where justified, still canary) | fast |
| Schema issue | roll forward (expand/contract); PITR last resort (12) | — |
Because artifacts are immutable and state is in Git, rollback is revert a commit, not a fire drill.
4. Self-host release artifacts
A release publishes, in addition to the SaaS promotion:
- Versioned Helm chart to an OCI registry (05).
- Multi-arch images (already signed, 07).
- Docker Compose bundle for the
lite/standardtiers (ADR-0012). - Release notes + upgrade guide + migration notes (expand/contract steps, 04).
So self-hosters consume the same tested artifacts, versioned and signed.
5. Cadence & communication
- Trunk-based, continuous to dev; periodic (or continuous-canary) promotion to prod.
- Breaking changes follow the API policy (ADR-0015): new major, deprecation window, changelog callout.
- Freeze windows (peak/holiday) enforced via ArgoCD sync windows (06).
6. Tradeoffs / Alternatives / Scaling
Tradeoffs. Automated versioning/changelog requires commit-message discipline (Conventional Commits) — a small tax for reproducible, human-free releases. Manual prod gate trades a little speed for safety on a data-custody product.
Alternatives considered.
- Manual version bumps + handwritten changelogs: drift, human error. Rejected for automation.
- Continuous deployment straight to prod (no gate): viable once canary analysis is trusted; we start gated and can relax per-service as confidence grows.
- Rebuild per environment at release: breaks “same bytes everywhere”; rejected — we promote digests (ADR-0034).
Scaling concerns.
- Many services, independent cadences → per-service SemVer + independent GitOps PRs; the platform version is a manifest of component digests.
- Release auditability → every prod change is a signed image + a reviewed Git commit
- a Rekor entry (07) — a complete chain.
- Coordinated multi-service releases → ApplicationSet progressive syncs order them (06).
References
- release-please: https://github.com/googleapis/release-please
- Conventional Commits: https://www.conventionalcommits.org/
- ArgoCD sync windows: https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/