This document describes the Fort Knox-grade release process for MetaGraph. This process ensures deterministic builds, comprehensive validation, and cryptographic attestation of all releases.
The MetaGraph release process follows a strict workflow designed to prevent accidental releases, ensure quality, and maintain a complete audit trail. The process is fail-fast: any issue immediately halts the release.
All development happens on feature branches:
- Branch from
mainwith descriptive names (e.g.,feat/hypergraph-traversal) - Follow conventional commit format
- Ensure all commits pass pre-commit hooks
When ready to prepare a release:
# Create release branch from main
git checkout main
git pull origin main
git checkout -b release/v0.1.0
# For release candidates
git checkout -b release/v0.1.0-rc1Release branch naming:
- Format:
release/vMAJOR.MINOR.PATCH[-PRERELEASE] - Examples:
release/v0.1.0,release/v1.0.0-rc1,release/v2.3.4-beta
Run the release preparation script:
./scripts/prepare-release.shThis script performs comprehensive validation:
- Branch Validation: Ensures you're on a
release/v*branch - Clean Worktree: No uncommitted changes or untracked files
- Version Validation: Version must be higher than latest tag and current version
- Version Consistency: All version files must match the branch version
- Clean Release Build: Full rebuild with
-DCMAKE_BUILD_TYPE=Release - Test Suite: All tests must pass with no failures
- Static Analysis: clang-tidy must report zero issues
- Security Audit: All security checks must pass
- Performance Check: No regressions beyond ±5% tolerance
If any check fails, the script exits with a specific error code:
1: Not on a release branch2: Dirty working tree3: Version mismatch in files4: Version downgrade detected5: Quality check failed6: Version files were updated (commit needed)
If the script updates version files:
git add include/metagraph/version.h CMakeLists.txt
git commit -m "chore: bump version to v0.1.0
Prepare for v0.1.0 release
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>"# Push the release branch
git push -u origin release/v0.1.0
# Create PR to main
gh pr create --base main --title "Release v0.1.0" \
--body "## Release v0.1.0
### Changes
- Feature: Hypergraph data model implementation
- Feature: Binary bundle format
- Enhancement: Thread-safe graph operations
### Validation
- [x] All tests passing
- [x] Static analysis clean
- [x] Security audit passed
- [x] Performance within tolerance
- [x] Version files updated
### Release Checklist
- [ ] Approved by @CODEOWNER
- [ ] CI/CD pipeline green
- [ ] CHANGELOG.md updated
- [ ] Migration guide (if breaking changes)
🤖 Generated with [Claude Code](https://claude.ai/code)"Only release branches can merge to main:
- PR must be approved by CODEOWNERS
- All CI checks must pass
- No direct commits to main allowed
After merging to main, CI automatically:
- Creates Git Tag:
v0.1.0signed with GPG - Builds Release Artifacts:
- Source tarball with SHA256 checksum
- Binary packages for each platform
- SBOM (Software Bill of Materials)
- Signs Artifacts: Using cosign with OIDC identity
- Creates GitHub Release: With all artifacts and signatures
- Publishes Documentation: Updates docs site
Version information is stored in:
include/metagraph/version.h: API version and build infoCMakeLists.txt: Project version for CMake
MetaGraph follows Semantic Versioning:
- MAJOR: Incompatible API changes
- MINOR: Backwards-compatible functionality
- PATCH: Backwards-compatible bug fixes
- PRERELEASE: Optional (e.g.,
-rc1,-beta)
The release script uses sort -V for proper semantic version comparison, correctly handling:
0.9.0<0.10.0(numeric comparison)1.0.0-rc1<1.0.0(pre-release ordering)2.0.0-alpha<2.0.0-beta<2.0.0
Performance baselines are machine-specific and not stored in git:
# Create baseline for your machine
./scripts/profile.sh timing
cp .ignored/timing-analysis.txt performance-baseline.txt
# Baseline is used by prepare-release.sh
# Regression > 5% will fail the releaseAll releases must pass security audit:
- Stack Canaries: Required on all binaries
- PIE/ASLR: Position Independent Executables
- FORTIFY_SOURCE: Buffer overflow protection
- Secure Flags: No executable stacks, full RELRO
- Dependency Scan: No known vulnerabilities
The pre-push hook automatically runs prepare-release.sh on release branches:
# Automatically triggered when pushing release/* branches
git push origin release/v0.1.0
# Hook runs prepare-release.sh before pushRelease workflow (/.github/workflows/release.yml):
- Triggered on push to
mainwith version tag - Builds deterministic artifacts
- Runs full test matrix
- Generates and signs SBOM
- Creates GitHub release
- Notifies maintainers
If issues are discovered post-release:
- Revert Merge: Create revert PR immediately
- Investigate: Root cause analysis
- Fix Forward: Patch on new release branch
- Expedited Release: Follow same process with higher urgency
Before starting a release:
- All planned features merged
- No open security issues
- Documentation updated
- CHANGELOG.md prepared
- Performance baseline current
- Team notification sent
During release:
- Release branch created
- prepare-release.sh passes
- Version files committed
- PR created and approved
- CI/CD pipeline green
Post-release:
- Tag created automatically
- Artifacts published
- Documentation deployed
- Announcement sent
Working tree is dirty
# Check status
git status
# Stash changes if needed
git stash
# Or commit changes
git add -A && git commit -m "..."Version mismatch
# Script will show which files need updating
# After script updates them:
git add include/metagraph/version.h CMakeLists.txt
git commit -m "chore: bump version files"Performance regression
# Update baseline if legitimate
./scripts/profile.sh timing
cp .ignored/timing-analysis.txt performance-baseline.txt
# Or investigate regression
./scripts/profile.sh memorySecurity audit failure
# Check specific failure
cat .ignored/security-audit.txt
# Common fixes:
# - Stack canaries: Add buffer operations
# - PIE: Check CMAKE_POSITION_INDEPENDENT_CODE| Code | Meaning | Resolution |
|---|---|---|
| 0 | Success | Ready to push |
| 1 | Not on release branch | Create release/v* branch |
| 2 | Dirty worktree | Commit or stash changes |
| 3 | Version mismatch | Commit updated files |
| 4 | Version downgrade | Use higher version |
| 5 | Quality check failed | Fix the specific issue |
| 6 | Files need commit | Commit version updates |
Releases are built with:
SOURCE_DATE_EPOCH: Reproducible timestamps-ffile-prefix-map: Strip build paths- Sorted inputs: Consistent file ordering
- Pinned dependencies: Exact versions
All artifacts include:
- SHA256 checksums: For integrity
- GPG signatures: For authenticity
- SBOM: Complete dependency tree
- Cosign signatures: OIDC-based signing
For critical security fixes:
- Create
hotfix/v*branch from affected tag - Apply minimal fix
- Follow standard release process
- Backport to main if applicable
The MetaGraph release process prioritizes:
- Safety: Fail-fast validation prevents bad releases
- Quality: Comprehensive checks ensure stability
- Security: Cryptographic attestation and audit trail
- Reproducibility: Deterministic builds enable verification
This Fort Knox approach ensures every release meets the highest standards of quality and security.