ci: updated branches and dev process #1704
Pull request overview
This PR updates NethSecurity’s CI/CD and documentation to support a branch-based release flow, adding testing and stable as automated publishing branches and removing the previous tag/manual “release stable packages” workflow approach.
Changes:
- Extend `build-image` workflow triggers to `testing`/`stable`, adjust version suffixing, and avoid overwriting existing `stable`/`testing` image artifacts.
- Remove legacy workflows for "release stable packages" and subscription syncing.
- Update docs and cleanup tooling to reflect the new version format and release process.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tools/cleanup/cleanup.py | Updates dev-build timestamp extraction to support the new prerelease segment format. |
| docs/development_process.md | Updates the documented stable release flow to branch-merge driven publishing and revises manual release guidance. |
| docs/build/index.md | Clarifies build defaults/variable behavior wording. |
| build.conf.defaults | Removes REPO_CHANNEL default from versioned defaults. |
| AGENTS.md | Updates CI/release documentation table and stable release steps (but needs a correction for PR builds). |
| .github/workflows/subscription.yml | Removes the workflow that synced stable → subscription on a schedule. |
| .github/workflows/release-stable.yml | Removes the manual dev → stable package sync workflow. |
| .github/workflows/cleanup-branch.yml | Adjusts cleanup logic to purge PR-numbered channels and exempts testing. |
| .github/workflows/build-image.yml | Implements branch-based publishing (main→dev, testing/stable→respective channels) and conditional image artifact upload. |
| podman exec -ti parceler-php php artisan repository:snapshots nethsecurity | ||
| ``` | ||
| Let's assume the latest snapshot is `2024-10-02T08:43:17+02:00`. | ||
| 2. If you want to push all the packages to all firewall without waiting the tier period, execute: |
| - Close related issues and milestones. | ||
| - Archive completed project-board items. | ||
| - Release NethSecurity Controller if applicable. | ||
| - Publish the user-facing announcement once the release draft is approved. |
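Review bot: the last checklist item, "Publish the user-facing announcement once the release draft is approved", no longer says where the announcement goes; name the destination (the forum links the previous text carried) so the step is actionable. Step 2 also reads better as "push all the packages to all firewalls without waiting for the tier period", and it should state what "the tier period" is or link to where it is defined, since the reader has to know what they are skipping.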
Please, re-add both links to forums
|
|
||
| If you want to change the base URL, add the variable override you need in `98-overrides.list`, `apk` will then handle by itself the replacement. | ||
|
|
||
| This changes for image updates, to recieve the correct popup you need to update the `ns-plug.config.repository_url` variable and the `/etc/repo-channel`, this will reflect even into `apk` unless a override has been set. This can be done as the following: |
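Review bot: the second paragraph ("This changes for image updates, to recieve the correct popup ...") is hard to follow and has a typo ("recieve"); split it into the two actions it describes, setting `ns-plug.config.repository_url` and writing the channel name to `/etc/repo-channel`, and then state in a separate sentence that `apk` follows the same channel unless an override is present. The first paragraph should also name the variable to write into `98-overrides.list`, since the file name alone does not tell the reader what the override must contain.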
This is not clear, I really do not understand it
| ```bash | ||
| cp /etc/apk/repositories.d/customfeeds.list /etc/apk/repositories.d/customfeeds.list.ori | ||
| cat /rom/etc/apk/repositories.d/distfeeds.list | sed 's/dev/stable/g' > /etc/apk/repositories.d/customfeeds.list | ||
| echo 'set repo_channel=staging' > /etc/apk/repositories.d/98-overrides.list |
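Review bot: the snippet is internally inconsistent: `sed 's/dev/stable/g'` rewrites the feeds to the stable channel while the next line sets `repo_channel=staging`, so the two files would point at different channels; use one channel name throughout the example. Separately, an unanchored `s/dev/stable/g` replaces every occurrence of `dev` on each feed line, including inside a hostname or a path segment that is not the channel, so anchor the pattern to the channel component, e.g. `sed 's#/dev/#/stable/#'`, so that only the channel is changed.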
Not sure we should use staging as example, I'd use release/stable.
Use case: an Enterprise user wants to install an update directly from Community repo, before it's released to Enterprise.
| ### Packages | ||
| ### Draft release from a tag | ||
|
|
||
| Tags are Git tags in the NethSecurity repository. They are created on the stable release commit, and on GitHub they are visible under the repository tags list and used as the name of the draft release. |
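Review bot: "Draft release from a tag" does not say whether a prerelease (beta/testing) build gets a tag or a draft release; since the PR description states that tags are now tied to the release branch only, say explicitly that only stable release commits are tagged and how a testing build is published without one, ideally with a short example. The two consecutive headings "### Packages" and "### Draft release from a tag" also leave the first section without a body; confirm that is intended. Finally, the branch names used here (stable/testing) differ from those in the PR description (release/staging); unify them.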
If I want to release a beta release, I should not create any tag, right?
Can we add an example?
Proposed changes to the dev process

At the moment the dev process is as the following:

- `main`, that produces a DEV build. This dev build is used for testing only.

Current proposal is to automatically push the packages and images when merged to specified branches:

- `main`: doesn't change, it's the dev branch and won't be touched; processes here happen as they always have been.
- `pr`: pull requests also don't actually change.
- `staging`: introducing this branch to allow us to have a staging channel for some partners and/or specified machines where we want to test the not-ready-to-release packages. This will be updated by merging the content of main or cherry-picking the changes.
- `release`: release is to release packages to the public, release channel. This can be used to release from testing or directly from main. Once this has been released it's needed to rebase main and staging to this branch, allowing changes already merged to be synced to the other channels.

When releasing to `release` or `staging`, images are not written over if they're already present in the remote channel. I've considered the need for a rewrite of the image a complete edge case with no clear path forward at the moment. The solution to this is a manual build and manual copy. This can however be changed by adding a flag over the CI that forces the image push, not implemented at the moment.

TAGS: Tags have been removed from the build process, since I've noted above the need to rewrite history if a botched build is pushed. Releases, however, are needed to be made to save the SBOM and manifest.

My proposal is to use TAGS just for releases and tie them up to the release branch instead of the main one.

Note: Not all documentation is up to date; if this draft goes forward I'll look into changing that, not applied at the moment due to uncertainty and changes to be applied if the draft gets updated.