This doc covers how Simple Container (sc) is released, where to read
release notes, how vulnerabilities are surfaced in notes, and how the
release ↔ disclosure flow ties together.
It satisfies the OpenSSF Best Practices release_notes,
release_notes_vulns, and report_archive criteria.
| What | Where |
|---|---|
| Per-release human-readable notes | https://github.com/simple-container-com/api/releases |
| Public vulnerability advisories | https://github.com/simple-container-com/api/security/advisories |
| Public issue / PR archive (reports + responses) | https://github.com/simple-container-com/api/issues + https://github.com/simple-container-com/api/pulls?q=is%3Apr+is%3Aclosed |
Every push to main triggers .github/workflows/push.yaml. After
build + sign + publish to dist, the docker-finalize job invokes
scripts/create-github-release.sh
which calls:
gh release create "${VERSION}" "${assets[@]}" \
--repo "${GITHUB_REPOSITORY}" \
--title "v${VERSION}" \
--generate-notes \
--verify-tagThe --generate-notes flag uses GitHub's auto-generation: it walks
back to the previous tag and produces a categorised summary of merged
PRs since then, plus a "New Contributors" callout. This is not
raw git log output — it groups by PR + author + label, with PR
titles and authors hyperlinked.
Release notes are attached to each Release object alongside the signed
sidecars (.cosign-bundle, .sigstore.json, .sha256, .sbom.cdx.json).
Consumers can verify the integrity of the artifacts AND read the notes
in the same Release UI.
Security-relevant changes follow these conventions so they surface clearly in the auto-generated notes:
-
Commit subject prefix: security fixes use
fix(security):/fix(deps):(for CVE-closing dep bumps) /hotfix(...). Examples from history:fix(deps): bump docs python 3.9 → 3.12-slim + pin requests/urllib3 to patched versions(closes GHSA-gc5v-m9x4-r6x2, GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc)fix(deps): migrate aws-sdk-go v1 → v2 (Vulnerabilities 8→10)(addresses GO-2022-0635, GO-2022-0646)hotfix(sc.sh): drop invalid --yes flag on cosign verify-blob(production outage — installs broken since #264)
-
CVE / GHSA references: the body of every security-fix commit includes the upstream advisory IDs (
GHSA-...,CVE-...,GO-YYYY-NNNN) it closes. These show up in the release-notes summary via the linked PR. -
GitHub Security Advisories: when a security report reaches maintainers via the channels in
SECURITY.md, the fix lands via a regular PR, and the corresponding GHSA is published on https://github.com/simple-container-com/api/security/advisories. The advisory cross-links the affected version + the patch PR + the release tag, so a consumer reading the release notes can pivot to the advisory page directly. -
N/A is honest: if a given release fixed no publicly-known vulnerabilities, no vulnerability section is forced into the notes. The
--generate-notesoutput simply omits a security callout.
For a given release vYYYY.M.X:
- Open https://github.com/simple-container-com/api/releases/tag/YYYY.M.X
(note: tag has no
vprefix in our scheme; the Release title showsvfor human readability). - The auto-generated body lists every merged PR. Filter mentally for
PRs whose title starts with
fix(security),fix(deps), orhotfix(...). - Click through to any PR for the full commit body — that's where the CVE / GHSA ID lives.
- Cross-check against the advisory archive at
https://github.com/simple-container-com/api/security/advisories
for any advisory marked Published with a
Patched infield matching this release. - The dist-side tarballs at
https://dist.simple-container.com/sc-*-vYYYY.M.X.tar.gzship the same release. Verify their integrity withcosign verify-blobperSECURITY.mdbefore upgrading.
- Production releases: cut automatically on every merge to
main. Calver schemeYYYY.M.Xdriven byreecetech/version-increment@2023.10.2. There is no manual release process — every accepted change inmainships. - Preview releases: produced by
.github/workflows/branch-preview.yamlon aworkflow_dispatchtrigger from a feature branch. TaggedvYYYY.M.X-pre.SHORTSHA-preview.SHORTSHA. These do NOT create GitHub Release objects (filtered byscripts/create-github-release.sh), but their signed sidecars are still published todist.*. - Hotfixes: same flow as a regular fix. Merge to
main→ automatic release. No separate hotfix branch model. See PR #268 for the canonical hotfix example (cosign--yesflag bug).
Public issue and PR threads — including security-fix PR discussions once their corresponding advisory is published — are archived at:
- https://github.com/simple-container-com/api/issues — open + closed issues
- https://github.com/simple-container-com/api/pulls?q=is%3Apr+is%3Aclosed — closed PRs
- https://github.com/simple-container-com/api/security/advisories — Published GitHub Security Advisories
GitHub's full-text search across these surfaces makes the archive searchable without additional infrastructure.
SECURITY.md— threat model, reporting channels, disclosure cadenceCONTRIBUTING.md— contribution requirementsMAINTAINERS.md— who handles security responsesARCHITECTURE.md— system actors + trust boundaries the release pipeline operates withinDEPENDENCIES.md— dep selection + tracking that drives most of thefix(deps)security PRsROADMAP.md— where planned work + open security items surface in public