This document explains the release strategy for artifacts in this organization.
Projects create a new branch when they need to start working on 2 separate versions of the product, with the main
branch always being the furthest-out release.
OpenSearch typically tracks 3 releases in parallel. For example, given the last major release of 1.0, OpenSearch in this organization maintains the following active branches.
- `main`: The next major release, currently 2.0. This is the branch where all merges take place, and code moves fast.
- `1.x`: The next minor release, currently 1.1. Once a change is merged into `main`, decide whether to backport it to `1.x`.
- `1.0`: The current release, currently 1.0. In between minor releases, only hotfixes (e.g. security) are backported to `1.0`. The next release out of this branch will be 1.0.1.
Label PRs with the next major version label (e.g. `2.0.0`) and merge changes into `main`. Label PRs that you believe need to be backported as `1.x` and `1.0`. Backport PRs by checking out the versioned branch, cherry-picking the changes, and opening a PR against each target backport branch.
Plugins are bundled and shipped together with OpenSearch for every release. Plugin branching follows OpenSearch core branching, which allows working on 3 releases at the same time.
Do not create branches in the upstream repo; use your fork. The only exception is long-lasting feature branches that require active collaboration from multiple developers. Name feature branches `feature/<thing>`. Once the work is merged to `main`, please make sure to delete the feature branch.
OpenSearch versioning follows semver.
The build number of the engine is 3-digit `major.minor.patch` (e.g. `1.1.0`), while plugins use 4 digits (`1.1.0.45`). See OpenSearch#1093 for a proposal to remove this difference.
Versions are incremented as soon as development starts on a given version to avoid confusion. In the examples above, versions are as follows.
- OpenSearch: `main` = 2.0.0, `1.x` = 1.1.0, and `1.0` = 1.0.0
- job-scheduler: `main` = 1.1.0.0, `1.0` = 1.0.0.0
Create tags after a release that match the version number, `major.minor.patch`, without a `v` prefix.
For a discussion on whether to add a `v` prefix to release tags, see #35.
Repositories create consistent release labels, such as `v1.0.0`, `v1.1.0` and `v2.0.0`, as well as `patch` and `backport`. Use release labels to target an issue or a PR for a given release. See MAINTAINERS for more information on triaging issues.
See Releasing OpenSearch.
If you discover a potential security issue in this project we ask that you notify the OpenSearch Security Team by email at [email protected]. Please do not create a public GitHub issue. See SECURITY.md for more information on the security response process.
The OpenSearch Project currently performs security reviews before releasing signed artifacts. These are typically conducted for any of the following:
- Releases from a new GitHub repository, such as a new plugin or extension, client, or tool.
- Major new features added to an existing application, including significant UX or API changes.
- Changes to authentication, authorization, cryptography, or other security-impacting functions.
- New software or infrastructure deployed to support the project, such as CI/CD.
- New 3rd-party providers or vendors being used by the project.
The review process consists of building a threat model for the proposed change and optionally engaging a specialist to perform additional testing, such as penetration testing. This process is done in parallel and in private within the project, during development, and usually takes 4-10 weeks. A repository maintainer will assess the scope of the new changes, initiate and manage a security review, provide public updates, and, if needed, communicate privately by email with the contributors. Please add a note in your pull request if you believe a security review is warranted.
Please see opensearch-project/.github#81 for a discussion on improving this and other security-related processes.
This project follows semantic versioning. Backwards-incompatible changes always result in a new major version and will never be backported. Small improvements and features will be backported to a new minor version (e.g. `1.1`). Security fixes will be backported to a new patch version (e.g. `1.0.1`).
Here are the commands we typically run to backport changes to release branches:
- Checkout the target release branch and pull the latest changes from `upstream`. In the examples below, our target release branch is `1.x`.

```sh
git checkout 1.x
git pull upstream 1.x
```

- Create a local branch for the backport. A convenient naming convention is `backport-[PR-id]-[target-release-branch]`.

```sh
git checkout -b backport-pr-xyz-1.x
```

- Cherry-pick the commit to backport. Remember to include the DCO signoff; the `-s` flag adds the `Signed-off-by` trailer for the committer identity configured in git.

```sh
git cherry-pick <commit-id> -s
```

- Push the local branch to your fork.

```sh
git push origin backport-pr-xyz-1.x
```

- Create a pull request for the change.
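The following script is an added example, not tooling from the OpenSearch project: it rehearses the backport steps above in a throwaway repository so the result can be inspected offline. It builds a scratch repo with an initial commit on `main`, cuts a `1.x` release branch, adds a constructed "fix" commit on `main`, cherry-picks it onto a `backport-<pr>-1.x` branch with `-s`, and then checks that the resulting commit carries a `Signed-off-by` trailer and sits on top of `1.x` rather than `main`. It assumes `git` is on `PATH`; the committer identity, branch names and commit messages are made up for the demo, and the final `git push` / PR step is only noted in a comment because the scratch repo has no remote.

```sh
#!/bin/sh
# Added example (not OpenSearch project code): rehearse the backport
# procedure in a throwaway repository. Names and commits are constructed.
set -eu

# Build a scratch repository: an initial commit on main, a 1.x release
# branch cut from it, then a "fix" commit on main that we want to backport.
# Prints the repository path.
setup_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/main   # name the unborn branch main
    git -C "$repo" config user.name "Demo Developer"   # constructed identity
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config commit.gpgsign false
    echo "2.0.0" > "$repo/VERSION"
    git -C "$repo" add VERSION
    git -C "$repo" commit -q -m "Initial commit"
    git -C "$repo" branch 1.x                           # release branch cut from main
    echo "null check added" > "$repo/fix.txt"
    git -C "$repo" add fix.txt
    git -C "$repo" commit -q -m "Fix null check in parser (#123)"
    printf '%s\n' "$repo"
}

# Backport the tip of main onto a release branch, following the steps above:
# check out the target, create backport-<pr>-<target>, cherry-pick with -s.
backport_to_release() {
    repo=$1; pr=$2; target=$3
    commit=$(git -C "$repo" rev-parse main)
    git -C "$repo" checkout -q "$target"
    git -C "$repo" checkout -q -b "backport-$pr-$target"
    git -C "$repo" cherry-pick -s "$commit" >/dev/null
    # Real workflow continues with:  git push origin backport-$pr-$target
    # and a PR against $target. This scratch repo has no remote, so stop here.
}

# Check the DCO requirement: the tip commit of the given branch must carry a
# Signed-off-by trailer. Prints "ok" or "missing" and returns 0 or 1.
check_dco_signoff() {
    repo=$1; branch=$2
    if git -C "$repo" log -1 --format=%B "$branch" | grep -q '^Signed-off-by: '; then
        echo ok
        return 0
    fi
    echo missing
    return 1
}

# Check the backport landed on the release branch: the target's tip must be an
# ancestor of the backport branch, and main's tip must not be (cherry-pick
# creates a new commit instead of merging main). Returns 0 when both hold.
check_backport_base() {
    repo=$1; branch=$2; target=$3
    git -C "$repo" merge-base --is-ancestor "$target" "$branch" || return 1
    if git -C "$repo" merge-base --is-ancestor main "$branch"; then
        return 1
    fi
    return 0
}

# Usage: run the rehearsal end to end and show the resulting history.
REPO=$(setup_demo_repo)
backport_to_release "$REPO" pr-123 1.x
check_dco_signoff "$REPO" backport-pr-123-1.x
check_backport_base "$REPO" backport-pr-123-1.x 1.x && echo "based on 1.x, not main"
git -C "$REPO" log --format='%h %s' backport-pr-123-1.x
```

If `check_dco_signoff` prints `missing`, the cherry-pick was run without `-s` (or the commit was amended afterwards); re-run it with `-s` before pushing, since the PR will otherwise fail the DCO check.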