From 150bb48d0e7ff32d1dd81de840d13a5a53a4dfcf Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Fri, 9 Jun 2023 22:11:34 +0800
Subject: [PATCH 01/10] update RELEASE_CHECKLIST.md

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index d70760099..d9642aaa7 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -4,16 +4,18 @@
 
 This document describes the checklist to publish a release via GitHub workflow.
 
-NOTE: Make sure the dependencies in `go.mod` file are expected by the release. For example, if there are dependencies on certain version of notation library (notation-go or notation-core-go) or ORAS library (oras-go), make sure that version of library is released first, and the version number is updated accordingly in `go.mod` file.  After updating go.mod file, run `go mod tidy` to ensure the go.sum file is also updated with any potential changes.
-
 ## Release Process
 
+1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. Bump up the `Version` in [internal/version/version.go](internal/version/version.go#L5) and open a PR for the changes.
-1. Wait for the PR merge.
-1. Be on the main branch connected to the actual repository (not a fork) and `git pull`.  Ensure `git log -1` shows the latest commit on the main branch.
-1. Create a tag `git tag -am $version $version`
-1. `git tag` and ensure the name in the list added looks correct, then push the tag directly to the repository by `git push --follow-tags`.
+1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure have majority of approvals from the maintainers before releasing it. 
+1. If there are code changes in notation-go or notation-core-go library, follow the three steps above and cut the release for the library. Then submit a PR to update the dependency versions in notation [go.mod](go.mod) and [go.sum](go.sum). Run `go mod tidy` to ensure the `go.sum` file is also updated with any potential changes.
+1. Bump up the `Version` in [internal/version/version.go](internal/version/version.go#L5) and open a PR for the changes in notation repository. 
+1. After the version and dependencies are updated, be on the `main` branch of the notation repository (not a fork) and execute `git pull`. 
+1. Run `git log -1` to show the latest commit on the `main` branch and make sure you are on the up-to-date commit.
+1. Create a tag by running `git tag -am $version $version`.
+1. Run `git tag` and ensure the name in the list added looks correct, then push the tag directly to the repository by running `git push --follow-tags`.
 1. Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
 1. Check the new draft release, revise the release description, and publish the release.
+1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary website, includes but not limited to installation guide, user guide, banner, release blog.
 1. Announce the release in the community.

From 544df77771922f8da8cb687ed74476f871b1a614 Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Wed, 14 Jun 2023 16:07:58 +0800
Subject: [PATCH 02/10] update RELEASE_CHECKLIST

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index d9642aaa7..00ded0ae0 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -8,14 +8,14 @@ This document describes the checklist to publish a release via GitHub workflow.
 
 1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure have majority of approvals from the maintainers before releasing it. 
-1. If there are code changes in notation-go or notation-core-go library, follow the three steps above and cut the release for the library. Then submit a PR to update the dependency versions in notation [go.mod](go.mod) and [go.sum](go.sum). Run `go mod tidy` to ensure the `go.sum` file is also updated with any potential changes.
+1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the library. Then submit a PR to update the dependency versions in notation [go.mod](go.mod) and [go.sum](go.sum). Run `go mod tidy` to ensure the `go.sum` file is also updated with any potential changes.
 1. Bump up the `Version` in [internal/version/version.go](internal/version/version.go#L5) and open a PR for the changes in notation repository. 
-1. After the version and dependencies are updated, be on the `main` branch of the notation repository (not a fork) and execute `git pull`. 
-1. Run `git log -1` to show the latest commit on the `main` branch and make sure you are on the up-to-date commit.
-1. Create a tag by running `git tag -am $version $version`.
-1. Run `git tag` and ensure the name in the list added looks correct, then push the tag directly to the repository by running `git push --follow-tags`.
+1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure have majority of approvals from the maintainers before releasing it. 
+1. After the version and dependencies are updated, be on the `main` branch of the notation repository (not a fork) and execute `git clone https://github.com/notaryproject/notation.git`. 
+1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
+1. Create a tag by running `git tag -s $version`.
+1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push $version`.
 1. Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
 1. Check the new draft release, revise the release description, and publish the release.
-1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary website, includes but not limited to installation guide, user guide, banner, release blog.
+1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).
 1. Announce the release in the community.

From aa542fc1c1be960160682f769557c057e7cda990 Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Mon, 19 Jun 2023 09:57:38 +0800
Subject: [PATCH 03/10] update RELEASE CHECKLIST

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index 00ded0ae0..c086bf020 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -6,12 +6,12 @@ This document describes the checklist to publish a release via GitHub workflow.
 
 ## Release Process
 
-1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes
+1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the library. Then submit a PR to update the dependency versions in notation [go.mod](go.mod) and [go.sum](go.sum). Run `go mod tidy` to ensure the `go.sum` file is also updated with any potential changes.
-1. Bump up the `Version` in [internal/version/version.go](internal/version/version.go#L5) and open a PR for the changes in notation repository. 
-1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure have majority of approvals from the maintainers before releasing it. 
-1. After the version and dependencies are updated, be on the `main` branch of the notation repository (not a fork) and execute `git clone https://github.com/notaryproject/notation.git`. 
+1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the library. Then submit a PR to update the dependency versions in notation [go.mod](go.mod), [go.sum](go.sum), and [test/e2e/go.mod](test/e2e/go.mod). Run `go mod tidy` to ensure the `go.sum` file is also updated with any potential changes.
+1. Bump up the `Version` in [internal/version/version.go](internal/version/version.go#L5) and open a PR for the changes in the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step.
+1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure to have majority of approvals from the maintainers before releasing it. 
+1. After the version and dependencies are updated, on the `main` branch of the notation repository (not a fork), execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system. 
 1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
 1. Create a tag by running `git tag -s $version`.
 1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push $version`.

From bb489c71a8a6abba21be83de79d966b21fcfbb84 Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Mon, 19 Jun 2023 16:46:16 +0800
Subject: [PATCH 04/10] update RELEASE CHECKLIST

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index c086bf020..a2a893b7c 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -8,8 +8,8 @@ This document describes the checklist to publish a release via GitHub workflow.
 
 1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the library. Then submit a PR to update the dependency versions in notation [go.mod](go.mod), [go.sum](go.sum), and [test/e2e/go.mod](test/e2e/go.mod). Run `go mod tidy` to ensure the `go.sum` file is also updated with any potential changes.
-1. Bump up the `Version` in [internal/version/version.go](internal/version/version.go#L5) and open a PR for the changes in the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step.
+1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the notation library. Then update the dependency versions in notation [go.mod](go.mod), [go.sum](go.sum), [test/e2e/go.mod](test/e2e/go.mod), and [test/e2e/go.sum](test/e2e/go.sum). Run `go mod tidy` to check if the `go.sum` file is also updated with any potential changes. Update the `Version` in [internal/version/version.go](internal/version/version.go#L5) in the forked repository. 
+1. Open a PR submit the changes to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step.
 1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure to have majority of approvals from the maintainers before releasing it. 
 1. After the version and dependencies are updated, on the `main` branch of the notation repository (not a fork), execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system. 
 1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.

From 211b6f90fc69e20025a645513d134ea2d0d24593 Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Mon, 31 Jul 2023 09:37:21 +0800
Subject: [PATCH 05/10] update release checklist

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index a2a893b7c..9d609fef4 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -10,8 +10,9 @@ This document describes the checklist to publish a release via GitHub workflow.
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
 1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the notation library. Then update the dependency versions in notation [go.mod](go.mod), [go.sum](go.sum), [test/e2e/go.mod](test/e2e/go.mod), and [test/e2e/go.sum](test/e2e/go.sum). Run `go mod tidy` to check if the `go.sum` file is also updated with any potential changes. Update the `Version` in [internal/version/version.go](internal/version/version.go#L5) in the forked repository. 
 1. Open a PR submit the changes to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step.
-1. Create an issue to vote for the new release. Add the link of change logs and determine a specific git commit to tag on the issue description. List all repo-level maintainers and make sure to have majority of approvals from the maintainers before releasing it. 
-1. After the version and dependencies are updated, on the `main` branch of the notation repository (not a fork), execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system. 
+1. Create a PR to update the dependencies, such as notation-go, notation-core-go. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example.
+1. Create another PR to update the Notation CLI version. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the repo-level maintainers before releasing it. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example.
+1. After the version and dependencies are updated, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
 1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
 1. Create a tag by running `git tag -s $version`.
 1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push $version`.

From 15f811dbfc9659c2c2190c5d883fe1f139cea54b Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Thu, 3 Aug 2023 11:22:40 +0800
Subject: [PATCH 06/10] update release checklist

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index 9d609fef4..50afe223f 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -8,14 +8,16 @@ This document describes the checklist to publish a release via GitHub workflow.
 
 1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the notation library. Then update the dependency versions in notation [go.mod](go.mod), [go.sum](go.sum), [test/e2e/go.mod](test/e2e/go.mod), and [test/e2e/go.sum](test/e2e/go.sum). Run `go mod tidy` to check if the `go.sum` file is also updated with any potential changes. Update the `Version` in [internal/version/version.go](internal/version/version.go#L5) in the forked repository. 
-1. Open a PR submit the changes to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step.
-1. Create a PR to update the dependencies, such as notation-go, notation-core-go. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example.
-1. Create another PR to update the Notation CLI version. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the repo-level maintainers before releasing it. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example.
-1. After the version and dependencies are updated, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
+1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the notation library. Then update the dependency versions in notation `go.mod` and `go.sum`
+  - [go.mod](go.mod), [go.sum](go.sum)
+  - [test/e2e/go.mod](test/e2e/go.mod), [test/e2e/go.sum](test/e2e/go.sum)
+  - [test/e2e/plugin/go.mod](test/e2e/plugin/go.mod) and [test/e2e/plugin/go.sum](test/e2e/plugin/go.sum)
+1. Run `go mod tidy` locally to check if the `go.sum` file is also updated with any potential changes. Open a PR submit the changes to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step. See [PR 754](https://github.com/notaryproject/notation/pull/754) as an example.
+1. Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the repo-level maintainers before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example. 
+1. After the version and dependencies are updated by the the PRs above in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
 1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
 1. Create a tag by running `git tag -s $version`.
-1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push $version`.
+1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
 1. Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
 1. Check the new draft release, revise the release description, and publish the release.
 1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).

From a54b15cba25f055fdb3ee47f3d2a71bd68de8cb9 Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Mon, 7 Aug 2023 16:41:57 +0800
Subject: [PATCH 07/10] update RELEASE CHECKLIST

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index 50afe223f..5f5a75289 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -2,23 +2,23 @@
 
 ## Overview
 
-This document describes the checklist to publish a release via GitHub workflow.
+This document describes the checklist to publish a release for Notation CLI via GitHub workflow.
 
 ## Release Process
 
 1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
 1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. If there are code changes in notation-go or notation-core-go library, follow the two steps above and cut the release for the notation library. Then update the dependency versions in notation `go.mod` and `go.sum`
+1. If there is new release in [notation-go](https://github.com/notaryproject/notation-go) or [notation-core-go](https://github.com/notaryproject/notation-core-go) library that are required to be upgraded in Notation CLI, update the dependency versions in the follow `go.mod` and `go.sum` files of Notation CLI:
   - [go.mod](go.mod), [go.sum](go.sum)
   - [test/e2e/go.mod](test/e2e/go.mod), [test/e2e/go.sum](test/e2e/go.sum)
   - [test/e2e/plugin/go.mod](test/e2e/plugin/go.mod) and [test/e2e/plugin/go.sum](test/e2e/plugin/go.sum)
-1. Run `go mod tidy` locally to check if the `go.sum` file is also updated with any potential changes. Open a PR submit the changes to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step. See [PR 754](https://github.com/notaryproject/notation/pull/754) as an example.
+1. Open a PR submit the changes in the previous step to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step. See [PR #754](https://github.com/notaryproject/notation/pull/754) as an example.
 1. Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the repo-level maintainers before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example. 
-1. After the version and dependencies are updated by the the PRs above in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
+1. After the voting PR is merged and the version and dependencies are updated in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
 1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
 1. Create a tag by running `git tag -s $version`.
 1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
 1. Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
 1. Check the new draft release, revise the release description, and publish the release.
-1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).
-1. Announce the release in the community.
+1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary Project website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).
+1. Announce the release in the Notary Project community.

From 5000740ef3734e8175ea95d54fe4c5479642096d Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Mon, 7 Aug 2023 22:01:50 +0800
Subject: [PATCH 08/10] update release checklist

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index 5f5a75289..92df16826 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -13,12 +13,12 @@ This document describes the checklist to publish a release for Notation CLI via
   - [test/e2e/go.mod](test/e2e/go.mod), [test/e2e/go.sum](test/e2e/go.sum)
   - [test/e2e/plugin/go.mod](test/e2e/plugin/go.mod) and [test/e2e/plugin/go.sum](test/e2e/plugin/go.sum)
 1. Open a PR submit the changes in the previous step to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step. See [PR #754](https://github.com/notaryproject/notation/pull/754) as an example.
-1. Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the repo-level maintainers before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR 748](https://github.com/notaryproject/notation/pull/748) as an example. 
-1. After the voting PR is merged and the version and dependencies are updated in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
+1. Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the [repo-level maintainers](MAINTAINERS) before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR #748](https://github.com/notaryproject/notation/pull/748) as an example. 
+1. After the voting PR is merged in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
 1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
 1. Create a tag by running `git tag -s $version`.
 1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
 1. Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
 1. Check the new draft release, revise the release description, and publish the release.
 1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary Project website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).
-1. Announce the release in the Notary Project community.
+1. Announce the new release in the Notary Project community.

From c569b9575a69eca2094936c657c1f0de937fa76b Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Tue, 7 Nov 2023 07:39:36 +0800
Subject: [PATCH 09/10] resolve comments

Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index 92df16826..2b7ebba3c 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -6,19 +6,19 @@ This document describes the checklist to publish a release for Notation CLI via
 
 ## Release Process
 
-1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
-1. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
-1. If there is new release in [notation-go](https://github.com/notaryproject/notation-go) or [notation-core-go](https://github.com/notaryproject/notation-core-go) library that are required to be upgraded in Notation CLI, update the dependency versions in the follow `go.mod` and `go.sum` files of Notation CLI:
+- Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
+- Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-alpha.1"`.
+- If there is new release in [notation-go](https://github.com/notaryproject/notation-go) or [notation-core-go](https://github.com/notaryproject/notation-core-go) library that are required to be upgraded in Notation CLI, update the dependency versions in the follow `go.mod` and `go.sum` files of Notation CLI:
   - [go.mod](go.mod), [go.sum](go.sum)
   - [test/e2e/go.mod](test/e2e/go.mod), [test/e2e/go.sum](test/e2e/go.sum)
   - [test/e2e/plugin/go.mod](test/e2e/plugin/go.mod) and [test/e2e/plugin/go.sum](test/e2e/plugin/go.sum)
-1. Open a PR submit the changes in the previous step to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step. See [PR #754](https://github.com/notaryproject/notation/pull/754) as an example.
-1. Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the [repo-level maintainers](MAINTAINERS) before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR #748](https://github.com/notaryproject/notation/pull/748) as an example. 
-1. After the voting PR is merged in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone https://github.com/notaryproject/notation.git` to clone the repository to your local file system.
-1. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
-1. Create a tag by running `git tag -s $version`.
-1. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
-1. Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
-1. Check the new draft release, revise the release description, and publish the release.
-1. Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary Project website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).
-1. Announce the new release in the Notary Project community.
+- Open a PR submit the changes in the previous step to the notation repository. Please make sure this PR is merged with all E2E test cases passed before starting the next step. See [PR #754](https://github.com/notaryproject/notation/pull/754) as an example.
+- Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the [repo-level maintainers](MAINTAINERS) before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR #748](https://github.com/notaryproject/notation/pull/748) as an example. 
+- After the voting PR is merged in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone git@github.com:notaryproject/notation.git` to clone the repository to your local file system.
+- Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
+- Create a tag by running `git tag -m $version -s $version`.
+- Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
+- Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
+- Check the new draft release, revise the release description, and publish the release.
+- Update the necessary documentation in the [notaryproject.dev](https://github.com/notaryproject/notaryproject.dev) repository to reflect the changes of the release on the Notary Project website, includes but not limited to [installation guide](https://github.com/notaryproject/notaryproject.dev/blob/main/content/en/docs/installation/cli.md), [user guide](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/docs/how-to), [banner](https://github.com/notaryproject/notaryproject.dev/blob/main/layouts/partials/banner.html), [release blog](https://github.com/notaryproject/notaryproject.dev/tree/main/content/en/blog).
+- Announce the new release in the Notary Project community.

From 74be9f57381867641cfc5d322264404836182e72 Mon Sep 17 00:00:00 2001
From: Feynman Zhou <feynmanzhou@microsoft.com>
Date: Tue, 4 Jun 2024 08:18:27 +0800
Subject: [PATCH 10/10] Update RELEASE_CHECKLIST.md

Include Patrick's comment

Co-authored-by: Patrick Zheng <patrickzheng@microsoft.com>
Signed-off-by: Feynman Zhou <feynmanzhou@microsoft.com>
---
 RELEASE_CHECKLIST.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RELEASE_CHECKLIST.md b/RELEASE_CHECKLIST.md
index 2b7ebba3c..0ec185c31 100644
--- a/RELEASE_CHECKLIST.md
+++ b/RELEASE_CHECKLIST.md
@@ -16,7 +16,7 @@ This document describes the checklist to publish a release for Notation CLI via
 - Create another PR to update the Notation CLI version with a single commit when PRs in above steps are merged. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: tag and release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: tag and release $version`. Make sure to reach a majority of approvals from the [repo-level maintainers](MAINTAINERS) before releasing it. This PR should be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub. See [PR #748](https://github.com/notaryproject/notation/pull/748) as an example. 
 - After the voting PR is merged in the [Notation](https://github.com/notaryproject/notation.git) repository, execute `git clone git@github.com:notaryproject/notation.git` to clone the repository to your local file system.
 - Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
-- Create a tag by running `git tag -m $version -s $version`.
+- Create a tag by running `git tag -am $version $version -s`.
 - Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
 - Wait for the completion of the GitHub action [release-github](https://github.com/notaryproject/notation/actions/workflows/release-github.yml).
 - Check the new draft release, revise the release description, and publish the release.