Our release process is automated by a couple of GitHub Actions (Update Plugins-dev and Release Plugins).
The process publishes two types of releases:
- dev builds: the process is fully automated, and it is triggered when changes are merged into
mainbranch - stable builds: the process is automated, but it needs to be manually triggered by tagging a plugin with a release version (see the section below)
Regardless of the type, if a plugin provides a ruleset, the ruleset is released, too, with the same version number. This may change in the future. Also, see Versioning a rulset guidelines before deciding the release version number.
Artifacts will be published at https://download.falco.org/?prefix=plugins/. For stable builds, OCI artifacts are published too. They can be consumed with falcoctl.
Since the plugins repository is a monorepo, we introduced a special convention for tagging release versions, so that we can differentiate among plugins. Git tag MUST respect the following format:
plugins/name/vversion e.x: plugins/cloudtrail/v1.2.3
Where name is the plugin name (must match a folder under ./plugins) and version is the plugin version to be released (must match the version string declared by the plugin).
When we release, we do the following process:
- When changes are introduced to a plugin (i.e. a PR gets merged) and its version has been bumped, we choose the git tag based on the above convention
- A person with repository rights creates a new release from the GitHub UI
- Once the CI has done its job:
- the tag is live on Github;
- the plugin package is published at download.falco.org;
- the OCI artifact is published at ghcr.io.