Problem
PAC is moving to the tektoncd GitHub org, which enforces branch protection rules. The current release process requires pushing tags directly (git push refs/tags/v1.2.3), which is blocked under these rules.
Current Flow
- Engineer manually runs
git tag v1.2.3 && git push refs/tags/v1.2.3
.tekton/release-pipeline.yaml triggers on push to refs/tags/*- Pipeline reads version from
git tag --points-at HEAD
- GoReleaser runs with
prerelease: true (.goreleaser.yml:52) — creates a pre-release; tag must already exist
Problems:
- Direct tag push is incompatible with branch protection in the tektoncd org
prerelease: true creates a pre-release rather than a draft, requiring an already-existing tag- No way to trigger the pipeline without a pre-existing tag
Proposed Flow (tektoncd upstream pattern)
This mirrors the approach used by tektoncd/pipeline:
- Trigger release via
workflow_dispatch (or PAC push to a special branch) with a version input parameter
- Pipeline builds binaries, generates manifests, and creates a GitHub draft release (no tag created yet)
- Engineer reviews the draft, edits release notes, then publishes → GitHub automatically creates the tag on publish
- Branch pushes (
release-v1.2.x / stable) continue as today
Files to Change
| File |
Change |
.tekton/release-pipeline.yaml |
Change trigger from refs/tags/* push to workflow_dispatch; accept version as input parameter |
.goreleaser.yml:52 |
Change prerelease: true to draft: true |
docs/content/docs/dev/release-process.md |
Update documented process to reflect draft-release flow |
References
- tektoncd/pipeline release-cheat-sheet and
tekton/README for the upstream pattern
- GitHub docs: Automatically created releases — publishing a draft auto-creates the tag
Acceptance Criteria
Problem
PAC is moving to the
tektoncdGitHub org, which enforces branch protection rules. The current release process requires pushing tags directly (git push refs/tags/v1.2.3), which is blocked under these rules.Current Flow
git tag v1.2.3 && git push refs/tags/v1.2.3.tekton/release-pipeline.yamltriggers onpushtorefs/tags/*git tag --points-at HEADprerelease: true(.goreleaser.yml:52) — creates a pre-release; tag must already existProblems:
prerelease: truecreates a pre-release rather than a draft, requiring an already-existing tagProposed Flow (tektoncd upstream pattern)
This mirrors the approach used by
tektoncd/pipeline:workflow_dispatch(or PAC push to a special branch) with aversioninput parameterrelease-v1.2.x/stable) continue as todayFiles to Change
.tekton/release-pipeline.yamlrefs/tags/*push toworkflow_dispatch; acceptversionas input parameter.goreleaser.yml:52prerelease: truetodraft: truedocs/content/docs/dev/release-process.mdReferences
tekton/READMEfor the upstream patternAcceptance Criteria
workflow_dispatchwith a version parameter (no manual tag push required)