Backporting Process
+This document outlines the backporting process for Trivy, including when to create patch releases and how to perform the backporting.
+When to Create Patch Releases
+In general, small changes should not be backported and should be included in the next minor release. +However, patch releases should be made in the following cases:
+-
+
- Fixes for HIGH or CRITICAL vulnerabilities in Trivy itself or Trivy's dependencies +
- Fixes for bugs that cause panic during Trivy execution or otherwise interfere with normal usage +
In these cases, the fixes should be backported using the procedure described below. +At the maintainer's discretion, other bug fixes may be included in the patch release containing these hotfixes.
+Versioning
+Trivy follows Semantic Versioning, using version numbers in the format MAJOR.MINOR.PATCH. +When creating a patch release, the PATCH part of the version number is incremented. +For example, if a fix is being distributed for v0.50.0, the patch release would be v0.50.1.
+Backporting Procedure
+-
+
- A release branch (e.g.,
release/v0.50) is automatically created when a new minor version is released.
+ - Create a pull request (PR) against the main branch with the necessary fixes. If the fixes are already merged into the main branch, skip this step. +
- Once the PR with the fixes is merged, comment
@aqua-bot backport <release-branch>on the PR (e.g.,@aqua-bot backport release/v0.50). This will trigger the automated backporting process using GitHub Actions.
+ - The automated process will create a new PR with the backported changes. Ensure that all tests pass for this PR. +
- Once the tests pass, merge the automatically created PR into the release branch. +
- Merge a release PR on the release branch and release the patch version. +
Note
+Even if a conflict occurs, a PR is created by forceful commit, in which case the conflict should be resolved manually. +If you want to re-run a backport of the same PR, close the existing PR, delete the branch and re-run it.
+Example
+To better understand the backporting procedure, let's walk through an example using the releases of v0.50.
+gitGraph:
+ commit id:"Feature 1"
+ commit id:"v0.50.0 release" tag:"v0.50.0"
+
+ branch "release/v0.50"
+
+ checkout main
+ commit id:"Bugfix 1"
+
+ checkout "release/v0.50"
+ cherry-pick id:"Bugfix 1"
+
+ checkout main
+ commit id:"Feature 2"
+ commit id:"Bugfix 2"
+ commit id:"Feature 3"
+
+ checkout "release/v0.50"
+ cherry-pick id:"Bugfix 2"
+ commit id:"v0.50.1 release" tag:"v0.50.1"