chore(scripts): implement mainline and stable release channels

[mafredri]

This PR modifies the release scripts to add support for --stable and --mainline releases.

Fixes #12458

It also formalizes the release process.

• Creating a new minor (or major) release starts a new release branch: release/2.10 (I'd prefer using the v-prefix here but I followed the existing convention)
• Creating a patch release (v2.10.1) must be applied to the release/2.10 branch to enforce consistency
• If possible, the release branch (e.g. release/2.10) will be fast-forwarded to the commit we want to release
• If fast-forward is impossible, only new commits/cherry picks can be used in patch releases
• Pushing a new version tag (v2.11.0) will not trigger a release (build/publish)
• The scripts/release.sh should be used, in which case it will ask to start a release (build/publish) for you
• When cutting a new minor release, the autogenerated changelog will exclude commits cherry-picked into a patch release (e.g. v2.10.2)
• The release script will attempt to humanize the changelog for maintainer convenience (defined in scripts/release/check_commit_metadata.sh)

Running pre-release hooks will be part of an upcoming PR, there we will add sanity checks for patch-releases with migrations.

Here are two examples of running the release script:

Patch release on current `main` (not possible)

❯ ./scripts/release.sh --ignore-script-out-of-date --ref main --mainline --dry-run
Working directory is not clean, it is highly recommended to stash changes.
Stash changes? (y/n) n

Checking remote origin for repo...
Fetching main and tags from origin...
Checking GitHub for latest release(s)...
Latest mainline release: v2.10.2
Latest stable release: v2.9.4

Checking commit metadata for changes between v2.10.2 and 81fcdf717...
Skipping commit 8d1220e0c814e709363cc22951f1b0238a4c1594 cherry-picked into v2.10.2 as 2a98123701655dadc659b84ac463b3b77b0172c0 (chore: add generate script for azure instance identity (#13028))
Skipping commit d426569d4a1bb40042af52244768848c56af5aac cherry-picked into v2.10.2 as bda13a2818b71cd104db2afd0e21a56acdd46f9d (fix: make terminal raw in ssh command on windows (#12990))
Skipping commit a231b5aef503ada90e37bd755a9574b858d8d60e cherry-picked into v2.10.2 as 353888a5d8fd971c2ed7e68260199eadadc60aa9 (feat: add src_id and dst_id indexes to tailnet_tunnels (#12911))
Skipping commit 06eae954c978db7767d984348f3d471f64858b19 cherry-picked into v2.10.2 as 3fc6111994b5e129afee416f002ae4f9710915ac (fix: stop sending DeleteTailnetPeer when coordinator is unhealthy (#12925))
Skipping commit a2b28f80d7a14e1a42af2f6527aedfce757727b1 cherry-picked into v2.10.2 as 3eb9abcbd3305cc2823a0493d889e031a850b563 (fix(coderd): prevent agent reverse proxy from using `HTTP[S]_PROXY` envs (#12875))

Executing DRYRUN of release tagging...
No breaking changes detected, using "patch" increment.
ERROR: Provided ref (81fcdf717) is not in the required release branch (release/2.10) and cannot be fast-forwarded, unable to increment patch version. Please increment minor or major.

Minor release of current `main`

❯ ./scripts/release.sh --ignore-script-out-of-date --ref main --mainline --minor --dry-run
Working directory is not clean, it is highly recommended to stash changes.
Stash changes? (y/n) n

Checking remote origin for repo...
Fetching main and tags from origin...
Checking GitHub for latest release(s)...
Latest mainline release: v2.10.2
Latest stable release: v2.9.4

Checking commit metadata for changes between v2.10.2 and 81fcdf717...
Skipping commit 8d1220e0c814e709363cc22951f1b0238a4c1594 cherry-picked into v2.10.2 as 2a98123701655dadc659b84ac463b3b77b0172c0 (chore: add generate script for azure instance identity (#13028))
Skipping commit d426569d4a1bb40042af52244768848c56af5aac cherry-picked into v2.10.2 as bda13a2818b71cd104db2afd0e21a56acdd46f9d (fix: make terminal raw in ssh command on windows (#12990))
Skipping commit a231b5aef503ada90e37bd755a9574b858d8d60e cherry-picked into v2.10.2 as 353888a5d8fd971c2ed7e68260199eadadc60aa9 (feat: add src_id and dst_id indexes to tailnet_tunnels (#12911))
Skipping commit 06eae954c978db7767d984348f3d471f64858b19 cherry-picked into v2.10.2 as 3fc6111994b5e129afee416f002ae4f9710915ac (fix: stop sending DeleteTailnetPeer when coordinator is unhealthy (#12925))
Skipping commit a2b28f80d7a14e1a42af2f6527aedfce757727b1 cherry-picked into v2.10.2 as 3eb9abcbd3305cc2823a0493d889e031a850b563 (fix(coderd): prevent agent reverse proxy from using `HTTP[S]_PROXY` envs (#12875))

Executing DRYRUN of release tagging...
No breaking changes detected, using "minor" increment.
Old version: v2.10.2
New version: v2.11.0
Release branch: release/2.11
Creating new release branch
DRYRUN: git checkout -b release/2.11 81fcdf717
DRYRUN: git tag -a v2.11.0 -m Release v2.11.0 81fcdf717

Continue? (y/n) y

Writing release notes to build/RELEASE-v2.11.0-DRYRUN.md
Release notes written to build/RELEASE-v2.11.0-DRYRUN.md, you can now edit this file manually.

No editor found, please set the $EDITOR environment variable for edit prompt.

Preview release notes? (y/n) y

## Changelog

> [!NOTE]
> This is a mainline Coder release. We advise enterprise customers without a staging environment to install our [latest stable release](https://github.com/coder/coder/releases/latest) while we refine this version. Learn more about our [Release Schedule](https://coder.com/docs/v2/latest/install/releases).

### Features

- CLI: Support bundle: dump healthcheck summary (#12963, 407e61ecd) (@johnstcn)
- CLI: Support bundle: show links to docs/admin/healthcheck (#12974, 8e1e0f04a) (@johnstcn)
- CLI: Add `--env` flag for `coder ssh` (#12991, 8a1216254) (@aaronlehmann)
- Database: Keep only 1 day of `workspace_agent_stats` after rollup (#12674, e17e8aa3c) (@mafredri)
- Server: Improve detection of STUN issues (#12951, 9a4703a31) (@johnstcn)
- Enterprise: Add ready for handshake support to pgcoord (#12935, 777dfbe96) (@coadler)
- Add owner groups to workspace data (#12841, f96ce80ab) (@f0ssel)
- Remove health link from deployment sidebar (#12914, 08451ce80) (@mtojek)
- Add s suffix to use HTTPS for ports (#12862, 1d4bf30c0) (@f0ssel)
- Link with protocol on shared ports (#12908, acaa25409) (@f0ssel)
- Add agent acks to in-memory coordinator (#12786, e801e878b) (@coadler)
- Add listening ports protocol selector (#12915, 3ab5a51ec) (@f0ssel)
- Add warning about use of old/removed/invalid experiments (#12962, b85d5d849) (@dannykopping)

### Bug fixes

- CLI: Allow generating partial support bundles with no workspace or agent (#12933, fad97a14f) (@johnstcn)
- Server: Properly calculate query latency for tailnet queries (#12944, 231fc26c9) (@coadler)
- Database: Reduce db load via dbpurge advisory locking (#13021, 3adcccb61) (@mafredri)
- Server: Avoid logging error for no rows (#12988, 92190443f) (@mafredri)
- Examples: Copy /etc/skel on init in docker template (#12913, 0178bfe13) (@mafredri)
- Installer: Use `--version` when provided (#12873, 61e5721ca) (@michaelbrewer)
- Installer: Change post-install advisory when installing specific version (#12878, c243210ae) (@mafredri)
- Installer: Remove extracted files after installation (#12879, b06452ee8) (@mafredri)
- Support: Correctly rename existing agent connection info, add real netcheck (#12946, b163bc7f0) (@johnstcn)
- Fix race in assertWorkspaceLastUsedAtUpdated (#12899, 3b7380fa0) (@spikecurtis)
- Update typo in audit log field (#12907, d82f2fd41) (@coryb)
- Stop logging session shutdown as warning (#12922, 546901101) (@spikecurtis)
- Ignore gomock temporary files (#12924, b6359b0a8) (@mtojek)
- Show template autostop setting when it overrides the workspace setting (#12910, 2ad7fcc0b) (@aslilac)
- Use provided username when fetching workspaces (#12955, d3790bb5b) (@kylecarbs)
- Disable azureidentity test on darwin (#12979, 942e90270) (@coadler)
- Add grace period before showing replicas license error (#12989, 227e63205) (@kylecarbs)

### Documentation

- Describe multi-cloud architecture (#12857, 90efa1b84) (@mtojek)
- Describe devcontainers as deployment model (#12877, 7c0fac990) (@mtojek)
- Describe air-gapped architecture (#12897, 28754a79e) (@mtojek)
- Explain that mainline stays around for one month now (#12993, f5a32b3f2) (@bpmct)

### Code refactoring

- Dashboard: Verify deployment config flags in e2e tests (#12986, ee7dda811) (@mtojek)

### Tests

- Dashboard: Fix flaky outdated agent test (#12927, e266ecf91) (@mtojek)
- Dashboard: Add e2e tests for experiments (#12940, dcf1d3a9a) (@mtojek)
- Dashboard: Add e2e tests for appearance (#12950, cf2d2a98b) (@mtojek)
- Dashboard: Add e2e tests for security (#12961, 49689162b) (@mtojek)
- Dashboard: Add e2e tests for user auth (#12971, b598aef54) (@mtojek)
- Dashboard: Add e2e tests for network (#12987, cb8c576c9) (@mtojek)
- Dashboard: Add e2e tests for observability (75223dfd8) (@mtojek)
- Dashboard: Add e2e tests for workspace proxies (#13009, 3d7740bd3) (@mtojek)
- Verify that enterprise tests are being run (#12871, c4b26f335) (@aslilac)
- Verify actually uploaded license with assert (#12934, 8da8b89af) (@Emyrk)
- Fix url checks in e2e tests (#12881, c5367c201) (@aslilac)
- Add an e2e audit logs test (#12868, 00fcf3699) (@aslilac)

### Continuous integration

- Disable enterprise e2e tests temporarily (#12874, bc9ea61eb) (@aslilac)
- Execute enterprise and non-enterprise e2e tests concurrently (#12872, 9cf235811) (@aslilac)
- Bump crate-ci/typos from 1.19.0 to 1.20.9 in the github-actions group (#13027, 3af317317) (@app/dependabot)

### Chores

- Documentation: Add support bundle guide (#12931, b71af3211) (@johnstcn)
- Documentation: Make external auth docs easier to follow (#12970, b40f54f60) (@doodzik)
- Dashboard: Add e2e to test add and remove user (#12851, 41b8ff3e8) (@BrunoQuaresma)
- Dashboard: Add e2e tests for groups (#12866, 3fbcdb0dd) (@BrunoQuaresma)
- Bump golang.org/x/term from 0.18.0 to 0.19.0 (#12886, 24135a2d0) (@app/dependabot)
- Bump github.com/elastic/go-sysinfo from 1.13.1 to 1.14.0 (#12894, 8ba8ec2f1) (@app/dependabot)
- Bump golang.org/x/sync from 0.6.0 to 0.7.0 (#12895, f99fd807b) (@app/dependabot)
- Bump golang.org/x/net from 0.22.0 to 0.24.0 (#12888, 9a7d8034c) (@app/dependabot)
- Bump golang.org/x/tools from 0.19.0 to 0.20.0 (#12890, 589434e8d) (@app/dependabot)
- Bump google.golang.org/grpc from 1.62.1 to 1.63.0 (#12892, 11123018a) (@app/dependabot)
- Bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 (#12893, 7179c86df) (@app/dependabot)
- Deprecate agent report-stats endpoint (#12880, 189b8626d) (@Emyrk)
- Remove InsertWorkspaceAgentStat query  (#12869, 0a8c8ce5c) (@Emyrk)
- Add date information to windows startup logs (#12905, 4dc293d93) (@Emyrk)
- Merge apikey/token session config values (#12817, 838e8df5b) (@Emyrk)
- Disable pgcoord (HA) when --in-memory (#12919, a607d5610) (@Emyrk)
- Add unit test for pass through external auth query params (#12928, 566f8f231) (@Emyrk)
- Nix shell to support playwright e2e tests (#12917, 7fd9a75ad) (@Emyrk)
- Deconflict e2e enterprise and AGPL artifacts in ci (#12941, b9936a467) (@Emyrk)
- Add -agpl to agpl e2e artifacts (#12943, 22785a307) (@Emyrk)
- Skip global.setup if first user already exists (#12930, 93b46fe1f) (@Emyrk)
- Update generated array type definitions in TypeScript to be readonly (#12947, d9da054c9) (@Emyrk)
- Fix broken links in the jfrog guide (#12835, c13909a1a) (@stirby)
- Add `created_at` to workspace resource telemetry (#12969, 41ca6e4f7) (@kylecarbs)
- Apply shellcheck recommendation which was causing "make lint" to fail locally (#12972, 06e042acf) (@dannykopping)
- Fix linting issue (#12945, ba52a4fbe) (@coadler)
- Add license review to CI (#12981, 80f597812) (@sreya)
- Bump github.com/moby/moby (#12960, 3338cdca7) (@app/dependabot)
- Give additional time in tests for `tailnetAPIConnector` graceful disconnect (#12980, 6b4eb0319) (@coadler)
- Add e2e test against an external auth provider during workspace creation (#12985, 319fd5bf1) (@dannykopping)
- Fix down migration 196 (#13006, 3aa0d7381) (@coadler)
- Fix 404 for managed terraform variables (#13018, 4a6693a17) (@michaelbrewer)
- Fix link to install (#13019, d2acb6776) (@michaelbrewer)
- Bump google.golang.org/api from 0.172.0 to 0.175.0 (#13026, ea472c538) (@app/dependabot)
- Bump github.com/coder/terraform-provider-coder (#13022, 2e49fa94d) (@app/dependabot)
- Fix broken mainline link (#13015, 7bd1b3bdb) (@michaelbrewer)
- Reduce dashboard requests from seeded data (#13034, d3f3ace22) (@kylecarbs)
- Change `site_configs.value` to `text` (#13036, fab5591cf) (@aslilac)
- Bump github.com/gohugoio/hugo from 0.124.0 to 0.125.2 (#13024, 81fcdf717) (@app/dependabot)

### Other changes

- added releases.md to manifest (#12936, ab116af54) (@stirby)
- e2e tests for deployment/licenses (#12926, 2f2a395ba) (@mtojek)
- Skip dependency license review on main (#12982, 0c993566d) (@sreya)
- label some template settings as enterprise (#12952, 7cf8577f1) (@aslilac)

Compare: [`v2.10.2...v2.11.0`](https://github.com/coder/coder/compare/v2.10.2...v2.11.0)

## Container image

- `docker pull ghcr.io/coder/coder:v2.11.0`

## Install/upgrade

Refer to our docs to [install](https://coder.com/docs/v2/latest/install) or [upgrade](https://coder.com/docs/v2/latest/admin/upgrade) Coder, or use a release asset below.


Create, build and publish release? (y/n) y

DRYRUN: execrelative ./release/tag_version.sh --old-version v2.10.2 --ref 81fcdf717 --minor
DRYRUN: git push -u origin release/2.11
DRYRUN: git push --tags -u origin v2.11.0

Release tags for v2.11.0 created successfully and pushed to origin!

Writing release JSON to /var/folders/xb/7t2r1stn5lj9z5mxstz6vymc0000gn/T/coder-release.json.WbcmOVOenQ
Running release workflow...
DRYRUN: cat /var/folders/xb/7t2r1stn5lj9z5mxstz6vymc0000gn/T/coder-release.json.WbcmOVOenQ
DRYRUN: gh workflow run release.yaml --json --ref v2.11.0

Release workflow started successfully!

[dannykopping]

Looks really solid @mafredri! Also checked and there are no shellcheck violations 👌
Left a couple small stability comments & 1 question

[dannykopping]

Why do we need to do this? Keeping the category & subsection is probably useful.

[mafredri]

You can take a look at the latest changelogs over at https://github.com/coder/coder/releases. The goal here was mainly reduce the burden of creating new releases by automating some of the transformations.

I think @stirby may be better equipped to address the why here?

[mtojek]

+1

I'm sure that sooner or later this will break.

[mafredri]

If it breaks it's left as-is (original title), fwiw.

[stirby]

@mtojek @dannykopping

Ben and I manually add these prefixes already, as seen in the Bug fixes in v2.10.0. IMO, these tags help with skimming the changelog. The automation removes a huge chunk of the tedious work in making the release.

We'll still have the chance to edit the changelog and, as Mathias mentioned, we'll catch where it breaks.

[mtojek]

First round done 👍

[mtojek]

+1

I'm sure that sooner or later this will break.

[mtojek]

Let's watch it in the wild 👍

[mtojek]

Related: #12458