vote: v1.1.1

[JeyJeyGao]

Release

This would mean tagging 8d3b7a2 as v1.1.1 to release.

Note

This release doesn't include the #379 as this is a patch release.

The commit 8d3b7a2 was generated by the following steps:

1. Checked out a new branch: git checkout -b release-1.1 v1.1.0
2. Cherry-picked all commits from the main branch, excluding feat: add support for signing blob #379, starting from 1752918 and ending with 254dfcd, totaling 23 commits. Conflicts were also resolved.
3. Pushed to origin as the release-1.1 branch.

Vote

We need at least 4 approvals from 6 maintainers to release notation-go v1.1.1.

• Junjie Gao (@JeyJeyGao)
• Milind Gokarn (@gokarnm)
• Patrick Zheng (@Two-Hearts)
• Pritesh Bandi (@priteshbandi)
• Rakesh Gariganti (@rgnote)
• Shiwei Zhang (@shizhMSFT)

Changes

The code changes compared to v1.1.0 include:

• fix: update error message by @JeyJeyGao in fix: update error message #380
• bump: bump up oras-go and image-spec by @Two-Hearts in bump: bump up oras-go and image-spec #381
• chore: start using plugin-framework package by @priteshbandi in chore: start using plugin-framework package #372
• build(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @dependabot in build(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 #383
• build(deps): bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in build(deps): bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 #385
• build(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0 by @dependabot in build(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0 #384
• chore: updated/added deprecation message by @priteshbandi in chore: updated/added deprecation message #382
• build(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 by @dependabot in build(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 #387
• chore: add GitHub action for stale issues and PRs by @yizha1 in chore: add GitHub action for stale issues and PRs #365
• build(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @dependabot in build(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 #389
• build(deps): bump golang.org/x/mod from 0.15.0 to 0.16.0 by @dependabot in build(deps): bump golang.org/x/mod from 0.15.0 to 0.16.0 #388
• fix: Add contract version to plugin sign request and plugin verify request by @priteshbandi in fix: Add contract version to plugin sign request and plugin verify request #390
• bump: bump golang and dependency versions by @Two-Hearts in bump: bump golang and dependency versions #392
• build(deps): bump actions/stale from 8 to 9 by @dependabot in build(deps): bump actions/stale from 8 to 9 #391
• Moved org maintainers to emeritus by @toddysm in Moved org maintainers to emeritus #393
• build(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 by @dependabot in build(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 #397
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7 by @dependabot in build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7 #395
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.7 to 3.4.8 by @dependabot in build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.7 to 3.4.8 #399
• build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 by @dependabot in build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 #396
• build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 #403
• test: improve test coverage to 80% by @JeyJeyGao in test: improve test coverage to 80% #405
• fix: error message for dangling reference index by @JeyJeyGao in fix: error message for dangling reference index #402
• bump: bump up notation-core-go v1.0.3 by @JeyJeyGao in bump: bump up notation-core-go v1.0.3 #407

Full Changelog: v1.1.0...8d3b7a2

[Two-Hearts]

LGTM

[JeyJeyGao]

LGTM

[shizhMSFT]

I have concerns about the process of generating the release-1.1 branch since the hashes of all commits after v1.1.0 are changed without proper reviews. Meanwhile, there is no proof that the resulted head of the branch release-1.1 passes all the checks we set for the main branch.

Therefore, I'd like to propose a more compliant way to generate the release-1.1 branch.

1. Delete the existing release-1.1 branch
2. Update build.yml, codeql.yml, and license-checker.yml in the main branch to include release-* (see samples)
3. Set a branch protection rule for release-* with the same settings as main.
4. Checkout release-1.1 based on main. Send a PR to release-1.1 to revert feat: add support for signing blob #379.
5. Close this issue and create a new issue to vote on the latest commit of the release-1.1 branch

[JeyJeyGao]

I have concerns about the process of generating the release-1.1 branch since the hashes of all commits after v1.1.0 are changed without proper reviews. Meanwhile, there is no proof that the resulted head of the branch release-1.1 passes all the checks we set for the main branch.

Therefore, I'd like to propose a more compliant way to generate the release-1.1 branch.

1. Delete the existing release-1.1 branch
2. Update build.yml, codeql.yml, and license-checker.yml in the main branch to include release-* (see samples)
3. Set a branch protection rule for release-* with the same settings as main.
4. Checkout release-1.1 based on main. Send a PR to release-1.1 to revert feat: add support for signing blob #379.
5. Close this issue and create a new issue to vote on the latest commit of the release-1.1 branch

@priteshbandi How about this: instead of cherry-picking each commit, we just revert #379 in release-1.1 branch?

[priteshbandi]

LGTM

[JeyJeyGao]

I will create a new release vote based on the proposed steps.