add release cadence section in the readme (#2179)

Signed-off-by: cpanato <ctadeu@gmail.com> Signed-off-by: cpanato <ctadeu@gmail.com>
sigstore · Aug 19, 2022 · 9bcd90e · 9bcd90e
1 parent 5a5ba22
commit 9bcd90e
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -44,6 +44,7 @@ If you have Go 1.17+, you can setup a development environment:
     $ $(go env GOPATH)/bin/cosign
 
 ## Dockerfile
+
 Here is how to install and use cosign inside a Dockerfile through the gcr.io/projectsigstore/cosign image:
 
 ```shell
@@ -194,6 +195,7 @@ $ cosign sign --key cosign.key gcr.io/dlorenc-vmtest2/artifact
 Enter password for private key:
 Pushing signature to: gcr.io/dlorenc-vmtest2/artifact:sha256-3f612a4520b2c245d620d0cca029f1173f6bea76819dde8543f5b799ea3c696c.sig
 ```
+
 #### sget
 
 We also include the `sget` command for safer, automatic verification of signatures and integration with our binary transparency log, Rekor.
@@ -349,6 +351,7 @@ Today, `cosign` has been tested and works against the following registries:
 * Cloudsmith Container Registry
 
 We aim for wide registry support. To `sign` images in registries which do not yet fully support [OCI media types](https://github.com/sigstore/cosign/blob/main/SPEC.md#object-types), one may need to use `COSIGN_DOCKER_MEDIA_TYPES` to fall back to legacy equivalents. For example:
+
 ```shell
 COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image
 ```
@@ -414,12 +417,12 @@ That looks like:
     }
 }
 ```
+
 **Note:** This can be generated for an image reference using `cosign generate <image>`.
 
 I'm happy to switch this format to something else if it makes sense.
 See https://github.com/notaryproject/nv2/issues/40 for one option.
 
-
 #### Registry Details
 
 `cosign` signatures are stored as separate objects in the OCI registry, with only a weak
@@ -434,14 +437,17 @@ To add a signature, clients orchestrate a "read-append-write" operation, so the
 will win in the case of contention.
 
 ##### Specifying Registry
+
 `cosign` will default to storing signatures in the same repo as the image it is signing.
 To specify a different repo for signatures, you can set the `COSIGN_REPOSITORY` environment variable.
 
 This will replace the repo in the provided image like this:
-```
+
+```shell
 $ export COSIGN_REPOSITORY=gcr.io/my-new-repo
 $ gcr.io/dlorenc-vmtest2/demo -> gcr.io/my-new-repo/demo:sha256-DIGEST.sig
 ```
+
 So the signature for `gcr.io/dlorenc-vmtest2/demo` will be stored in `gcr.io/my-new-repo/demo:sha256-DIGEST.sig`.
 
 Note: different registries might expect different formats for the "repository."
@@ -452,10 +458,12 @@ Note: different registries might expect different formats for the "repository."
   specify a full image name like
   `$LOCATION-docker.pkg.dev/$PROJECT/$REPO/$STORAGE_IMAGE`, not just a
   repository. For example,
-  ```
+
+  ```shell
   COSIGN_REPOSITORY=us-docker.pkg.dev/my-new-repo/demo
   gcr.io/dlorenc-vmtest2/demo --> us-docker.pkg.dev/my-new-repo/demo:sha256-DIGEST.sig
   ```
+
   where the `sha256-DIGEST` will match the digest for
   `gcr.io/dlorenc-vmtest2/demo`. Specifying just a repo like
   `$LOCATION-docker.pkg.dev/$PROJECT/$REPO` will not work in Artifact Registry.
@@ -471,7 +479,7 @@ The keys encrypted under a password using scrypt as a KDF and nacl/secretbox for
 
 They have a PEM header of `ENCRYPTED COSIGN PRIVATE KEY`:
 
-```
+```shell
 -----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
 ...
 -----END ENCRYPTED COSIGN PRIVATE KEY-----
@@ -777,6 +785,13 @@ $ crane manifest dlorenc/demo@sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa2
 }
 ```
 
+## Release Cadence
+
+We are intending to move to a monthly cadence for minor releases.
+Minor releases will be published around the beginning of the month.
+We may cut a patch release instead, if the changes are small enough not to warrant a minor release.
+We will also cut patch releases periodically as needed to address bugs.
+
 ## Security
 
 Should you discover any security issues, please refer to sigstore's [security