...
Example release can be seen here.
Emergency Takedown Process
On the discovery of a known bad release, build artifacts can be removed from circulation.
- Do not delete the release in github, rather update it to explain it was found to be faulty.
- Be sure to include what alternate version(s) to use instead.
- When editing the release, delete the attached build artifacts.
- Do not remove the file hashes from the release notes, rather mark them up as strikethrough so they are still available, but discouraged.
- Delete the docker images from the package management screens, for all image variants.
- Communicate on social media if necessary.
This process was tested during initial implementation of this CI/CD pipeline, and an example can be found here.
Developer Notes
In addition to the rulset defined above, there is another important repository setting that needs to be actively maintained: Actions Permissions. When a new github action is to be used, or an existing one updated, it must be referenced by the specific git sha for that release. This prevents any tags that may be moved on the action distribution from causing a change in what actions are run.
...