vote: v1.1.1

[JeyJeyGao]

Release

This would mean tagging 8d3b7a22a70a7d0e5e71f4f717ccbb03eb9ae59e as v1.1.1 to release.

[!Note] This release doesn't include the #379 as this is a patch release.

The commit 8d3b7a22a70a7d0e5e71f4f717ccbb03eb9ae59e was generated by the following steps:

1. Checked out a new branch: git checkout -b release-1.1 v1.1.0
2. Cherry-picked all commits from the main branch, excluding #379, starting from 1752918878aca0f5f811263be091cdd17a26562a and ending with 254dfcde664212784c8116200efb97e17b30683d, totaling 23 commits. Conflicts were also resolved.
3. Pushed to origin as the release-1.1 branch.

Vote

We need at least 4 approvals from 6 maintainers to release notation-go v1.1.1.

• [x] Junjie Gao (@JeyJeyGao)
• [ ] Milind Gokarn (@gokarnm)
• [x] Patrick Zheng (@Two-Hearts)
• [ ] Pritesh Bandi (@priteshbandi)
• [ ] Rakesh Gariganti (@rgnote)
• [ ] Shiwei Zhang (@shizhMSFT)

Changes

The code changes compared to v1.1.0 include:

• fix: update error message by @JeyJeyGao in https://github.com/notaryproject/notation-go/pull/380
• bump: bump up oras-go and image-spec by @Two-Hearts in https://github.com/notaryproject/notation-go/pull/381
• chore: start using plugin-framework package by @priteshbandi in https://github.com/notaryproject/notation-go/pull/372
• build(deps): bump golang.org/x/crypto from 0.18.0 to 0.19.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/383
• build(deps): bump github.com/opencontainers/image-spec from 1.1.0-rc6 to 1.1.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/385
• build(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/384
• chore: updated/added deprecation message by @priteshbandi in https://github.com/notaryproject/notation-go/pull/382
• build(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/387
• chore: add GitHub action for stale issues and PRs by @yizha1 in https://github.com/notaryproject/notation-go/pull/365
• build(deps): bump golang.org/x/crypto from 0.20.0 to 0.21.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/389
• build(deps): bump golang.org/x/mod from 0.15.0 to 0.16.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/388
• fix: Add contract version to plugin sign request and plugin verify request by @priteshbandi in https://github.com/notaryproject/notation-go/pull/390
• bump: bump golang and dependency versions by @Two-Hearts in https://github.com/notaryproject/notation-go/pull/392
• build(deps): bump actions/stale from 8 to 9 by @dependabot in https://github.com/notaryproject/notation-go/pull/391
• Moved org maintainers to emeritus by @toddysm in https://github.com/notaryproject/notation-go/pull/393
• build(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/397
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7 by @dependabot in https://github.com/notaryproject/notation-go/pull/395
• build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.7 to 3.4.8 by @dependabot in https://github.com/notaryproject/notation-go/pull/399
• build(deps): bump golang.org/x/crypto from 0.21.0 to 0.22.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/396
• build(deps): bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in https://github.com/notaryproject/notation-go/pull/403
• test: improve test coverage to 80% by @JeyJeyGao in https://github.com/notaryproject/notation-go/pull/405
• fix: error message for dangling reference index by @JeyJeyGao in https://github.com/notaryproject/notation-go/pull/402
• bump: bump up notation-core-go v1.0.3 by @JeyJeyGao in https://github.com/notaryproject/notation-go/pull/407

Full Changelog: https://github.com/notaryproject/notation-go/compare/v1.1.0...8d3b7a22a70a7d0e5e71f4f717ccbb03eb9ae59e

[Two-Hearts]

LGTM

[JeyJeyGao]

LGTM

[shizhMSFT]

I have concerns about the process of generating the release-1.1 branch since the hashes of all commits after v1.1.0 are changed without proper reviews. Meanwhile, there is no proof that the resulted head of the branch release-1.1 passes all the checks we set for the main branch.

Therefore, I'd like to propose a more compliant way to generate the release-1.1 branch.

1. Delete the existing release-1.1 branch
2. Update build.yml, codeql.yml, and license-checker.yml in the main branch to include release-* (see samples)
3. Set a branch protection rule for release-* with the same settings as main.
4. Checkout release-1.1 based on main. Send a PR to release-1.1 to revert #379.
5. Close this issue and create a new issue to vote on the latest commit of the release-1.1 branch

[JeyJeyGao]

I have concerns about the process of generating the release-1.1 branch since the hashes of all commits after v1.1.0 are changed without proper reviews. Meanwhile, there is no proof that the resulted head of the branch release-1.1 passes all the checks we set for the main branch.

Therefore, I'd like to propose a more compliant way to generate the release-1.1 branch.

1. Delete the existing release-1.1 branch
2. Update build.yml, codeql.yml, and license-checker.yml in the main branch to include release-* (see samples)
3. Set a branch protection rule for release-* with the same settings as main.
4. Checkout release-1.1 based on main. Send a PR to release-1.1 to revert feat: add support for signing blob #379.
5. Close this issue and create a new issue to vote on the latest commit of the release-1.1 branch

@priteshbandi How about this: instead of cherry-picking each commit, we just revert #379 in release-1.1 branch?

[priteshbandi]

LGTM

[JeyJeyGao]

I will create a new release vote based on the proposed steps.