Preparations for branching

.github/workflows/check.yml

@@ -4,9 +4,11 @@ on:
   push:
     branches:
     - main
+    - 'flatpak-builder-1.[0-9]*[02468].x'
   pull_request:
     branches:
     - main
+    - 'flatpak-builder-1.[0-9]*[02468].x'
 
 env:
   DEBIAN_FRONTEND: noninteractive

MAINT.md

@@ -0,0 +1,50 @@
+## Maintainance notes
+
+- Please see the [versioning policy](https://github.com/flatpak/flatpak-builder/tree/main?tab=readme-ov-file#supported-versions).
+- Stable branches will only get bugfixes and non-breaking enhancements.
+- Everything is merged to `main` and from time to time suitable changes
+  are backported to the stable `flatpak-builder-1.EVEN_MINOR.x`
+  branches. GitHub milestone can be used for tracking which PRs should
+  be backported.
+- Stable tags are created from `flatpak-builder-1.EVEN_MINOR.x` branch.
+- Unstable tags are created from the `main` branch.
+- The first release of a new stable release line eg. `1.6.0`
+  is tagged from `main`. After that the `flatpak-builder-1.6.x` branch
+  is to be created and the `1.6.1` is made from that branch. During this
+  time `main` should not receive breaking changes until the new
+  stable branch is created.
+
+## Releasing
+
+- Update the `NEWS`
+- Update version number in `meson.build` and `configure.ac`.
+- Open a  PR titled "Release $VERSION" with the above to see if CI passes.
+- Merge the PR to the target branch.
+- Check out the target branch, pull the above change locally and make
+  sure the submodules are correct and checked out.
+- Build with `meson` and `make`, with all options enabled.
+- Create a tarball with `make dist`. The tarball is created from a
+  clean checkout. It is produced as `flatpak-builder-$VERSION.tar.xz`.
+- Verify the project is buildable using the tarball. The tarball MUST
+  contain the submodule files.
+
+## Tagging
+
+- The tags are created in the `MAJOR.MINOR.PATCH` format eg. `1.4.6`
+  (WITHOUT the `v*` prefix).
+- Ideally the tags should be signed and annotated tags. Optionally
+  git-evtag can be used.
+- The tag message should have the changelog and the checksum of the
+  tarball that will be attached to GitHub releases.
+- Once the tag is pushed, a GitHub release from that tag is to be
+  created.
+
+  The release tag is the new tag, the title is `VERSION` and the release
+  body is the message from the tag. Additional notifications and details
+  can be documented to the release body.
+
+  Then the `flatpak-builder-$VERSION.tar.xz` tarball is to be attahced.
+  This is the primary way downstreams consume Flatpak builder.
+
+
+NOTE: GitHub releases are set as _immutable_, so please be careful.

README.md

@@ -8,7 +8,7 @@ It reads a JSON or YAML based manifest to automatically download, build, and ins
 
 For information on the manifest format see `man flatpak-manifest`. A JSON Schema for this format is [available here](https://github.com/flatpak/flatpak-builder/blob/main/data/flatpak-manifest.schema.json).
 
-To use the JSON schema, in [an editor with support](https://code.visualstudio.com/docs/languages/json) for schemas, you can include this line in your manifest: 
+To use the JSON schema, in [an editor with support](https://code.visualstudio.com/docs/languages/json) for schemas, you can include this line in your manifest:
 
 ```json
   "$schema": "https://raw.githubusercontent.com/flatpak/flatpak-builder/main/data/flatpak-manifest.schema.json"
@@ -26,6 +26,31 @@ Flatpak-builder uses the [Meson build system](https://mesonbuild.com/). To build
 
 Configure arguments are documented in `meson_options.txt`.
 
+# Versioning Policy
+
+Flatpak Builder, like Flatpak, follows the GLib-style versioning policy,
+where the version is formatted as `MAJOR.MINOR.PATCH`. The `MAJOR`
+version is currently set to `1`.
+
+- Odd `MINOR` versions indicate an unstable release.
+- Even `MINOR` versions indicate a stable release.
+
+Stable releases are limited to bug fixes and minor, non-breaking
+improvements. Each stable release line is maintained on a dedicated
+`flatpak-builder-1.MINOR.x` branch.
+
+At any given time, only one unstable release line and only one stable
+release line are supported.
+
+## Supported versions
+
+The currently supported release lines are:
+
+| Release line | Supported          | Status              |
+| -------------| ------------------ | --------------------|
+| 1.5.x        | Yes                | Development branch  |
+| 1.4.x        | Yes                | Stable branch       |
+
 ## Runtime dependencies
 
 The `flatpak-builder` tool requires `flatpak` being available on the host to
@@ -48,3 +73,7 @@ Rarely used:
  * rpm2cpio & cpio
  * svn
  * bzr
+
+# Maintainance docs
+
+Please see the [maintainance docs](https://github.com/flatpak/flatpak-builder/blob/main/MAINT.md).

SECURITY.md

@@ -0,0 +1,20 @@
+# Security policy for Flatpak builder
+
+## Supported versions
+
+Please see the [readme](https://github.com/flatpak/flatpak-builder/tree/main?tab=readme-ov-file#supported-versions).
+
+## Reporting vulnerabilities
+
+Please DO NOT report security issues via public mediums such as
+GitHub issues, forums, public mailing lists or Matrix.
+
+Please report all security issues via an email to the private mailing list 
+[flatpak-security@lists.freedesktop.org](mailto:flatpak-security@lists.freedesktop.org).
+
+## Security announcements
+
+The [flatpak@lists.freedesktop.org](mailto:flatpak@lists.freedesktop.org)
+email list is used for messages about Flatpak security announcements.
+You can join the list [here](https://lists.freedesktop.org/mailman/listinfo/flatpak).
+Security issues may also be announced via GitHub security advisories.