docs: add Auditable release #2912
Open
+73
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
kind/docs
hisarbalik
added
do-not-merge/hold
github-actions
bot
added
the
kind/docs
NHingerl
reviewed
Jan 26, 2026
|
|
||
| ## Context | ||
|
|
||
| In the context of the SAP BTP, Kyma runtime product, ensuring a reliable and auditable release process is crucial for maintaining software quality and compliance. An automated release pipeline not only streamlines the deployment process but also provides a clear audit trail of changes, approvals, and deployments. |
Contributor
There was a problem hiding this comment.
Shorter and more direct:
Suggested change
| In the context of the SAP BTP, Kyma runtime product, ensuring a reliable and auditable release process is crucial for maintaining software quality and compliance. An automated release pipeline not only streamlines the deployment process but also provides a clear audit trail of changes, approvals, and deployments. | |
| To ensure the quality and compliance of the SAP BTP, Kyma runtime product, we must have a reliable and auditable release process. Our current process lacks a clear audit trail. |
|
|
||
| In the context of the SAP BTP, Kyma runtime product, ensuring a reliable and auditable release process is crucial for maintaining software quality and compliance. An automated release pipeline not only streamlines the deployment process but also provides a clear audit trail of changes, approvals, and deployments. | ||
|
|
||
| This document outlines the principles and practices for implementing auditable release automation within the Kyma runtime product environment. |
Contributor
There was a problem hiding this comment.
Suggested change
| This document outlines the principles and practices for implementing auditable release automation within the Kyma runtime product environment. | |
| This document proposes a new, automated release process that produces the required audit artifacts for changes, approvals, and deployments. |
|
|
||
| This document outlines the principles and practices for implementing auditable release automation within the Kyma runtime product environment. | ||
|
|
||
| ## Principles of Auditable Release Automation |
Contributor
There was a problem hiding this comment.
Suggested change
| ## Principles of Auditable Release Automation | |
| ## Audit Requirements |
|
|
||
| ## Principles of Auditable Release Automation | ||
|
|
||
| For auditing purposes, each release must provide successful test result artifacts. This includes: |
Contributor
There was a problem hiding this comment.
Suggested change
| For auditing purposes, each release must provide successful test result artifacts. This includes: | |
| To pass an audit, the release process must produce the following artifacts: |
|
|
||
| ### Test Execution Reports | ||
|
|
||
| Test execution reports should be downloaded for both unit tests and end-to-end (E2E) tests from corresponding GitHub Workflow executions and retained for audit purposes. |
Contributor
There was a problem hiding this comment.
Can we switch to active voice?
Suggested change
| Test execution reports should be downloaded for both unit tests and end-to-end (E2E) tests from corresponding GitHub Workflow executions and retained for audit purposes. | |
| The release workflow must download and retain the execution reports for all unit and end-to-end (E2E) tests from their corresponding GitHub workflow runs. |
|
|
||
| ### Docker Images | ||
|
|
||
| The Docker image used for testing and release should be reproducible and traceable. The current release pipeline builds two Docker images: first for testing and second for release. |
Contributor
There was a problem hiding this comment.
Suggested change
| The Docker image used for testing and release should be reproducible and traceable. The current release pipeline builds two Docker images: first for testing and second for release. | |
| The Docker image used for testing must be the exact same image that is used for the release. Our release process must produce reproducible and traceable images. |
|
|
||
| The Docker image used for testing and release should be reproducible and traceable. The current release pipeline builds two Docker images: first for testing and second for release. | ||
|
|
||
| **Current Flow:** |
Contributor
There was a problem hiding this comment.
Suggested change
| **Current Flow:** | |
| **Current Flow:** | |
| Our current release pipeline builds two separate images: |
| The Docker image used for testing and release should be reproducible and traceable. The current release pipeline builds two Docker images: first for testing and second for release. | ||
|
|
||
| **Current Flow:** | ||
| - First Docker image is built during release preparation PR and pushed to the Kyma dev registry with a unique PR tag and digest SHA. This image is used for running unit and E2E tests. |
Contributor
There was a problem hiding this comment.
Suggested change
| - First Docker image is built during release preparation PR and pushed to the Kyma dev registry with a unique PR tag and digest SHA. This image is used for running unit and E2E tests. | |
| - The release preparation workflow builds a Docker image from a PR and pushes it to the Kyma dev registry with a unique PR tag and digest SHA. This image is used to run unit and E2E tests. |
|
|
||
| **Current Flow:** | ||
| - First Docker image is built during release preparation PR and pushed to the Kyma dev registry with a unique PR tag and digest SHA. This image is used for running unit and E2E tests. | ||
| - After successful tests, the second image is built for release using the same Dockerfile and source code, but tagged with release version and pushed to the production registry. |
Contributor
There was a problem hiding this comment.
Suggested change
| - After successful tests, the second image is built for release using the same Dockerfile and source code, but tagged with release version and pushed to the production registry. | |
| - After successful tests, the release workflow builds a new image from the same Dockerfile and source code, tags it with the release version and pushes it to the production registry. |
| Both images currently receive different digests due to different build environments and timestamps, despite having identical content and application binary. This behavior is not acceptable for auditable release automation. | ||
|
|
||
| **Resolution:** | ||
| Implement deterministic Docker builds to ensure PR and release images produce identical digests when built from the same source code. |
Contributor
There was a problem hiding this comment.
Suggested change
| Implement deterministic Docker builds to ensure PR and release images produce identical digests when built from the same source code. | |
| We must implement deterministic Docker builds. An image built from a PR must have the identical digest as the final release image built from the same source code. This makes the build process auditable. |
NHingerl
reviewed
Jan 28, 2026
| ### Test Execution Reports | ||
|
|
||
| Test execution reports should be downloaded for both unit tests and end-to-end (E2E) tests from corresponding GitHub Workflow executions and retained for audit purposes. | ||
| Test execution reports should be downloaded for unit tests, end-to-end (E2E) tests, and Gardener Integration tests from corresponding GitHub Workflow executions and retained for audit purposes. |
Contributor
There was a problem hiding this comment.
Suggested change
| Test execution reports should be downloaded for unit tests, end-to-end (E2E) tests, and Gardener Integration tests from corresponding GitHub Workflow executions and retained for audit purposes. | |
| Test execution reports should be downloaded for unit tests, end-to-end (E2E) tests, and Gardener integration tests from corresponding GitHub Workflow executions and retained for audit purposes. |
NHingerl
reviewed
Jan 28, 2026
|
|
||
| ### Download Test Reports | ||
|
|
||
| The test reports from unit tests, E2E tests, and Gardener tests should be downloaded from the respective GitHub Actions workflows and stored as artifacts for audit purposes. For this pupose, a new re-usable workflow created to download and store test reports based on workflow run ID and job name. |
Contributor
There was a problem hiding this comment.
should or must? Or simply, "We create a reusable workflow that downloads the test results from... based on... and stores them..."
(I'm not sure which of the actions is "based on run ID and job name", the downloading or the storing?)
| ### Download Test Reports | ||
|
|
||
| The test reports from unit tests, E2E tests, and Gardener tests should be downloaded from the respective GitHub Actions workflows and stored as artifacts for audit purposes. For this pupose, a new re-usable workflow created to download and store test reports based on workflow run ID and job name. | ||
| The new workflow can be called from the release PR workflow after test jobs are completed successfully and upload to the pre-configured GCP bucket for audit retention as desccribed [here](https://github.tools.sap/kyma/backlog/issues/8419). |
Contributor
There was a problem hiding this comment.
Please clarify who/what is uploaded by whom. Not sure what "upload" in the middle of this sentence means. Thus, the following is probably wrong:
Suggested change
| The new workflow can be called from the release PR workflow after test jobs are completed successfully and upload to the pre-configured GCP bucket for audit retention as desccribed [here](https://github.tools.sap/kyma/backlog/issues/8419). | |
| After test jobs are completed successfully, the new workflow is called from the release PR workflow and uploaded to the pre-configured GCP bucket for audit retention (see [Archive Test Logs for 12-Month Auditing via Release Assets #8419](https://github.tools.sap/kyma/backlog/issues/8419). |
| The new workflow can be called from the release PR workflow after test jobs are completed successfully and upload to the pre-configured GCP bucket for audit retention as desccribed [here](https://github.tools.sap/kyma/backlog/issues/8419). | ||
|
|
||
| ### Deterministic Docker Builds | ||
| To achieve deterministic Docker builds, the following strategies can be employed: |
Contributor
There was a problem hiding this comment.
Suggested change
| To achieve deterministic Docker builds, the following strategies can be employed: | |
| To achieve deterministic Docker builds, we consider the following strategies: |
| ### Deterministic Docker Builds | ||
| To achieve deterministic Docker builds, the following strategies can be employed: | ||
|
|
||
| - **Reproducible Build Tools**: Utilize tools and techniques that support reproducible builds, such as Docker's BuildKit option, which have to be implemented by the `Image-Builder`. |
Contributor
There was a problem hiding this comment.
Suggested change
| - **Reproducible Build Tools**: Utilize tools and techniques that support reproducible builds, such as Docker's BuildKit option, which have to be implemented by the `Image-Builder`. | |
| - **Reproducible Build Tools**: Utilize tools and techniques that support reproducible builds, such as Docker's BuildKit option, which must be implemented by the `Image-Builder`. |
| To achieve deterministic Docker builds, the following strategies can be employed: | ||
|
|
||
| - **Reproducible Build Tools**: Utilize tools and techniques that support reproducible builds, such as Docker's BuildKit option, which have to be implemented by the `Image-Builder`. | ||
| - **Copy Release PR Image**: As an alternative to reproducible builds, the release process can be modified to copy the Docker image built during the release PR directly to the production registry with the release tag. This approach ensures that the same image used for testing is released, maintaining identical digests. |
Contributor
There was a problem hiding this comment.
Suggested change
| - **Copy Release PR Image**: As an alternative to reproducible builds, the release process can be modified to copy the Docker image built during the release PR directly to the production registry with the release tag. This approach ensures that the same image used for testing is released, maintaining identical digests. | |
| - **Copy Release PR Image**: As an alternative to reproducible builds, we can modify the release process to copy the Docker image built during the release PR directly to the production registry with the release tag. This approach ensures that the same image used for testing is released, maintaining identical digests. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Changes proposed in this pull request (what was done and why):
Changes refer to particular issues, PRs or documents:
Traceability
Related Issuessection.