docs: Update release process#5980
Merged
Skarlso merged 2 commits intoexternal-secrets:mainfrom Feb 21, 2026
Merged
Conversation
Avoid running releases when unfinished jobs still present in CI. Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard+rochepub@external.roche.com>
WalkthroughThe release process documentation was updated to include a new prerequisite step requiring verification that no pending CI jobs are running before initiating a release to prevent promotion of stale images. Changes
Tip Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/contributing/release.md`:
- Line 34: Fix the subject–verb agreement in the sentence that currently reads
"there is no pending CI jobs" by changing it to "there are no pending CI jobs";
locate the exact phrase "there is no pending CI jobs" in the release
instructions and update it to use the plural verb "are" so the line reads "there
are no pending CI jobs running."
| ⚠️ Note: when releasing multiple versions, make sure to first release the "old" version, then the newer version. | ||
| Otherwise the `latest` documentation will point to the older version. Also avoid to release both versions at the same time to avoid race conditions in the CI pipeline (updating docs, GitHub Release, helm chart release). | ||
|
|
||
| 1. Make sure there is no pending CI jobs running. This is to avoid promoting a stale image to a new version (we need to rely on _existing_ pushed images for release). |
There was a problem hiding this comment.
Grammar fix: subject–verb agreement.
"there is no pending CI jobs" should be "there are no pending CI jobs" (plural subject).
✏️ Proposed fix
-1. Make sure there is no pending CI jobs running. This is to avoid promoting a stale image to a new version (we need to rely on _existing_ pushed images for release).
+1. Ensure there are no pending CI jobs running. This is to avoid promoting a stale image to a new version (we need to rely on _existing_ pushed images for release).🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/contributing/release.md` at line 34, Fix the subject–verb agreement in
the sentence that currently reads "there is no pending CI jobs" by changing it
to "there are no pending CI jobs"; locate the exact phrase "there is no pending
CI jobs" in the release instructions and update it to use the plural verb "are"
so the line reads "there are no pending CI jobs running."
Skarlso
approved these changes
Feb 21, 2026
|
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Mar 6, 2026
…2.1.0 (#4491) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.0.1` → `v2.1.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary> ### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0) [Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0) Image: `ghcr.io/external-secrets/external-secrets:v2.1.0` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### General - chore(release): Update helm chart by [@​evrardj-roche](https://github.com/evrardj-roche) in [#​5981](external-secrets/external-secrets#5981) - fix: cosign verify does not use signing config by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5982](external-secrets/external-secrets#5982) - docs: Update release process by [@​evrardj-roche](https://github.com/evrardj-roche) in [#​5980](external-secrets/external-secrets#5980) - fix: allow cross-namespace push with ClusterSecretStore objects by [@​Skarlso](https://github.com/Skarlso) in [#​5998](external-secrets/external-secrets#5998) - feat(charts): add new flag enable leader for cert-manager by [@​nutmos](https://github.com/nutmos) in [#​5863](external-secrets/external-secrets#5863) - feat(kubernetes): fall back to system CA roots when no CA is configured by [@​rajsinghtech](https://github.com/rajsinghtech) in [#​5961](external-secrets/external-secrets#5961) - feat: dedup sbom but keep it monolithic by [@​moolen](https://github.com/moolen) in [#​6004](external-secrets/external-secrets#6004) - fix: add missing metrics and fundamentally fix the caching logic by [@​Skarlso](https://github.com/Skarlso) in [#​5894](external-secrets/external-secrets#5894) - docs: designate Oracle Vault provider as 'stable' by [@​anders-swanson](https://github.com/anders-swanson) in [#​6020](external-secrets/external-secrets#6020) - docs: Oracle Vault provider capabilities by [@​anders-swanson](https://github.com/anders-swanson) in [#​6023](external-secrets/external-secrets#6023) - docs(azurekv): cert-manager pushsecret example and cleanups by [@​illrill](https://github.com/illrill) in [#​5972](external-secrets/external-secrets#5972) - feat(kubernetes): implement SecretExists by [@​Saku2](https://github.com/Saku2) in [#​5973](external-secrets/external-secrets#5973) - fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@​josemaia](https://github.com/josemaia) in [#​6029](external-secrets/external-secrets#6029) - feat(providers): Nebius MysteryBox integration by [@​greenmapc](https://github.com/greenmapc) in [#​5868](external-secrets/external-secrets#5868) ##### Dependencies - chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5986](external-secrets/external-secrets#5986) - chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5992](external-secrets/external-secrets#5992) - chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5984](external-secrets/external-secrets#5984) - chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5985](external-secrets/external-secrets#5985) - chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5990](external-secrets/external-secrets#5990) - chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5989](external-secrets/external-secrets#5989) - chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5987](external-secrets/external-secrets#5987) - chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5991](external-secrets/external-secrets#5991) - chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5988](external-secrets/external-secrets#5988) - chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6012](external-secrets/external-secrets#6012) - chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6014](external-secrets/external-secrets#6014) - chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6015](external-secrets/external-secrets#6015) - chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6016](external-secrets/external-secrets#6016) - chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6013](external-secrets/external-secrets#6013) - chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6010](external-secrets/external-secrets#6010) - chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6011](external-secrets/external-secrets#6011) - chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6009](external-secrets/external-secrets#6009) - chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6008](external-secrets/external-secrets#6008) #### New Contributors - [@​nutmos](https://github.com/nutmos) made their first contribution in [#​5863](external-secrets/external-secrets#5863) - [@​rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#​5961](external-secrets/external-secrets#5961) - [@​illrill](https://github.com/illrill) made their first contribution in [#​5972](external-secrets/external-secrets#5972) - [@​Saku2](https://github.com/Saku2) made their first contribution in [#​5973](external-secrets/external-secrets#5973) - [@​greenmapc](https://github.com/greenmapc) made their first contribution in [#​5868](external-secrets/external-secrets#5868) **Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41MS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTEuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4491 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Mar 7, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.0.1` → `2.1.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0) [Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0) Image: `ghcr.io/external-secrets/external-secrets:v2.1.0` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### General - chore(release): Update helm chart by [@​evrardj-roche](https://github.com/evrardj-roche) in [#​5981](external-secrets/external-secrets#5981) - fix: cosign verify does not use signing config by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5982](external-secrets/external-secrets#5982) - docs: Update release process by [@​evrardj-roche](https://github.com/evrardj-roche) in [#​5980](external-secrets/external-secrets#5980) - fix: allow cross-namespace push with ClusterSecretStore objects by [@​Skarlso](https://github.com/Skarlso) in [#​5998](external-secrets/external-secrets#5998) - feat(charts): add new flag enable leader for cert-manager by [@​nutmos](https://github.com/nutmos) in [#​5863](external-secrets/external-secrets#5863) - feat(kubernetes): fall back to system CA roots when no CA is configured by [@​rajsinghtech](https://github.com/rajsinghtech) in [#​5961](external-secrets/external-secrets#5961) - feat: dedup sbom but keep it monolithic by [@​moolen](https://github.com/moolen) in [#​6004](external-secrets/external-secrets#6004) - fix: add missing metrics and fundamentally fix the caching logic by [@​Skarlso](https://github.com/Skarlso) in [#​5894](external-secrets/external-secrets#5894) - docs: designate Oracle Vault provider as 'stable' by [@​anders-swanson](https://github.com/anders-swanson) in [#​6020](external-secrets/external-secrets#6020) - docs: Oracle Vault provider capabilities by [@​anders-swanson](https://github.com/anders-swanson) in [#​6023](external-secrets/external-secrets#6023) - docs(azurekv): cert-manager pushsecret example and cleanups by [@​illrill](https://github.com/illrill) in [#​5972](external-secrets/external-secrets#5972) - feat(kubernetes): implement SecretExists by [@​Saku2](https://github.com/Saku2) in [#​5973](external-secrets/external-secrets#5973) - fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@​josemaia](https://github.com/josemaia) in [#​6029](external-secrets/external-secrets#6029) - feat(providers): Nebius MysteryBox integration by [@​greenmapc](https://github.com/greenmapc) in [#​5868](external-secrets/external-secrets#5868) ##### Dependencies - chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5986](external-secrets/external-secrets#5986) - chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5992](external-secrets/external-secrets#5992) - chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5984](external-secrets/external-secrets#5984) - chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5985](external-secrets/external-secrets#5985) - chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5990](external-secrets/external-secrets#5990) - chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5989](external-secrets/external-secrets#5989) - chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5987](external-secrets/external-secrets#5987) - chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5991](external-secrets/external-secrets#5991) - chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5988](external-secrets/external-secrets#5988) - chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6012](external-secrets/external-secrets#6012) - chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6014](external-secrets/external-secrets#6014) - chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6015](external-secrets/external-secrets#6015) - chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6016](external-secrets/external-secrets#6016) - chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6013](external-secrets/external-secrets#6013) - chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6010](external-secrets/external-secrets#6010) - chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6011](external-secrets/external-secrets#6011) - chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6009](external-secrets/external-secrets#6009) - chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6008](external-secrets/external-secrets#6008) #### New Contributors - [@​nutmos](https://github.com/nutmos) made their first contribution in [#​5863](external-secrets/external-secrets#5863) - [@​rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#​5961](external-secrets/external-secrets#5961) - [@​illrill](https://github.com/illrill) made their first contribution in [#​5972](external-secrets/external-secrets#5972) - [@​Saku2](https://github.com/Saku2) made their first contribution in [#​5973](external-secrets/external-secrets#5973) - [@​greenmapc](https://github.com/greenmapc) made their first contribution in [#​5868](external-secrets/external-secrets#5868) **Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiY2hhcnQiXX0=--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4516 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
dsp0x4
pushed a commit
to dsp0x4/external-secrets
that referenced
this pull request
Mar 22, 2026
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Avoid running releases when unfinished jobs still present in CI.
Problem Statement
What is the problem you're trying to solve?
Related Issue
Fixes #...
Proposed Changes
How do you like to solve the issue and why?
Format
Please ensure that your PR follows the following format for the title:
Where
scopeis optionally one of:Checklist
git commit --signoffmake testmake reviewableSummary
Adds a prerequisite check to the release process documentation. The PR introduces a new first step in the ESO release process that requires verifying no pending CI jobs are running before starting a release, to prevent promoting stale images to a new version.
Changes