Instructions for Release Managers

Release Manager Initial Setup

If you have never served as a Release Manager (or it has been a while since you have done it), first read the Release Manager Setup instructions. We have scripts that automate many of the tasks a Release Manager must perform, but these scripts assume you have followed the instructions in the Release Manager Setup before you start executing them.

Non-PMC Release Managers

Actually publishing a release is an official act of the OpenWhisk Project Management Committee (PMC). If you are an OpenWhisk Committer, but not an OpenWhisk PMC member, you will need to pair up with a PMC member to accomplish some of the steps. In brief, any step that adds or removes an artifact from a public distribution channel must be executed by an OpenWhisk PMC member.

Background Information

If you are acting as a Release Manager, you should be familiar with the Apache Software Foundation's (ASF) Release Creation Process and Release Policy. The detailed instructions and scripts we provide for Release Managers are designed to implement the ASF's policies and procedures in the specific context of the OpenWhisk project. However, it is still essential that each Release Manager understands the rationale underlying the steps they are executing.

Licensing requirements

All released source code has to be compliant with Apache Licensing Policy. In part this is done by adding the LICENSE file and NOTICE file to each git repository and by adding Licensing headers to each source code file. Please see License Compliance for detailed information on Apache OpenWhisk project policies, rules and guidelines.

Artifact requirements

Artifacts for project repository source code and any compiled binaries are packaged separately with each artifact being signed cryptographically.

Release Approval

All releases must be formally approved via a PMC vote on the dev list. A successful release vote requires a minimum of three positive binding votes, and more positive than negative binding votes MUST be cast.

Release distribution requirements

All release artifacts must be uploaded to the project's designated subdirectory in the Apache distribution channel (

Specifically, the Apache OpenWhisk project has a subdirectory to publish both candidate (staged) releases: and approved releases:

Release announcements should not directly refer to the main Apache dist server for mirrored artifacts (the sources.tar.gz files). Instead they should refer to the OpenWhisk project download page which is configured to redirect download requests to Apache dist mirrors or otherwise incorporate a mirroring enabled URL.

Step-by-Step Instructions for the Release Process

Preparing to Make a Release

Before creating release artifacts, the Release Manager should initiate a community discussion to confirm that we are ready to release the component(s). It is also good practice to do a quick check of the repositories to confirm they are release-ready to reduce the odds of needing multiple release candidates.

  1. Start a [DISCUSS] thread on the dev list proposing the release. Allow at least 24 hours for feedback.
  2. Make sure all unit and integration tests are passing in the repositories that are being released. Check the project status list.
  3. If a component being released includes a changelog or release notes file, make sure they are up-to-date.
  4. If you are releasing either the openwhisk or openwhisk-deploy-kube repositories, create a release branch in the Apache git repo. Then submit a PR to that release branch to change all uses of the nightly tag to fixed tags (e.g., 1.14.0 or 8eb922f).

Defining the Release Contents

The contents of a release are defined by a JSON configuration file. To create one for your release, make a copy of config_template.json and edit to provide the version information, list of repositories, and details for each repository. After creating your config, commit it to ../release-configs to provide historical documentation of project releases.

  {
    "versioning": {
      "version": "X.Y.Z",
      "pre_release_version": "rc1"
    },
    "RepoList": [
      "openwhisk-repo-name-one",
      "openwhisk-repo-name-two"
    ],
    "openwhisk_repo_name_one": {
      "name": "OpenWhisk Repo Name",
      "hash": "<GIT COMMIT HASH>",
      "repository": "<REPO-NAME-ONE>.git",
      "branch": "master"
    },
    "openwhisk_repo_name_two": {
      "name": "OpenWhisk Repo Two",
      "hash": "<GIT COMMIT HASH>",
      "repository": "<REPO-NAME-TWO>.git",
      "branch": "master"
    }
  }

  • versioning: Defines the release version and the release candidate number.
  • RepoList: Defines the list of OpenWhisk repositories being released.
  • For every repository in RepoList, we name-mangle it to convert - into _ and use the mangled name as a key whose value is an object that defines:
    • name: User level name of the component
    • hash: git commit hash being released
    • repository: URL of the repository
    • branch: git branch being released (master or a release branch name)

Important Note: If you are releasing a Node.js package which contains a package.json, you should make sure the version specified in package.json matches your release version. If you also have a package-lock.json file, it too must have a matching version property. See additional tips for releasing npm packages.
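A pre-flight check for the config structure and the npm version rule described above, as an added example that is not part of the OpenWhisk release tooling. The function names, the requirement of a full 40-character commit id, and the sample values are assumptions made for illustration.

```python
import re

FULL_SHA = re.compile(r"[0-9a-f]{40}")  # assumption: require full commit ids
VERSION = re.compile(r"\d+\.\d+\.\d+")  # the X.Y.Z shape from the template
RC = re.compile(r"rc\d+")               # rc1, rc2, ...

def validate_release_config(cfg):
    """Return a list of problems in a parsed release config (empty = OK)."""
    problems = []
    ver = cfg.get("versioning", {})
    if not VERSION.fullmatch(str(ver.get("version", ""))):
        problems.append("versioning.version is not X.Y.Z")
    if not RC.fullmatch(str(ver.get("pre_release_version", ""))):
        problems.append("versioning.pre_release_version is not rcN")
    repos = cfg.get("RepoList", [])
    if not repos:
        problems.append("RepoList is empty")
    known = {"versioning", "RepoList"}
    for repo in repos:
        key = repo.replace("-", "_")  # name-mangling: '-' becomes '_'
        known.add(key)
        entry = cfg.get(key)
        if not isinstance(entry, dict):
            problems.append(f"{repo}: no object under key '{key}'")
            continue
        for field in ("name", "hash", "repository", "branch"):
            if not entry.get(field):
                problems.append(f"{repo}: missing '{field}'")
        if entry.get("hash") and not FULL_SHA.fullmatch(str(entry["hash"])):
            problems.append(f"{repo}: hash is not a 40-hex commit id")
    # An object that RepoList does not name is not part of the release list.
    for key in sorted(set(cfg) - known):
        problems.append(f"'{key}' is defined but not listed in RepoList")
    return problems

def npm_version_mismatches(release_version, package_json, package_lock=None):
    """Names of npm manifests whose version differs from the release."""
    files = {"package.json": package_json, "package-lock.json": package_lock}
    return [name for name, doc in files.items()
            if doc is not None and doc.get("version") != release_version]

# Constructed sample config, not a real OpenWhisk release.
SAMPLE = {
    "versioning": {"version": "1.2.3", "pre_release_version": "rc1"},
    "RepoList": ["openwhisk-example-one", "openwhisk-example-two"],
    "openwhisk_example_one": {"name": "One", "hash": "0123456789abcdef" * 2 + "01234567",
                              "repository": "one.git", "branch": "master"},
    "openwhisk_example_two": {"name": "Two", "hash": "8eb922f",
                              "repository": "two.git", "branch": "master"},
    "openwhisk_example_three": {"name": "Stray", "hash": "x", "repository": "r", "branch": "b"},
}
```

Calling validate_release_config(SAMPLE) reports the abbreviated hash and the stray object; pass the parsed package.json and package-lock.json of a checked-out repository to npm_version_mismatches.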

Create Release Candidates

From the tools directory, execute the script providing the config.json file as an argument. Using ../stagingArea as scratch space, this script will clone the source repositories, package them into compressed tarballs, and create the checksum and detached PGP signature files.

./ ../release-configs/<MY_RELEASE_CONFIG>.json [<MY_APACHE_GPG_KEY_ID>]

Note: uses your system default GPG key to sign the release. To use an alternate key, specify the key id as a second argument. Omit this value to use the default key.

Next, verify the release artifacts by running This script will run against your local artifacts.

./ ../release-configs/<MY_RELEASE_CONFIG>.json
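What checking a tarball against its checksum and detached signature involves, as an added example that is not the project's verification script. It assumes the companion files are named <tarball>.sha512 and <tarball>.asc, that the signer's public key is already in the local GPG keyring, and it uses constructed file contents in demo().

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def parse_digest(text):
    """Hex digest from 'HEX  name' or 'name: HEX HEX ...' checksum files."""
    body = text.split(":", 1)[1] if ":" in text else (text.split() or [""])[0]
    return "".join(body.split()).lower()

def signed_by(status_output, fingerprint):
    """True if gpg status output has a VALIDSIG line naming fingerprint."""
    for line in status_output.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and fingerprint.upper() in parts[2:]:
            return True
    return False

def check_artifact(tarball, fingerprint=None):
    """Return problems for one tarball; an empty list means it passed."""
    tarball = Path(tarball)
    sha_file = Path(str(tarball) + ".sha512")  # assumed naming
    sig_file = Path(str(tarball) + ".asc")     # assumed naming
    problems = []
    if not sha_file.is_file():
        problems.append("missing checksum file")
    elif parse_digest(sha_file.read_text()) != hashlib.sha512(tarball.read_bytes()).hexdigest():
        problems.append("checksum mismatch")
    if not sig_file.is_file():
        problems.append("missing signature file")
    elif fingerprint:  # a good signature from some other key is not enough
        out = subprocess.run(
            ["gpg", "--status-fd", "1", "--verify", str(sig_file), str(tarball)],
            capture_output=True, text=True).stdout
        if not signed_by(out, fingerprint):
            problems.append("signature not made by expected key")
    return problems

def demo():
    """Constructed artifact: checked once intact, then again after tampering."""
    with tempfile.TemporaryDirectory() as d:
        tar = Path(d, "openwhisk-example-1.2.3-sources.tar.gz")
        tar.write_bytes(b"constructed release bytes")
        digest = hashlib.sha512(tar.read_bytes()).hexdigest()
        Path(str(tar) + ".sha512").write_text(f"{digest}  {tar.name}\n")
        before = check_artifact(tar)
        tar.write_bytes(b"tampered release bytes")
        return before, check_artifact(tar)
```

Passing the Release Manager's key fingerprint to check_artifact makes the check fail when the signature is valid but comes from a different key in the keyring.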

TODO: We should also run Apache Rat ( as part of; for now it is a recommended best practice to run Apache Rat by hand on each of your .tar.gz files. Download RAT and invoke it on the .tar.gz file like:

java -jar apache-rat-0.13.jar stagingArea/artifacts/<release-name>.tar.gz

If the release candidates pass all checks, commit them to the staging svn:

./ ../release-configs/<MY_RELEASE_CONFIG>.json

Initiate a Release Vote

Initiate a release vote on the dev list. Use the script to create the body of the voting email.

./ ../release-configs/<MY_RELEASE_CONFIG>.json

This script accepts a mailer configuration file which you can use to also send the vote email directly to the mailing list. You should dry run this command with -n to sanity check the vote notice before it is sent.

./ ../release-configs/<MY_RELEASE_CONFIG>.json -mc <MY_MAILER_CONFIG>.yaml

Report Vote Result

When the vote can be closed (at least 72 hours and minimum number of binding votes cast), the Release Manager will respond to the voting thread modifying the subject to start with [RESULT][VOTE]... announcing the result of the vote. If the vote has sufficient -1 votes cast, the Release Manager may declare that the vote has failed without waiting the full 72 hours.

If the vote is successful, the Release Manager proceeds with publishing the release and cleaning up as described below.

If the vote is unsuccessful, correct whatever issues were raised and restart the process with new candidate releases. Update your config.json file by incrementing the rc number and changing git hashes.

Publishing a Successful Release to Apache Dist Servers

Only a PMC member can perform this step

After a successful vote, the release manager will commit the artifacts being released to the openwhisk subdir of the Apache dist svn.

The script automates the copy & svn add operations, but it assumes that every file found in the release candidate subdir should be released. If this is not true (e.g., multiple parallel release votes), then the upload must be performed manually.

./ ../release-configs/<MY_RELEASE_CONFIG>.json

Assuming the expected set of files were added, commit them:

cd ../stagingArea/svn_release && svn commit -m "Apache OpenWhisk X.Y.Z release of <Component Description>"

Relatively soon after doing the svn commit, you should receive an email like the one shown below from asking you to add release data to its database information.

This is an automated email from
I see that you just pushed something to our release repository for the 'openwhisk' project
in the following commit:

r35971 at 2019-09-23 16:07:53 +0000 (Mon, 23 Sep 2019)
Apache OpenWhisk CLI Group v1.0.0

If you are a PMC member of this project, we ask that you log on to:
and add your release data (version and date) to the database.

...elided rest of email...

Please follow the link and perform the update; this information is quite useful for drafting our periodic reports to the ASF Board.

Tag GitHub repos

Each GitHub repository needs to be tagged. Unfortunately, the naming conventions for tagging vary across the OpenWhisk project repositories and therefore we have not yet attempted to automate this step.

For each released repository, the Release Manager should examine the existing set of tags (git tag) and then add a new tag following the same convention using the git commit hash from <MY_RELEASE_CONFIG>.json. After tagging a repo, push the tag.

Many of the GitHub repositories are configured to build binary artifacts in response to new tags being committed. Monitor the build process and ensure that all expected artifacts are created for each tag you commit.

There are some slightly outdated, but much more detailed comments on release tagging available if you need a reminder of the git commands to use.

Create GitHub releases

After pushing the tags, you should go to the GitHub Releases for each released project and “Draft a new release” using the tag you just pushed. If the project contains a CHANGELOG or RELEASENOTES, copy that information into the release description.

Dockerhub updates

Only a PMC member can push images to the openwhisk organization on dockerhub

If the components you released build docker images, then you should build the docker images locally, tag them with the release version (following the naming scheme for the repo), push the new images to dockerhub using the whiskbot dockerhub id, and update the latest tag to point to the new images.

If you have published new images to dockerhub, submit PRs to openwhisk-deploy-kube to use the new images.

Rippling changes for openwhisk-runtime-* releases

If you are releasing a new version of an openwhisk-runtime, then once the updated images are available on dockerhub you should submit a PR to openwhisk-deploy-kube to update the docker imageTags in that project's helm/openwhisk/runtimes.json.

If you released a new version of openwhisk-runtime-go, then you need to update tag information in the Dockerfiles of all actionloop based action runtimes. To support reproducible builds, we always use a fixed-tag (and almost always a release tag) when pulling code from openwhisk-runtime-go into other runtime projects to build the actionloop go proxy. The current list of actionloop based Dockerfiles is:

  • openwhisk-runtime-java/core/java8actionloop/Dockerfile
  • openwhisk-runtime-php/core/php7.4Action/Dockerfile
  • openwhisk-runtime-php/core/php7.3Action/Dockerfile
  • openwhisk-runtime-python/core/pythonActionLoop/Dockerfile
  • openwhisk-runtime-ruby/core/ruby2.6ActionLoop/Dockerfile
  • openwhisk-runtime-rust/rust1.34/Dockerfile
  • openwhisk-runtime-swift/core/swift42Action/Dockerfile
  • openwhisk-runtime-swift/core/swift51Action/Dockerfile

If you released a new version of openwhisk-runtime-docker, then you need to update tag information in the Dockerfiles of openwhisk-runtime-python. To support reproducible builds, we always use a fixed-tag (and almost always a release tag) when pulling code from openwhisk-runtime-docker into other runtime projects to build their images.

Publishing to npm

Only a PMC member can publish to npm

The openwhisk-client-js, openwhisk-composer, and openwhisk-wskdebug projects release npm packages built from each source release. The Release Manager should build and publish these packages manually using the openwhisk-bot credentials found in the npmjs.txt file in the accounts subdir of the PMC private svn.

Some tips:

  • Login as the openwhisk-bot using npm login.
  • The version specified in package.json (and package-lock.json if it exists) should match the release version. If they don't, you need to fix the release.
  • Confirm that npm pack does not report any errors. Then delete the generated .tgz file.
  • Confirm the list of files that will be bundled using npm publish --dry-run.
  • To publish the distribution, use npm publish --public.

If you are releasing a new version of the openwhisk-client-js package, then after the new version of the openwhisk package is published on npm, submit PRs to update the version number for the openwhisk package in the package.json files found in the openwhisk, openwhisk-composer, openwhisk-wskdebug, and openwhisk-runtime-nodejs git repos. The command find . -name package.json -exec grep -l \"openwhisk\": {} \; can help you find all the places to change.


If you released a new version of openwhisk-cli, then submit a PR to Homebrew to publish the new cli version.

Update Downloads Page

Submit a PR to openwhisk-website to update the Downloads page to refer to the newly released versions.

Announcing the Release

For all normal releases you should wait at least 24 hours before announcing the release to allow time for Apache Dist mirrors to be updated with the newly released artifacts. You must also wait until the PR to update the website has been merged and the change appears on the website (successful Jenkins job to rebuild website).

When announcing a release, you must use the URL of the OpenWhisk Downloads page (or some other URL that supports mirroring). Do not include a direct link to the svn server.

Releases should always be announced to Releases can optionally be announced to at the discretion of the release manager.

Post-release cleanup

  1. Remove the release candidate files from the staging svn.
  2. If there is a prior release, remove it from the release svn (all releases are automatically archived; removing an old release from dist does not remove it from the archive).