Prerequisites (one-time setup)

1. Go to PyPI management page and create an API token with its scope limited to the tuf project.
2. Go to GitHub settings, create an environment called release and configure review protection.
3. In the environment create a secret called PYPI_API_TOKEN and paste the token created above.

1. Ensure docs/CHANGELOG.md contains a one-line summary of each notable change since the prior release
2. Update tuf/__init__.py to the new version number A.B.C
3. Create a PR with updated CHANGELOG.md and version bumps

➔ Review PR on GitHub

1. Once the PR is merged, pull the updated develop branch locally
2. Create a signed tag for the version number on the merge commit git tag --sign vA.B.C -m "vA.B.C"
3. Push the tag to GitHub git push origin vA.B.C

A tag push triggers the CD workflow, which runs the tests, builds source dist and wheel, creates a preliminary GitHub release under vA.B.C-rc, and pauses for review.

1. Run verify_release --skip-pypi locally to make sure a build on your machine matches the preliminary release artifacts published on GitHub.

➔ Review deployment on GitHub

An approval resumes the CD workflow to publish the release on PyPI, and to finalize the GitHub release (removes -rc suffix and updates release notes).

1. Run verify_release to make sure the PyPI release artifacts match the local build as well. When called as verify_release --sign [<key id>] the script additionally creates gpg release signatures. When signed by maintainers with a corresponding GPG fingerprint in the MAINTAINERS.md file, these signature files should be made available on the GitHub release page under Assets.
2. Announce the release on #tuf on CNCF Slack
3. Ensure POUF 1, for the reference implementation, is up-to-date