Release process

Prerequisites (one-time setup)

  1. Enable "Trusted Publishing" in PyPI project settings
    • Publisher: GitHub
    • Owner: theupdateframework
    • Project: python-tuf
    • Workflow: cd.yml
    • Environment: release
  2. Go to GitHub settings, create an environment called release and configure review protection.

Release

  1. Ensure docs/CHANGELOG.md contains a one-line summary of each notable change since the prior release
  2. Update tuf/__init__.py to the new version number A.B.C
  3. Create a PR with updated CHANGELOG.md and version bumps

➔ Review PR on GitHub

  1. Once the PR is merged, pull the updated develop branch locally
  2. Create a signed tag for the version number on the merge commit: `git tag --sign vA.B.C -m "vA.B.C"`
  3. Push the tag to GitHub: `git push origin vA.B.C`
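A signed tag is the input that starts the CD workflow, so it is worth checking that the tag name agrees with the version bumped in tuf/__init__.py before signing it. The following pre-tag check is an added example, not part of python-tuf's own release tooling; it assumes tuf/__init__.py declares the version on a line of the form `__version__ = "A.B.C"`, and the version value and directory it builds are constructed for the demo.

```shell
#!/bin/sh
# Pre-tag consistency check (added example; not python-tuf's own tooling).
# Assumption: tuf/__init__.py contains a line like   __version__ = "A.B.C"

# Print the version declared in the given __init__.py (empty if none found).
declared_version() {
  sed -n 's/^__version__ *= *["'\'']\([0-9][0-9A-Za-z.]*\)["'\''].*/\1/p' "$1"
}

# Return 0 when tag "vA.B.C" matches the declared version, 1 otherwise.
# Rejects tags that do not follow the vA.B.C convention used by the workflow.
tag_matches_version() {
  tag="$1"; init_file="$2"
  case "$tag" in
    v[0-9]*) ;;
    *) echo "tag '$tag' is not of the form vA.B.C" >&2; return 1 ;;
  esac
  want="${tag#v}"
  have="$(declared_version "$init_file")"
  if [ -z "$have" ]; then
    echo "no __version__ line found in $init_file" >&2; return 1
  fi
  if [ "$have" != "$want" ]; then
    echo "tag says $want but $init_file declares $have; fix the bump first" >&2
    return 1
  fi
  return 0
}

# Demo on a constructed tree standing in for a python-tuf checkout.
demo() {
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/tuf"
  printf '"""Constructed stand-in for tuf/__init__.py."""\n__version__ = "1.2.3"\n' \
    > "$tmp/tuf/__init__.py"
  tag_matches_version v1.2.3 "$tmp/tuf/__init__.py" && echo "v1.2.3: ok, safe to sign"
  tag_matches_version v1.2.4 "$tmp/tuf/__init__.py" || echo "v1.2.4: mismatch, do not tag"
  rm -rf "$tmp"
}
demo
```

In a real checkout, run `tag_matches_version vA.B.C tuf/__init__.py` from the repository root on the merge commit, and only create the signed tag when it returns 0.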

A tag push triggers the CD workflow, which runs the tests, builds source dist and wheel, creates a preliminary GitHub release under vA.B.C-rc, and pauses for review.

  1. Run `verify_release --skip-pypi` locally to make sure a build on your machine matches the preliminary release artifacts published on GitHub.

Review deployment on GitHub

An approval resumes the CD workflow to publish the release on PyPI, and to finalize the GitHub release (removes -rc suffix and updates release notes).

  1. Run `verify_release` to make sure the PyPI release artifacts match the local build as well. When called as `verify_release --sign [<key id>]`, the script additionally creates GPG release signatures. When signed by maintainers whose GPG fingerprint is listed in the MAINTAINERS.md file, these signature files should be made available on the GitHub release page under Assets.
  2. Announce the release on #tuf on CNCF Slack
  3. Ensure POUF 1, for the reference implementation, is up-to-date