@aarongable aarongable commented Mar 8, 2023

Create tools/release/tag and tools/release/branch, a pair of small Go scripts which automate the creation of release tags and hotfix branches. It also updates our release documentation to provide instructions on how to use these new tools.

//tools/release/tag/main.go:

In its primary mode, this script creates a new release tag pointing at the current tip of main. It assumes that you have "github.com/letsencrypt/boulder" (i.e. this repo) set as your "origin" remote. The new tag is always of the format "v0.YYYYMMDD.0", so that the major version does not make any backwards-compatibility guarantees, the minor version continues our tradition of date-stamping our version numbers, and the patch version can be incremented by hotfix releases. It only pushes the newly-created tag if passed the "-push" flag; otherwise it just creates the new tag locally and exits, allowing the user to inspect it and push it themselves.

This tag naming system is superior to our current "release-YYYY-MM-DD[a]" system for a few reasons. First, by virtue of being a Semver, we get access to tools (like pkg.go.dev) which understand semver. It shortens our tags, making them easier to read in horizontally-constrained environments like github's tag dropdowns and releases sidebar. And it provides a dedicated place (the patch version) for us to indicate hotfix tags, rather than our ad-hoc letter-based suffix system.

Eventually, it will also support a mode where you supply a hotfix release branch name, and it tags the tip of that branch instead of the tip of main. This mode does not yet exist, to ensure that we can land this MVP.

Sample output:

$ go run github.com/letsencrypt/boulder/tools/release/tag@f5e096e     
go: downloading github.com/letsencrypt/boulder v0.0.0-20250624230838-f5e096ebac59
Running: /usr/bin/git fetch origin main
Running: /usr/bin/git tag -s -m Release v0.20250624.0 v0.20250624.0 origin/main
Running: /usr/bin/git show -s v0.20250624.0
   tag v0.20250624.0
   Tagger: Aaron Gable <[email protected]>
   Date:   Tue Jun 24 16:29:19 2025 -0700
   
   Release v0.20250624.0
   
   commit 1bfc3186c8510a4bce231970152c7b506a4c96ba
   Author: Samantha Frank <[email protected]>
   Date:   Wed Jun 18 10:37:20 2025 -0400
   
       grpc: Enable client-side health_v1 health checking (#8254)
       
       - Configure all gRPC clients to check the overall serving status of each
       endpoint via the `grpc_health_v1` service.
       - Configure all gRPC servers to expose the `grpc_health_v1` service to
       any client permitted to access one of the server’s services.
       - Modify long-running, deep health checks to set and transition the
       overall (empty string) health status of the gRPC server in addition to
       the specific service they were configured for.
       
       Fixes #8227

Please inspect the tag above, then run:
    git push origin v0.20250624.0

$ git push origin v0.20250624.0
 Enumerating objects: 1, done.
Counting objects: 100% (1/1), done.
Writing objects: 100% (1/1), 808 bytes | 808.00 KiB/s, done.
Total 1 (delta 0), reused 0 (delta 0), pack-reused 0
To github.com:aarongable/boulder
 * [new tag]             v0.20250624.0 -> v0.20250624.0

//tools/release/branch/main.go:

This script takes an existing tag name as input, and produces a new release branch starting at that tag. The new branch has the name "release-branch-foo", where "foo" is the major and minor of the base tag's semantic version number. The intention is that commits will then be merged to that release branch using the standard pull-request workflow, and then the as-yet-unimplemented code path of the tagging tool (see above) will be used to tag the hotfix release itself.

Sample output:

$ go run github.com/letsencrypt/boulder/tools/release/branch@f5e096e v0.20250624.0
Running: /usr/bin/git fetch origin
Running: /usr/bin/git merge-base --is-ancestor v0.20250624.0 origin/main
Running: /usr/bin/git branch release-branch-v0.20250624 v0.20250624.0
Running: /usr/bin/git show -s release-branch-v0.20250624
   commit 1bfc3186c8510a4bce231970152c7b506a4c96ba
   Author: Samantha Frank <[email protected]>
   Date:   Wed Jun 18 10:37:20 2025 -0400
   
       grpc: Enable client-side health_v1 health checking (#8254)
       
       - Configure all gRPC clients to check the overall serving status of each
       endpoint via the `grpc_health_v1` service.
       - Configure all gRPC servers to expose the `grpc_health_v1` service to
       any client permitted to access one of the server’s services.
       - Modify long-running, deep health checks to set and transition the
       overall (empty string) health status of the gRPC server in addition to
       the specific service they were configured for.
       
       Fixes #8227

Please inspect the branch above, then run:
    git push origin release-branch-v0.20250624:release-branch-v0.20250624

$ git push origin release-branch-v0.20250624:release-branch-v0.20250624       
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
remote: 
remote: Create a pull request for 'release-branch-v0.20250624' on GitHub by visiting:
remote:      https://github.com/aarongable/boulder/pull/new/release-branch-v0.20250624
remote: 
To github.com:aarongable/boulder
 * [new branch]          release-branch-v0.20250624 -> release-branch-v0.20250624

Fixes #5726
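The naming rules in the description above (tags of the form v0.YYYYMMDD.N, hotfix branches named release-branch-v0.YYYYMMDD), as an added example that is not code from this pull request. The helpers ParseReleaseTag and BranchForTag are hypothetical; they validate a tag name strictly before it would be handed to git, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// tagRE accepts only "v0.YYYYMMDD.N". Because it is anchored at both ends, a
// value beginning with "-" can never reach git looking like an option.
var tagRE = regexp.MustCompile(`^v0\.(\d{8})\.(0|[1-9]\d*)$`)

// ParseReleaseTag (hypothetical) returns the date stamp and patch number.
func ParseReleaseTag(tag string) (string, int, error) {
	m := tagRE.FindStringSubmatch(tag)
	if m == nil {
		return "", 0, fmt.Errorf("tag %q is not of the form v0.YYYYMMDD.N", tag)
	}
	// Eight digits are not necessarily a date: reject e.g. month 13.
	if _, err := time.Parse("20060102", m[1]); err != nil {
		return "", 0, fmt.Errorf("tag %q: bad date: %w", tag, err)
	}
	patch, err := strconv.Atoi(m[2])
	if err != nil {
		return "", 0, fmt.Errorf("tag %q: bad patch: %w", tag, err)
	}
	return m[1], patch, nil
}

// BranchForTag (hypothetical) names the hotfix branch for a release tag.
func BranchForTag(tag string) (string, error) {
	date, _, err := ParseReleaseTag(tag)
	if err != nil {
		return "", err
	}
	return "release-branch-v0." + date, nil
}

func main() {
	// Constructed inputs: a valid tag, the old naming scheme, an
	// option-shaped string, and an impossible date.
	for _, in := range []string{"v0.20250624.0", "release-2023-03-08a", "--force", "v0.20251340.0"} {
		b, err := BranchForTag(in)
		fmt.Printf("%q -> %q, %v\n", in, b, err)
	}
}
```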

@aarongable aarongable requested a review from a team as a code owner March 8, 2023 21:36
@pgporada
Member

pgporada commented Mar 10, 2023 via email

@aarongable
Contributor Author

That works when you're running gosec directly, but not as part of golangci-lint. No, I have no idea why it's different, but I've tripped over it multiple times.

pgporada
pgporada previously approved these changes Mar 10, 2023
@beautifulentropy
Member

You've got a failing gomod vendor test.

@aarongable
Contributor Author

I've merged main and made several improvements that were obvious with fresh eyes. I've added sample output to the PR description above. Please take a look!

Contributor

@jsha jsha left a comment

Looks great. I noticed this in the sample output:

Running: /usr/bin/git tag -s -m Release v0.20250618.0 v0.20250618.0 origin/main

That's a little confusing, because "Release v0.20250618.0" is a single arg, but there's no indication in the output. Of course, cmd.String() says:

String returns a human-readable description of c. It is intended only for debugging. In particular, it is not suitable for use as input to a shell. The output of String may vary across Go releases.

It's probably not worth investing in fancier quoting for this one place where we include a space in an arg.

The trick of embedding error in cmdError is interesting. I took a long moment looking for func (c cmdError) Error() string before realizing that's just part of the error interface. I'll note that since there's no Unwrap, you can't unwrap to the inner err. Which you don't make use of here, but might be slightly surprising under future modifications.
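The two Go behaviours raised in this review, as an added example that is not part of the review or of the pull request's code. The types embedded and wrapped and the helpers MissingGit, SeesNotFound and FormatArgs are hypothetical, and the inner error is constructed without running any command.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// embedded is a hypothetical stand-in for the pattern the review describes:
// embedding error promotes Error(), but the struct has no Unwrap method.
type embedded struct {
	error
	output string
}

// wrapped is the same struct with Unwrap added, which is what errors.Is and
// errors.As need in order to look past the outer value.
type wrapped struct {
	error
	output string
}

func (w wrapped) Unwrap() error { return w.error }

// MissingGit builds (without running anything) the error os/exec reports
// when a binary is not on PATH. Constructed sample value.
func MissingGit() error { return &exec.Error{Name: "git", Err: exec.ErrNotFound} }

// SeesNotFound reports whether errors.Is can reach exec.ErrNotFound.
func SeesNotFound(err error) bool { return errors.Is(err, exec.ErrNotFound) }

// FormatArgs renders argv with %q so an argument containing a space is
// visibly a single argument in a log line.
func FormatArgs(argv []string) string {
	quoted := make([]string, len(argv))
	for i, a := range argv {
		quoted[i] = fmt.Sprintf("%q", a)
	}
	return strings.Join(quoted, " ")
}

func main() {
	inner := MissingGit()
	fmt.Println(SeesNotFound(embedded{inner, "stderr text"})) // chain stops at the struct
	fmt.Println(SeesNotFound(wrapped{inner, "stderr text"}))  // Unwrap exposes the cause
	fmt.Println(FormatArgs([]string{"git", "tag", "-s", "-m", "Release v0.20250618.0", "v0.20250618.0", "origin/main"}))
}
```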

Member

@beautifulentropy beautifulentropy left a comment

Overall I think the tool looks great. I've just got a couple of comments and suggestions.

@aarongable aarongable force-pushed the release-script branch 3 times, most recently from 8d49423 to de42bde Compare June 24, 2025 23:04
@beautifulentropy beautifulentropy self-requested a review June 25, 2025 12:53
@aarongable aarongable merged commit 8accf18 into main Jun 30, 2025
12 checks passed
@aarongable aarongable deleted the release-script branch June 30, 2025 18:32